Password Protected TCP Reverse Shell (IPv6) | Linux x86_64

Introduction

In this post we will create a custom TCP reverse shell for the Linux x86_64 architecture that requires a password before it spawns a shell. This post is a continuation of Password Protected TCP Bind Shell | Linux x86_64, and since my SLAE32 series includes an in-depth analysis of the functions used in reverse shells we won't spend too much time on them here.

Shellcode

I decided to create an IPv6 reverse shell this time around for two reasons: the first being that I haven't done one before, and the second is that, for some reason, msfvenom doesn't have one for x86_64, so the final shellcode could be of use to somebody, maybe.

Creating an IPv6 reverse shell is not rocket science. All we need to do is use AF_INET6 as the domain when calling the socket() function and use the IPv6 socket address structure to specify the IP address and port we want, amongst other things (I used localhost ::1 in this case). Lastly, we need to account for the larger structure length when calling the connect() function, which takes that length in the RDX register.
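The assembly is not reproduced on this page, so the following is an added C example (not the post's own code) showing the userland equivalent of the three points above: AF_INET6 as the socket domain, the IPv6 socket address structure (sockaddr_in6) filled in for [::1]:port, and the structure length that connect() takes as its third argument, which is what ends up in RDX on x86_64. The byte-offset checks assume the glibc/Linux layout of sockaddr_in6 (28 bytes); the port 4444 used in main() is a constructed sample value. The round-trip function binds a listener on ::1 itself, so it runs offline and returns -2 rather than failing on a host without IPv6 loopback.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill a sockaddr_in6 for [::1]:port and return the length that connect()
 * expects as its third argument (the value the post loads into RDX). */
socklen_t build_loopback6(uint16_t port, struct sockaddr_in6 *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin6_family = AF_INET6;
    sa->sin6_port = htons(port);        /* port is stored in network byte order */
    sa->sin6_addr = in6addr_loopback;   /* ::1 */
    return (socklen_t)sizeof *sa;
}

/* addrlen per address family: 16 bytes for sockaddr_in, 28 for sockaddr_in6
 * (glibc/Linux layout, assumed here). This is the difference an IPv4 reverse
 * shell ported to IPv6 has to account for in the connect() call. */
socklen_t addrlen_for_family(int family)
{
    switch (family) {
    case AF_INET:  return (socklen_t)sizeof(struct sockaddr_in);
    case AF_INET6: return (socklen_t)sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* Byte-level view of the structure as the kernel receives it (assumed glibc layout):
 *   offset  0: sin6_family   (2 bytes, host order)
 *   offset  2: sin6_port     (2 bytes, big-endian)
 *   offset  4: sin6_flowinfo (4 bytes, zero here)
 *   offset  8: sin6_addr     (16 bytes; ::1 is fifteen 0x00 bytes then 0x01)
 *   offset 24: sin6_scope_id (4 bytes, zero here)
 * Returns 1 when the layout matches, 0 otherwise. */
int loopback6_layout_ok(uint16_t port)
{
    struct sockaddr_in6 sa;
    const unsigned char *b = (const unsigned char *)&sa;
    if (build_loopback6(port, &sa) != 28) return 0;
    if (sa.sin6_family != AF_INET6) return 0;
    if (b[2] != (port >> 8) || b[3] != (port & 0xff)) return 0;
    for (int i = 8; i < 23; i++)
        if (b[i] != 0) return 0;
    return b[23] == 1;
}

/* Live socket()/connect() exchange over ::1: a listener is bound to an
 * ephemeral port, a client connects using build_loopback6(), and the accepted
 * peer address is checked to be an IPv6 loopback source.
 * Returns 0 on success, -2 if this host has no IPv6 loopback, -1 on any other error. */
int ipv6_loopback_roundtrip(void)
{
    struct sockaddr_in6 srv, peer;
    socklen_t len;
    int ls, cs, as, rc = -1;

    ls = socket(AF_INET6, SOCK_STREAM, 0);
    if (ls < 0) return errno == EAFNOSUPPORT ? -2 : -1;
    len = build_loopback6(0, &srv);                 /* port 0: kernel picks one */
    if (bind(ls, (struct sockaddr *)&srv, len) < 0) {
        close(ls);
        return errno == EADDRNOTAVAIL ? -2 : -1;
    }
    if (listen(ls, 1) < 0) { close(ls); return -1; }
    len = sizeof srv;
    if (getsockname(ls, (struct sockaddr *)&srv, &len) < 0) { close(ls); return -1; }

    cs = socket(AF_INET6, SOCK_STREAM, 0);
    if (cs < 0) { close(ls); return -1; }
    /* third argument: the 28-byte length the post passes in RDX */
    if (connect(cs, (struct sockaddr *)&srv, addrlen_for_family(AF_INET6)) == 0) {
        len = sizeof peer;
        as = accept(ls, (struct sockaddr *)&peer, &len);
        if (as >= 0) {
            if (peer.sin6_family == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&peer.sin6_addr))
                rc = 0;
            close(as);
        }
    }
    close(cs);
    close(ls);
    return rc;
}

int main(void)
{
    printf("sockaddr_in  length: %u\n", (unsigned)addrlen_for_family(AF_INET));
    printf("sockaddr_in6 length: %u\n", (unsigned)addrlen_for_family(AF_INET6));
    printf("[::1]:4444 layout ok: %d\n", loopback6_layout_ok(4444));
    printf("ipv6 loopback round trip: %d\n", ipv6_loopback_roundtrip());
    return 0;
}
```

Compile with `gcc -Wall -o sa6 sa6.c && ./sa6`. The round trip only exercises the standard socket calls; what a reviewer should take from it is the 16-versus-28-byte addrlen difference and the big-endian port at offset 2, since those are the two places an IPv4-to-IPv6 port of this kind of code silently breaks.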

The following is the final null-free shellcode. Please refer to the link to my previous post in the introduction section to learn more about the read() function used in the password check routine.

Now it's demo time.

Closing Thoughts

I did learn a thing or two about IPv6 addressing while crafting this shellcode and I hope you did too. All of the above code is available on my GitHub or Exploit-DB. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579
