Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 6477 | hidnplayr | 1 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |
| 2 | ;; ;; |
||
| 3 | ;; Copyright (C) KolibriOS team 2016. All rights reserved. ;; |
||
| 4 | ;; Distributed under terms of the GNU General Public License ;; |
||
| 5 | ;; ;; |
||
| 6 | ;; rshell.asm - Simple reverse shell for KolibriOS ;; |
||
| 7 | ;; ;; |
||
| 8 | ;; Written by hidnplayr@kolibrios.org ;; |
||
| 9 | ;; ;; |
||
| 10 | ;; GNU GENERAL PUBLIC LICENSE ;; |
||
| 11 | ;; Version 2, June 1991 ;; |
||
| 12 | ;; ;; |
||
| 13 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |
||
| 14 | |||
| 15 | format binary as "" |
||
| 16 | |||
| 17 | BUFFERSIZE = 1500 |
||
| 18 | |||
| 19 | use32 |
||
| 20 | ; standard header |
||
| 21 | db 'MENUET01' ; signature |
||
| 22 | dd 1 ; header version |
||
| 23 | dd start ; entry point |
||
| 24 | dd i_end ; initialized size |
||
| 25 | dd mem ; required memory |
||
| 26 | dd mem ; stack pointer |
||
| 27 | dd 0 ; parameters |
||
| 28 | dd 0 ; path |
||
| 29 | |||
| 30 | |||
| 31 | include '../../macros.inc' |
||
| 32 | purge mov,add,sub |
||
| 33 | include '../../proc32.inc' |
||
| 34 | include '../../dll.inc' |
||
| 35 | |||
| 36 | include '../../network.inc' |
||
| 37 | |||
| 38 | ; entry point |
||
| 39 | start: |
||
| 40 | ; load libraries |
||
| 41 | stdcall dll.Load, @IMPORT |
||
| 42 | test eax, eax |
||
| 43 | jnz exit |
||
| 44 | |||
| 45 | ; initialize console |
||
| 46 | invoke con_start, 1 |
||
| 47 | invoke con_init, 80, 25, 80, 25, title |
||
| 48 | |||
| 49 | mcall 40, EVM_STACK |
||
| 50 | |||
| 51 | invoke con_write_asciiz, str1 |
||
| 52 | |||
| 53 | mcall socket, AF_INET4, SOCK_STREAM, 0 |
||
| 54 | cmp eax, -1 |
||
| 55 | je sock_err |
||
| 56 | mov [socketnum], eax |
||
| 57 | |||
| 58 | ; This socket option is not implemented in kernel yet. |
||
| 59 | ; mcall setsockopt, [socketnum], SOL_SOCKET, SO_REUSEADDR, &yes, |
||
| 60 | ; cmp eax, -1 |
||
| 61 | ; je opt_err |
||
| 62 | |||
| 63 | mcall bind, [socketnum], sockaddr1, sockaddr1.length |
||
| 64 | cmp eax, -1 |
||
| 65 | je bind_err |
||
| 66 | |||
| 67 | mcall listen, [socketnum], 10 ; Backlog = 10 |
||
| 68 | cmp eax, -1 |
||
| 69 | je listen_err |
||
| 70 | |||
| 71 | invoke con_write_asciiz, str2 |
||
| 72 | |||
| 73 | mcall accept, [socketnum], sockaddr1, sockaddr1.length |
||
| 74 | cmp eax, -1 |
||
| 75 | je acpt_err |
||
| 76 | mov [socketnum2], eax |
||
| 77 | |||
| 78 | mcall 18, 7 |
||
| 79 | push eax |
||
| 80 | mcall 51, 1, thread, mem - 2048 |
||
| 81 | pop ecx |
||
| 82 | mcall 18, 3 |
||
| 83 | |||
| 84 | .loop: |
||
| 85 | mcall recv, [socketnum2], buffer, buffer.length, 0 |
||
| 86 | cmp eax, -1 |
||
| 87 | je .loop |
||
| 88 | |||
| 89 | mov byte[buffer+eax], 0 |
||
| 90 | invoke con_write_asciiz, buffer |
||
| 91 | jmp .loop |
||
| 92 | |||
| 93 | acpt_err: |
||
| 94 | invoke con_write_asciiz, str8 |
||
| 95 | jmp done |
||
| 96 | |||
| 97 | listen_err: |
||
| 98 | invoke con_write_asciiz, str3 |
||
| 99 | jmp done |
||
| 100 | |||
| 101 | bind_err: |
||
| 102 | invoke con_write_asciiz, str4 |
||
| 103 | jmp done |
||
| 104 | |||
| 105 | sock_err: |
||
| 106 | invoke con_write_asciiz, str6 |
||
| 107 | jmp done |
||
| 108 | |||
| 109 | done: |
||
| 110 | invoke con_getch2 ; Wait for user input |
||
| 111 | invoke con_exit, 1 |
||
| 112 | exit: |
||
| 113 | cmp [socketnum], 0 |
||
| 114 | je @f |
||
| 115 | mcall close, [socketnum] |
||
| 116 | @@: |
||
| 117 | cmp [socketnum2], 0 |
||
| 118 | je @f |
||
| 119 | mcall close, [socketnum2] |
||
| 120 | @@: |
||
| 121 | mcall -1 |
||
| 122 | |||
| 123 | |||
| 124 | thread: |
||
| 125 | mcall 40, 0 |
||
| 126 | .loop: |
||
| 127 | invoke con_getch2 |
||
| 128 | mov [send_data], ax |
||
| 129 | xor esi, esi |
||
| 130 | inc esi |
||
| 131 | test al, al |
||
| 132 | jnz @f |
||
| 133 | inc esi |
||
| 134 | @@: |
||
| 135 | mcall send, [socketnum2], send_data |
||
| 136 | |||
| 137 | invoke con_get_flags |
||
| 138 | test eax, 0x200 ; con window closed? |
||
| 139 | jz .loop |
||
| 140 | mcall -1 |
||
| 141 | |||
| 142 | |||
| 143 | |||
| 144 | ; data |
||
| 145 | title db 'Reverse shell',0 |
||
| 146 | str1 db 'Opening socket',10, 0 |
||
| 147 | str2 db 'Listening for incoming connections...',10,0 |
||
| 148 | str3 db 'Listen error',10,10,0 |
||
| 149 | str4 db 'Bind error',10,10,0 |
||
| 150 | str5 db 'Setsockopt error',10,10,0 |
||
| 151 | str6 db 'Could not open socket',10,10,0 |
||
| 152 | str8 db 'Error accepting connection',10,10,0 |
||
| 153 | |||
| 154 | sockaddr1: |
||
| 155 | dw AF_INET4 |
||
| 156 | .port dw 23 shl 8 ; port 23 - network byte order |
||
| 157 | .ip dd 0 |
||
| 158 | rb 10 |
||
| 159 | .length = $ - sockaddr1 |
||
| 160 | |||
| 161 | ; import |
||
| 162 | align 4 |
||
| 163 | @IMPORT: |
||
| 164 | |||
| 165 | library console, 'console.obj' |
||
| 166 | |||
| 167 | import console, \ |
||
| 168 | con_start, 'START', \ |
||
| 169 | con_init, 'con_init', \ |
||
| 170 | con_write_asciiz, 'con_write_asciiz', \ |
||
| 171 | con_exit, 'con_exit', \ |
||
| 172 | con_gets, 'con_gets',\ |
||
| 173 | con_cls, 'con_cls',\ |
||
| 174 | con_printf, 'con_printf',\ |
||
| 175 | con_getch2, 'con_getch2',\ |
||
| 176 | con_set_cursor_pos, 'con_set_cursor_pos',\ |
||
| 177 | con_get_flags, 'con_get_flags' |
||
| 178 | |||
| 179 | i_end: |
||
| 180 | |||
| 181 | socketnum dd ? |
||
| 182 | socketnum2 dd ? |
||
| 183 | buffer rb BUFFERSIZE |
||
| 184 | .length = BUFFERSIZE |
||
| 185 | |||
| 186 | send_data dw ? |
||
| 187 | |||
| 188 | align 4 |
||
| 189 | rb 4096 ; stack |
||
| 190 | mem: |