| 0,0 → 1,190 |
|---|
| ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |
| ;; ;; |
| ;; Copyright (C) KolibriOS team 2016. All rights reserved. ;; |
| ;; Distributed under terms of the GNU General Public License ;; |
| ;; ;; |
| ;; rshell.asm - Simple reverse shell for KolibriOS ;; |
| ;; ;; |
| ;; Written by hidnplayr@kolibrios.org ;; |
| ;; ;; |
| ;; GNU GENERAL PUBLIC LICENSE ;; |
| ;; Version 2, June 1991 ;; |
| ;; ;; |
| ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |
| |
| format binary as "" |
| |
| BUFFERSIZE = 1500 |
| |
| use32 |
| ; standard header |
| db 'MENUET01' ; signature |
| dd 1 ; header version |
| dd start ; entry point |
| dd i_end ; initialized size |
| dd mem ; required memory |
| dd mem ; stack pointer |
| dd 0 ; parameters |
| dd 0 ; path |
| |
| |
| include '../../macros.inc' |
| purge mov,add,sub |
| include '../../proc32.inc' |
| include '../../dll.inc' |
| |
| include '../../network.inc' |
| |
| ; entry point |
| start: |
| ; load libraries |
| stdcall dll.Load, @IMPORT |
| test eax, eax |
| jnz exit |
| |
| ; initialize console |
| invoke con_start, 1 |
| invoke con_init, 80, 25, 80, 25, title |
| |
| mcall 40, EVM_STACK |
| |
| invoke con_write_asciiz, str1 |
| |
| mcall socket, AF_INET4, SOCK_STREAM, 0 |
| cmp eax, -1 |
| je sock_err |
| mov [socketnum], eax |
| |
| ; This socket option is not implemented in kernel yet. |
| ; mcall setsockopt, [socketnum], SOL_SOCKET, SO_REUSEADDR, &yes, |
| ; cmp eax, -1 |
| ; je opt_err |
| |
| mcall bind, [socketnum], sockaddr1, sockaddr1.length |
| cmp eax, -1 |
| je bind_err |
| |
| mcall listen, [socketnum], 10 ; Backlog = 10 |
| cmp eax, -1 |
| je listen_err |
| |
| invoke con_write_asciiz, str2 |
| |
| mcall accept, [socketnum], sockaddr1, sockaddr1.length |
| cmp eax, -1 |
| je acpt_err |
| mov [socketnum2], eax |
| |
| mcall 18, 7 |
| push eax |
| mcall 51, 1, thread, mem - 2048 |
| pop ecx |
| mcall 18, 3 |
| |
| .loop: |
| mcall recv, [socketnum2], buffer, buffer.length, 0 |
| cmp eax, -1 |
| je .loop |
| |
| mov byte[buffer+eax], 0 |
| invoke con_write_asciiz, buffer |
| jmp .loop |
| |
| acpt_err: |
| invoke con_write_asciiz, str8 |
| jmp done |
| |
| listen_err: |
| invoke con_write_asciiz, str3 |
| jmp done |
| |
| bind_err: |
| invoke con_write_asciiz, str4 |
| jmp done |
| |
| sock_err: |
| invoke con_write_asciiz, str6 |
| jmp done |
| |
| done: |
| invoke con_getch2 ; Wait for user input |
| invoke con_exit, 1 |
| exit: |
| cmp [socketnum], 0 |
| je @f |
| mcall close, [socketnum] |
| @@: |
| cmp [socketnum2], 0 |
| je @f |
| mcall close, [socketnum2] |
| @@: |
| mcall -1 |
| |
| |
| thread: |
| mcall 40, 0 |
| .loop: |
| invoke con_getch2 |
| mov [send_data], ax |
| xor esi, esi |
| inc esi |
| test al, al |
| jnz @f |
| inc esi |
| @@: |
| mcall send, [socketnum2], send_data |
| |
| invoke con_get_flags |
| test eax, 0x200 ; con window closed? |
| jz .loop |
| mcall -1 |
| |
| |
| |
| ; data |
| title db 'Reverse shell',0 |
| str1 db 'Opening socket',10, 0 |
| str2 db 'Listening for incoming connections...',10,0 |
| str3 db 'Listen error',10,10,0 |
| str4 db 'Bind error',10,10,0 |
| str5 db 'Setsockopt error',10,10,0 |
| str6 db 'Could not open socket',10,10,0 |
| str8 db 'Error accepting connection',10,10,0 |
| |
| sockaddr1: |
| dw AF_INET4 |
| .port dw 23 shl 8 ; port 23 - network byte order |
| .ip dd 0 |
| rb 10 |
| .length = $ - sockaddr1 |
| |
| ; import |
| align 4 |
| @IMPORT: |
| |
| library console, 'console.obj' |
| |
| import console, \ |
| con_start, 'START', \ |
| con_init, 'con_init', \ |
| con_write_asciiz, 'con_write_asciiz', \ |
| con_exit, 'con_exit', \ |
| con_gets, 'con_gets',\ |
| con_cls, 'con_cls',\ |
| con_printf, 'con_printf',\ |
| con_getch2, 'con_getch2',\ |
| con_set_cursor_pos, 'con_set_cursor_pos',\ |
| con_get_flags, 'con_get_flags' |
| |
| i_end: |
| |
| socketnum dd ? |
| socketnum2 dd ? |
| buffer rb BUFFERSIZE |
| .length = BUFFERSIZE |
| |
| send_data dw ? |
| |
| align 4 |
| rb 4096 ; stack |
| mem: |