From 284b0be1c3ef6e34e5c4e21c401c8ac29bf3636f Mon Sep 17 00:00:00 2001 From: hidnplayr Date: Mon, 15 Aug 2016 18:56:02 +0000 Subject: [PATCH] Simple reverse Shell (TCP) demo, moved icmp.inc and ip.inc to network dir. git-svn-id: svn://kolibrios.org@6477 a494cfbc-eb01-0410-851d-a64ba20cac60 --- programs/network/{ping => }/icmp.inc | 0 programs/network/{ping => }/ip.inc | 0 programs/network/ping/ping.asm | 4 +- programs/network/rshell/Tupfile.lua | 2 + programs/network/rshell/rshell.asm | 190 +++++++++++++++++++++++++++ 5 files changed, 194 insertions(+), 2 deletions(-) rename programs/network/{ping => }/icmp.inc (100%) rename programs/network/{ping => }/ip.inc (100%) create mode 100644 programs/network/rshell/Tupfile.lua create mode 100644 programs/network/rshell/rshell.asm diff --git a/programs/network/ping/icmp.inc b/programs/network/icmp.inc similarity index 100% rename from programs/network/ping/icmp.inc rename to programs/network/icmp.inc diff --git a/programs/network/ping/ip.inc b/programs/network/ip.inc similarity index 100% rename from programs/network/ping/ip.inc rename to programs/network/ip.inc diff --git a/programs/network/ping/ping.asm b/programs/network/ping/ping.asm index 06f303f856..c5c37b16c1 100644 --- a/programs/network/ping/ping.asm +++ b/programs/network/ping/ping.asm @@ -36,8 +36,8 @@ include '../../dll.inc' include '../../struct.inc' include '../../network.inc' -include 'icmp.inc' -include 'ip.inc' +include '../icmp.inc' +include '../ip.inc' START: diff --git a/programs/network/rshell/Tupfile.lua b/programs/network/rshell/Tupfile.lua new file mode 100644 index 0000000000..91e45f061a --- /dev/null +++ b/programs/network/rshell/Tupfile.lua @@ -0,0 +1,2 @@ +if tup.getconfig("NO_FASM") ~= "" then return end +tup.rule("tcpserv.asm", "fasm %f %o " .. tup.getconfig("KPACK_CMD"), "tcpserv") diff --git a/programs/network/rshell/rshell.asm b/programs/network/rshell/rshell.asm new file mode 100644 index 0000000000..257710793d --- /dev/null 
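Review bot: The rule in Tupfile.lua builds `tcpserv.asm` into `tcpserv`, but the only source this commit adds in that directory is `rshell.asm`, so the rule has no matching input and the demo is never built; it should read `tup.rule("rshell.asm", "fasm %f %o " .. tup.getconfig("KPACK_CMD"), "rshell")`. The file looks copied from another network demo's Tupfile without the names being updated.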
+++ b/programs/network/rshell/rshell.asm 
@@ -0,0 +1,190 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; ;;
+;; Copyright (C) KolibriOS team 2016. All rights reserved. ;;
+;; Distributed under terms of the GNU General Public License ;;
+;; ;;
+;; rshell.asm - Simple reverse shell for KolibriOS ;;
+;; ;;
+;; Written by hidnplayr@kolibrios.org ;;
+;; ;;
+;; GNU GENERAL PUBLIC LICENSE ;;
+;; Version 2, June 1991 ;;
+;; ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+format binary as ""
+
+BUFFERSIZE = 1500
+
+use32
+; standard header
+ db 'MENUET01' ; signature
+ dd 1 ; header version
+ dd start ; entry point
+ dd i_end ; initialized size
+ dd mem ; required memory
+ dd mem ; stack pointer
+ dd 0 ; parameters
+ dd 0 ; path
+
+
+include '../../macros.inc'
+purge mov,add,sub
+include '../../proc32.inc'
+include '../../dll.inc'
+
+include '../../network.inc'
+
+; entry point
+start:
+; load libraries
+ stdcall dll.Load, @IMPORT
+ test eax, eax
+ jnz exit
+
+; initialize console
+ invoke con_start, 1
+ invoke con_init, 80, 25, 80, 25, title
+
+ mcall 40, EVM_STACK
+
+ invoke con_write_asciiz, str1
+
+ mcall socket, AF_INET4, SOCK_STREAM, 0
+ cmp eax, -1
+ je sock_err
+ mov [socketnum], eax
+
+; This socket option is not implemented in kernel yet.
+; mcall setsockopt, [socketnum], SOL_SOCKET, SO_REUSEADDR, &yes,
+; cmp eax, -1
+; je opt_err
+
+ mcall bind, [socketnum], sockaddr1, sockaddr1.length
+ cmp eax, -1
+ je bind_err
+
+ mcall listen, [socketnum], 10 ; Backlog = 10
+ cmp eax, -1
+ je listen_err
+
+ invoke con_write_asciiz, str2
+
+ mcall accept, [socketnum], sockaddr1, sockaddr1.length
+ cmp eax, -1
+ je acpt_err
+ mov [socketnum2], eax
+
+ mcall 18, 7
+ push eax
+ mcall 51, 1, thread, mem - 2048
+ pop ecx
+ mcall 18, 3
+
+ .loop:
+ mcall recv, [socketnum2], buffer, buffer.length, 0
+ cmp eax, -1
+ je .loop
+
+ mov byte[buffer+eax], 0
+ invoke con_write_asciiz, buffer
+ jmp .loop
+
+acpt_err:
+ invoke con_write_asciiz, str8
+ jmp done
+
+listen_err:
+ invoke con_write_asciiz, str3
+ jmp done
+
+bind_err:
+ invoke con_write_asciiz, str4
+ jmp done
+
+sock_err:
+ invoke con_write_asciiz, str6
+ jmp done
+
+done:
+ invoke con_getch2 ; Wait for user input
+ invoke con_exit, 1
+exit:
+ cmp [socketnum], 0
+ je @f
+ mcall close, [socketnum]
+ @@:
+ cmp [socketnum2], 0
+ je @f
+ mcall close, [socketnum2]
+ @@:
+ mcall -1
+
+
+thread:
+ mcall 40, 0
+ .loop:
+ invoke con_getch2
+ mov [send_data], ax
+ xor esi, esi
+ inc esi
+ test al, al
+ jnz @f
+ inc esi
+ @@:
+ mcall send, [socketnum2], send_data
+
+ invoke con_get_flags
+ test eax, 0x200 ; con window closed?
+ jz .loop
+ mcall -1
+
+
+
+; data
+title db 'Reverse shell',0
+str1 db 'Opening socket',10, 0
+str2 db 'Listening for incoming connections...',10,0
+str3 db 'Listen error',10,10,0
+str4 db 'Bind error',10,10,0
+str5 db 'Setsockopt error',10,10,0
+str6 db 'Could not open socket',10,10,0
+str8 db 'Error accepting connection',10,10,0
+
+sockaddr1:
+ dw AF_INET4
+.port dw 23 shl 8 ; port 23 - network byte order
+.ip dd 0
+ rb 10
+.length = $ - sockaddr1
+
+; import
+align 4
+@IMPORT:
+
+library console, 'console.obj'
+
+import console, \
+ con_start, 'START', \
+ con_init, 'con_init', \
+ con_write_asciiz, 'con_write_asciiz', \
+ con_exit, 'con_exit', \
+ con_gets, 'con_gets',\
+ con_cls, 'con_cls',\
+ con_printf, 'con_printf',\
+ con_getch2, 'con_getch2',\
+ con_set_cursor_pos, 'con_set_cursor_pos',\
+ con_get_flags, 'con_get_flags'
+
+i_end:
+
+socketnum dd ?
+socketnum2 dd ?
+buffer rb BUFFERSIZE
+.length = BUFFERSIZE
+
+send_data dw ?
+
+align 4
+rb 4096 ; stack
+mem:
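Review bot: The terminator store `mov byte[buffer+eax], 0` in the `.loop` under `start` writes one byte past `buffer` whenever `recv` returns a full `buffer.length` (BUFFERSIZE) bytes, landing on the first byte of `send_data`, which is declared immediately after it; requesting one byte less, `mcall recv, [socketnum2], buffer, buffer.length-1, 0`, keeps the NUL inside the buffer. The same loop never ends the session: a `recv` result of 0 (peer closed) or -1 (error) both go straight back to `.loop`, the 0 case printing empty strings forever, so `je exit` in place of `je .loop`, followed by `test eax, eax` / `jz exit`, would be the minimum. In `thread`, `esi` is set to 1 or 2 but the `mcall send, [socketnum2], send_data` line names neither a length nor flags, unlike the `recv` call which passes `buffer.length, 0`; presumably `mcall send, [socketnum2], send_data, esi, 0` was intended, and what the kernel currently sees as the length depends on whatever the `mcall` macro leaves in the remaining registers. Finally, the header comment and `title` call this a reverse shell, but the code binds, listens on port 23 and accepts from any address (`.ip dd 0`), so it is a listening (bind) shell taking unauthenticated connections from any host; a comment at `sockaddr1` saying so would keep readers from expecting a connect-back.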