kolibrios-gitea/programs/network/rshell/rshell.asm

191 lines
5.1 KiB
NASM
Raw Normal View History

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; ;;
;; Copyright (C) KolibriOS team 2016. All rights reserved. ;;
;; Distributed under terms of the GNU General Public License ;;
;; ;;
;; rshell.asm - Simple reverse shell for KolibriOS ;;
;; ;;
;; Written by hidnplayr@kolibrios.org ;;
;; ;;
;; GNU GENERAL PUBLIC LICENSE ;;
;; Version 2, June 1991 ;;
;; ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
format binary as ""
BUFFERSIZE = 1500
use32
; standard header
db 'MENUET01' ; signature
dd 1 ; header version
dd start ; entry point
dd i_end ; initialized size
dd mem ; required memory
dd mem ; stack pointer
dd 0 ; parameters
dd 0 ; path
include '../../macros.inc'
purge mov,add,sub
include '../../proc32.inc'
include '../../dll.inc'
include '../../network.inc'
; entry point
start:
; load libraries
stdcall dll.Load, @IMPORT
test eax, eax
jnz exit
; initialize console
invoke con_start, 1
invoke con_init, 80, 25, 80, 25, title
mcall 40, EVM_STACK
invoke con_write_asciiz, str1
mcall socket, AF_INET4, SOCK_STREAM, 0
cmp eax, -1
je sock_err
mov [socketnum], eax
; This socket option is not implemented in kernel yet.
; mcall setsockopt, [socketnum], SOL_SOCKET, SO_REUSEADDR, &yes,
; cmp eax, -1
; je opt_err
mcall bind, [socketnum], sockaddr1, sockaddr1.length
cmp eax, -1
je bind_err
mcall listen, [socketnum], 10 ; Backlog = 10
cmp eax, -1
je listen_err
invoke con_write_asciiz, str2
mcall accept, [socketnum], sockaddr1, sockaddr1.length
cmp eax, -1
je acpt_err
mov [socketnum2], eax
mcall 18, 7
push eax
mcall 51, 1, thread, mem - 2048
pop ecx
mcall 18, 3
.loop:
mcall recv, [socketnum2], buffer, buffer.length, 0
cmp eax, -1
je .loop
mov byte[buffer+eax], 0
invoke con_write_asciiz, buffer
jmp .loop
acpt_err:
invoke con_write_asciiz, str8
jmp done
listen_err:
invoke con_write_asciiz, str3
jmp done
bind_err:
invoke con_write_asciiz, str4
jmp done
sock_err:
invoke con_write_asciiz, str6
jmp done
done:
invoke con_getch2 ; Wait for user input
invoke con_exit, 1
exit:
cmp [socketnum], 0
je @f
mcall close, [socketnum]
@@:
cmp [socketnum2], 0
je @f
mcall close, [socketnum2]
@@:
mcall -1
thread:
mcall 40, 0
.loop:
invoke con_getch2
mov [send_data], ax
xor esi, esi
inc esi
test al, al
jnz @f
inc esi
@@:
mcall send, [socketnum2], send_data
invoke con_get_flags
test eax, 0x200 ; con window closed?
jz .loop
mcall -1
; data
title db 'Reverse shell',0
str1 db 'Opening socket',10, 0
str2 db 'Listening for incoming connections...',10,0
str3 db 'Listen error',10,10,0
str4 db 'Bind error',10,10,0
str5 db 'Setsockopt error',10,10,0
str6 db 'Could not open socket',10,10,0
str8 db 'Error accepting connection',10,10,0
sockaddr1:
dw AF_INET4
.port dw 23 shl 8 ; port 23 - network byte order
.ip dd 0
rb 10
.length = $ - sockaddr1
; import
align 4
@IMPORT:
library console, 'console.obj'
import console, \
con_start, 'START', \
con_init, 'con_init', \
con_write_asciiz, 'con_write_asciiz', \
con_exit, 'con_exit', \
con_gets, 'con_gets',\
con_cls, 'con_cls',\
con_printf, 'con_printf',\
con_getch2, 'con_getch2',\
con_set_cursor_pos, 'con_set_cursor_pos',\
con_get_flags, 'con_get_flags'
i_end:
socketnum dd ?
socketnum2 dd ?
buffer rb BUFFERSIZE
.length = BUFFERSIZE
send_data dw ?
align 4
rb 4096 ; stack
mem: