; linuxthor
;
; simple libssh example for passwd auth - copy a file
; to server (sftp) then execute it
;
; assemble with:
; nasm -f elf64 -o libsshcpexec.o libsshcpexec.asm
; gcc libsshcpexec.o -no-pie -o libsshcpexec -lssh
;
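BITS 64
default rel                             ; RIP-relative data access; also fine with -no-pie

extern ssh_new, ssh_options_set, ssh_connect, ssh_userauth_password
extern ssh_disconnect, ssh_free
extern sftp_new, sftp_init, sftp_open, sftp_write, sftp_close, sftp_free
extern ssh_channel_new, ssh_channel_open_session, ssh_channel_request_exec
extern ssh_channel_close, ssh_channel_free

; libssh: enum ssh_options_e members and return codes used below
%define SSH_OPTIONS_HOST    0
%define SSH_OPTIONS_USER    4
%define SSH_OK              0
%define SSH_AUTH_SUCCESS    0

; Linux <fcntl.h> / <sys/stat.h> values; sftp_open() takes the host's O_* flags
%define O_WRONLY            1
%define O_CREAT             64          ; 0100
%define O_TRUNC             512         ; 01000
%define OPEN_FLAGS          (O_WRONLY | O_CREAT | O_TRUNC)   ; = 577
%define S_IRWXU             448         ; 0700

%define EXIT_SUCCESS        0
%define EXIT_FAILURE        1

global main

;-----------------------------------------------------------------------
; int main(void)
; ABI:   SysV AMD64, non-leaf
; Flow:  ssh_new -> set host/user -> ssh_connect -> password auth ->
;        sftp upload of the embedded `pload` blob to `pth` ->
;        ssh_channel_request_exec(pth) -> teardown
; Out:   eax = EXIT_SUCCESS, or EXIT_FAILURE after releasing every handle
;        that had been acquired (see .cleanup)
; Regs:  rbx = exit status (callee-saved, survives the cleanup calls)
; Stack: push rbp + push rbx + sub 8 keeps rsp 16-byte aligned at each call
;
; NOTE(review): nothing verifies the server's host key between ssh_connect
; and ssh_userauth_password (libssh offers ssh_session_is_known_server /
; ssh_get_server_publickey for this), so the password is handed to
; whichever host answers at `con`. The credentials are also plain text in
; the binary's data section. Both are acceptable only for a lab example.
;-----------------------------------------------------------------------
main:
        push    rbp
        mov     rbp, rsp
        push    rbx                     ; callee-saved: holds exit status
        sub     rsp, 8                  ; realign: rsp % 16 == 0 from here on
        xor     ebx, ebx                ; status = EXIT_SUCCESS until proven otherwise

        ; --- SSH session -------------------------------------------------
        call    ssh_new
        test    rax, rax
        jz      .fail
        mov     [ssh_sesh], rax

        mov     rdi, rax
        mov     esi, SSH_OPTIONS_HOST
        lea     rdx, [con]
        call    ssh_options_set         ; int: compare eax, not rax
        test    eax, eax
        jnz     .fail

        mov     rdi, [ssh_sesh]
        mov     esi, SSH_OPTIONS_USER
        lea     rdx, [usr]
        call    ssh_options_set
        test    eax, eax
        jnz     .fail

        mov     rdi, [ssh_sesh]
        call    ssh_connect
        cmp     eax, SSH_OK
        jne     .fail

        ; NOTE(review): host-key verification belongs here, before any
        ; credential is sent.
        mov     rdi, [ssh_sesh]
        xor     esi, esi                ; username = NULL -> use SSH_OPTIONS_USER
        lea     rdx, [pwd]
        call    ssh_userauth_password
        cmp     eax, SSH_AUTH_SUCCESS
        jne     .fail

        ; --- SFTP upload -------------------------------------------------
        mov     rdi, [ssh_sesh]
        call    sftp_new
        test    rax, rax
        jz      .fail
        mov     [sftp_sesh], rax

        mov     rdi, rax
        call    sftp_init
        cmp     eax, SSH_OK
        jne     .fail

        mov     rdi, [sftp_sesh]
        lea     rsi, [pth]
        mov     edx, OPEN_FLAGS
        mov     ecx, S_IRWXU
        call    sftp_open
        test    rax, rax
        jz      .fail
        mov     [sftp_file], rax

        mov     rdi, rax
        lea     rsi, [pload]
        mov     rdx, ploadlen
        call    sftp_write
        cmp     rax, ploadlen           ; ssize_t: -1 or a short write is an error
        jne     .fail

        mov     rdi, [sftp_file]
        mov     qword [sftp_file], 0    ; sftp_close releases the handle whatever it returns
        call    sftp_close
        cmp     eax, SSH_OK
        jne     .fail

        mov     rdi, [sftp_sesh]
        mov     qword [sftp_sesh], 0    ; cleared so .cleanup does not free it twice
        call    sftp_free

        ; --- remote exec -------------------------------------------------
        mov     rdi, [ssh_sesh]
        call    ssh_channel_new
        test    rax, rax
        jz      .fail
        mov     [ssh_chan], rax

        mov     rdi, rax
        call    ssh_channel_open_session
        cmp     eax, SSH_OK
        jne     .fail

        mov     rdi, [ssh_chan]
        lea     rsi, [pth]
        call    ssh_channel_request_exec
        cmp     eax, SSH_OK
        jne     .fail

        mov     rdi, [ssh_chan]
        call    ssh_channel_close
        cmp     eax, SSH_OK             ; the original zeroed rax before this compare, so it never failed
        jne     .fail
        jmp     .cleanup

.fail:
        mov     ebx, EXIT_FAILURE

        ; --- teardown ----------------------------------------------------
        ; .bss starts zeroed and each slot is cleared once its object is
        ; released, so every check below is safe from any exit point.
.cleanup:
        mov     rdi, [ssh_chan]
        test    rdi, rdi
        jz      .no_chan
        call    ssh_channel_free        ; libssh closes a still-open channel here — confirm for the linked version
.no_chan:
        mov     rdi, [sftp_file]
        test    rdi, rdi
        jz      .no_file
        call    sftp_close              ; only reached if sftp_write failed
.no_file:
        mov     rdi, [sftp_sesh]
        test    rdi, rdi
        jz      .no_sftp
        call    sftp_free
.no_sftp:
        mov     rdi, [ssh_sesh]
        test    rdi, rdi
        jz      .done
        call    ssh_disconnect          ; no-op on a session that never connected
        mov     rdi, [ssh_sesh]
        call    ssh_free
.done:
        mov     eax, ebx
        add     rsp, 8
        pop     rbx
        pop     rbp
        ret

section .rodata
; NOTE(review): target host, account and password are compiled into the
; binary; anyone who can read the file can read them.
con:    db      '192.168.0.1',0
usr:    db      'username',0
pwd:    db      '!passwd!',0
pth:    db      '/tmp/success',0        ; remote destination, later passed to request_exec
pload:
        incbin  "pload"                 ; file contents shipped verbatim
ploadlen equ $-pload

section .bss
ssh_sesh:   resq 1                      ; ssh_session
ssh_chan:   resq 1                      ; ssh_channel
sftp_sesh:  resq 1                      ; sftp_session (zeroed after sftp_free)
sftp_file:  resq 1                      ; sftp_file    (zeroed after sftp_close)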