; linuxthor
;
; minimal libssh example: password authentication, then
; execution of one shell command over a session channel
;
; assemble with:
; nasm -f elf64 -o libsshexec.o libsshexec.asm
; gcc libsshexec.o -no-pie -o libsshexec -lssh
;
; NASM / Intel syntax, x86-64 ELF object, SysV AMD64 calling convention.
BITS 64

; libssh entry points used by main (resolved at link time via -lssh)
extern ssh_new, ssh_free
extern ssh_options_set
extern ssh_connect, ssh_disconnect
extern ssh_userauth_password
extern ssh_channel_new, ssh_channel_free
extern ssh_channel_open_session
extern ssh_channel_request_exec
extern ssh_channel_close

; libssh constants: enum ssh_options_e selectors and return codes
SSH_OPTIONS_HOST    equ 0               ; value argument: const char *hostname
SSH_OPTIONS_USER    equ 4               ; value argument: const char *username
SSH_OK              equ 0               ; generic success return
SSH_AUTH_SUCCESS    equ 0               ; ssh_userauth_* success return

global main
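;-----------------------------------------------------------------------
; int main(void)
; ABI:    SysV AMD64
; Flow:   ssh_new -> ssh_options_set(HOST) -> ssh_options_set(USER)
;         -> ssh_connect -> ssh_userauth_password -> ssh_channel_new
;         -> ssh_channel_open_session -> ssh_channel_request_exec
;         -> ssh_channel_close/free -> ssh_disconnect/ssh_free
; Out:    eax = 0 on success, 1 on any failure
; Stack:  one push (rbp) moves rsp from entry%16==8 to %16==0, so every
;         call site below is 16-byte aligned; no locals are used.
; Regs:   rax/rdi/rsi/rdx are scratch; the session and channel handles
;         live in .bss (ssh_sesh / ssh_chan), which start as NULL, so the
;         error path can tell what has already been allocated.
; Notes:  libssh status calls return int in eax and leave the upper half
;         of rax undefined, so status checks compare eax, never rax.
;         Pointer-returning calls (ssh_new, ssh_channel_new) test rax.
;         Static data is addressed RIP-relative ([rel ...]) so the object
;         links with or without -no-pie.
;         The command's output is never read back; only the exec request
;         result is checked.
;         NOTE(security): the server's host key is not verified
;         (no ssh_session_is_known_server / ssh_get_server_publickey), so
;         the client will authenticate to whatever answers at `con`.
;-----------------------------------------------------------------------
main:
        push    rbp
        mov     rbp, rsp

        ; session = ssh_new()
        call    ssh_new
        test    rax, rax
        jz      .error                      ; nothing allocated yet
        mov     [rel ssh_sesh], rax

        ; ssh_options_set(session, SSH_OPTIONS_HOST, con) == 0 ?
        mov     rdi, rax
        mov     esi, SSH_OPTIONS_HOST
        lea     rdx, [rel con]
        call    ssh_options_set
        test    eax, eax
        jnz     .error

        ; ssh_options_set(session, SSH_OPTIONS_USER, usr) == 0 ?
        mov     rdi, [rel ssh_sesh]
        mov     esi, SSH_OPTIONS_USER
        lea     rdx, [rel usr]
        call    ssh_options_set
        test    eax, eax
        jnz     .error

        ; ssh_connect(session) == SSH_OK ?
        mov     rdi, [rel ssh_sesh]
        call    ssh_connect
        cmp     eax, SSH_OK
        jne     .error

        ; ssh_userauth_password(session, NULL, pwd) == SSH_AUTH_SUCCESS ?
        ; NULL username: libssh falls back to the SSH_OPTIONS_USER value
        mov     rdi, [rel ssh_sesh]
        xor     esi, esi
        lea     rdx, [rel pwd]
        call    ssh_userauth_password
        cmp     eax, SSH_AUTH_SUCCESS
        jne     .error

        ; channel = ssh_channel_new(session)
        mov     rdi, [rel ssh_sesh]
        call    ssh_channel_new
        test    rax, rax
        jz      .error
        mov     [rel ssh_chan], rax

        ; ssh_channel_open_session(channel) == SSH_OK ?
        mov     rdi, rax
        call    ssh_channel_open_session
        cmp     eax, SSH_OK
        jne     .error

        ; ssh_channel_request_exec(channel, cmd) == SSH_OK ?
        mov     rdi, [rel ssh_chan]
        lea     rsi, [rel cmd]
        call    ssh_channel_request_exec
        cmp     eax, SSH_OK
        jne     .error

        ; ssh_channel_close(channel) == SSH_OK ?  (checked before the
        ; register is clobbered; the original zeroed rax first, which made
        ; this check unconditionally pass)
        mov     rdi, [rel ssh_chan]
        call    ssh_channel_close
        cmp     eax, SSH_OK
        jne     .error

        ; ssh_channel_free(channel); forget the handle so it is freed once
        mov     rdi, [rel ssh_chan]
        call    ssh_channel_free
        mov     qword [rel ssh_chan], 0

        ; ssh_disconnect(session); ssh_free(session)
        mov     rdi, [rel ssh_sesh]
        call    ssh_disconnect
        mov     rdi, [rel ssh_sesh]
        call    ssh_free
        mov     qword [rel ssh_sesh], 0

        xor     eax, eax                    ; return 0
        pop     rbp
        ret

.error:
        ; Best-effort release of whatever was allocated before the failure.
        ; Cleanup return values are deliberately ignored; the exit status
        ; already reports the failure. Each handle is NULL-checked and then
        ; zeroed so it can never be released twice.
        mov     rdi, [rel ssh_chan]
        test    rdi, rdi
        jz      .no_chan
        call    ssh_channel_free            ; also closes an open channel
        mov     qword [rel ssh_chan], 0
.no_chan:
        mov     rdi, [rel ssh_sesh]
        test    rdi, rdi
        jz      .no_sesh
        call    ssh_disconnect              ; no-op if never connected
        mov     rdi, [rel ssh_sesh]
        call    ssh_free
        mov     qword [rel ssh_sesh], 0
.no_sesh:
        mov     eax, 1                      ; return 1
        pop     rbp
        ret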
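; Connection parameters. Nothing in this file writes these strings, so they
; go in .rodata (mapped read-only) instead of the writable .data section.
; NOTE(security): host, user name and password are embedded in the binary
; as cleartext and can be read straight out of the file; for anything beyond
; a demo, take credentials from the environment or use key/agent based
; authentication (ssh_userauth_publickey_auto) rather than a stored password.
section .rodata
con     db '192.168.0.1',0              ; SSH_OPTIONS_HOST value
usr     db 'username',0                 ; SSH_OPTIONS_USER value
pwd     db '!passwd!',0                 ; ssh_userauth_password value
cmd     db 'touch /tmp/success',0       ; ssh_channel_request_exec command

; libssh handles, zero-initialised (.bss): NULL until main stores into them
section .bss
ssh_sesh    resq 1                      ; ssh_session from ssh_new
ssh_chan    resq 1                      ; ssh_channel from ssh_channel_new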