forked from temisu/oneKpaq
-
Notifications
You must be signed in to change notification settings - Fork 3
/
onekpaq_stub_lnx32.asm
163 lines (133 loc) · 2.87 KB
/
onekpaq_stub_lnx32.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
; vim: set ft=nasm noet ts=4:
; offset = 2, mode=3, dind=2, shift=3
%ifndef ONEKPAQ_DECOMPRESSOR_MODE
%error "please define ONEKPAQ_DECOMPRESSOR_MODE"
;%define ONEKPAQ_DECOMPRESSOR_MODE 3
%endif
%ifndef ONEKPAQ_DECOMPRESSOR_SHIFT
%error "please define ONEKPAQ_DECOMPRESSOR_SHIFT"
;%define ONEKPAQ_DECOMPRESSOR_SHIFT 3
%endif
%ifndef PAYLOAD_OFF
%error "please define PAYLOAD_OFF"
;%define PAYLOAD_OFF 2
%endif
%define ONEKPAQ_NO_SECTIONS 1
%define STDIN_FILENO 0
%define STDOUT_FILENO 1
%define STDERR_FILENO 2
%define AT_EMPTY_PATH 0x1000
%define P_ALL 4
%define SYS_exit 1
%define SYS_fork 2
%define SYS_write 4
%define SYS_open 5
%define SYS_waitpid 7
%define SYS_creat 8
%define SYS_execve 11
%define SYS_lseek 19
%define SYS_dup2 63
%define SYS_vfork 190
%define SYS_memfd_create 356
%define SYS_execveat 358
bits 32
org 0x08048000
ehdr:
db 0x7F,"ELF" ;!EI_MAGIC
db 1 ;~E_CLASS
db 1 ;~E_DATA
_endstub1: ; 10 bytes
mov eax, SYS_memfd_create ; 5 bytes
; ebx: name: don't care
xor ecx, ecx ; 2 bytes
int 0x80 ; 2 bytes
db 0x3d ; cmp eax, imm32 -> jump over e_type and e_machine
;db 1 ; E_VERSION
;db 0 ; E_OSABI
;times 8 db 0
db 2 ;!e_type.0 (EXEC)
emptystr:
db 0 ;!e_type.1 (EXEC)
dw 3 ;!e_machine
;dd 1 ; e_version
_endstub2: ; 4 bytes
push SYS_write ; 2 bytes
jmp short _endstub3 ; 2 bytes
dd _start ;!e_entry
dd phdr - ehdr ;!e_phoff
;dd 0 ; e_shoff
;dd 0 ; e_flags
_endstub3: ; 8 bytes
xchg eax, ebx ; 1 byte
;pop eax ; 1 byte
mov ecx, payload_dest ; 5 bytes
jmp short _endstub4 ; 2 bytes
dw ehdr.end-ehdr ;!e_ehsize
dw phdr.end-phdr ;!e_phentsize
dw 1 ;!e_phnum
_endstub4: ; >=6 bytes
pop eax ; 1 byte
mov edx, 0x4000-(payload_dest-ehdr) ; 5 bytes
ehdr.end:
int 0x80 ; 2 bytes
jmp short _endstub5
;dw 0 ; e_shentsize
;dw 0 ; e_shnum
;dw 0 ; e_shstrndx
phdr:
dd 1 ;!p_type
dd 0 ;!p_offset
dd ehdr ;!p_vaddr
dd phdr ;!p_paddr
dd END-ehdr ;!p_filesz
dd 0xfc000;END-ehdr ;!memsz
;dd 7 ;~p_flags
;dd 0x1000 ; p_align
db 7
_endstub5: ; 7 bytes
pop ecx ; 1 byte
mov edx, esp ; 2 bytes
lea esi, [edx + ecx * 4 + 4] ; 4 bytes
phdr.end:
mov ax, SYS_execveat
mov ecx, emptystr
mov edi, AT_EMPTY_PATH
int 0x80
_start:
mov ebx, payload+PAYLOAD_OFF
lea edi, [ebx + payload_dest-payload-PAYLOAD_OFF]
%include "onekpaq_decompressor32.asm"
jmp _endstub1
; mov eax, SYS_memfd_create
; ; ebx: name: whatever
; xor ecx, ecx
; int 0x80
;
; push SYS_write
; xchg eax, ebx
; mov ecx, payload_dest
; pop eax
; mov edx, 0x4000-(payload_dest-ehdr)
; int 0x80
;
; pop ecx ; argc
; mov edx, esp ; argv
; lea esi, [edx + ecx * 4 + 4] ; envp
;
; mov ax, SYS_execveat ; eax was SYS_write result
; ; ebx: filedes
; mov ecx, emptystr
; ; edx: argv
; ; esi: envp
; mov edi, AT_EMPTY_PATH
; int 0x80
;
; int3
payload:
;incbin "flag32.raw"
incbin PAYLOAD_BIN
payload.end:
END:
; resb 9
payload_dest equ payload.end + 9 + 4
;payload_dest: