For write up
; 84 byte LINUX_REBOOT_CMD_POWER_OFF Binary Golf
;
; Purpose: a minimal x86-64 ELF that powers the machine off. A single PT_LOAD
; program header is overlaid on the ELF header, and the machine code is stored
; in header bytes the Linux loader does not validate. The only work done is
; one syscall:
;
;   reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_POWER_OFF)
;   rax = 0xa9 (__NR_reboot), rdi = 0xfee1dead, rsi = 0x28121969, rdx = 0x4321fedc
;
; Every directive below is position-sensitive: each byte is simultaneously
; code, an ELF header field and/or a program header field, and the two short
; jumps use fixed displacements. Changing the size of any line breaks the file.
;
; Reviewer notes (security / robustness):
;  - rax is never set explicitly; `mov al, 0xa9` relies on rax == 0 at
;    process entry (Linux starts a fresh ELF image with the GPRs zeroed).
;  - reboot(2) needs CAP_SYS_BOOT. On failure rax holds -errno and execution
;    falls into the zero filler at 0x40 (`add byte [rax], al`), which faults:
;    the binary crashes instead of reporting an error.
;  - No sync(2) precedes the power-off, so unflushed data is lost.
;  - p_flags is 0x1c, which has PF_X (bit 0) clear: the segment is declared
;    read-only. That dword is also e_phoff, so it cannot be changed without
;    relocating the program header. Executing from it relies on the kernel
;    applying READ_IMPLIES_EXEC to a binary that has no PT_GNU_STACK;
;    reportedly x86-64 kernels since Linux 5.8 no longer do, in which case
;    the entry point faults. TODO(review): confirm on the target kernel.
BITS 64
org 0x100000000                     ; = p_vaddr; ET_EXEC, so the header is mapped at this fixed address
;---------------------+------+------------+------------------------------------------------------------------+--------------------------------------+---------------+
; CODE LISTING        | OFFS | BYTES      | CODE COMMENT                                                     | ELF HEADER FIELD                     | PHDR FIELD    |
;---------------------+------+------------+------------------------------------------------------------------+--------------------------------------+---------------+
db 0x7F, "ELF"        ; 0x00 | 7f454c46   | ELF magic (checked by the loader; also usable as a constant)     | e_ident[EI_MAG0..EI_MAG3]            |               |
_start:               ;------|------------|------------------------------------------------------------------|--------------------------------------|---------------|
mov edx, 0x4321fedc   ; 0x04 | badcfe2143 | rdx = LINUX_REBOOT_CMD_POWER_OFF (3rd syscall arg)               | EI_CLASS,EI_DATA,EI_VERSION,EI_OSABI |               |
mov esi, 0x28121969   ; 0x09 | be69191228 | rsi = LINUX_REBOOT_MAGIC2 (2nd syscall arg)                      | EI_ABIVERSION + padding              |               |
jmp short reeb        ; 0x0E | eb3c       | disp +0x3c -> reeb @0x4C                                         | padding                              |               |
dw 2                  ; 0x10 | 0200       | ET_EXEC (checked by the loader)                                  | e_type                               |               |
dw 0x3e               ; 0x12 | 3e00       | EM_X86_64 (checked by the loader)                                | e_machine                            |               |
dd 1                  ; 0x14 | 01000000   | EV_CURRENT                                                       | e_version                            |               |
dd _start - $$        ; 0x18 | 04000000   | low dword of e_entry; full value is 0x100000004 = _start         | e_entry (lo)                         |               |
phdr:                 ;------|------------|------------------------------------------------------------------|--------------------------------------|---------------|
dd 1                  ; 0x1C | 01000000   | PT_LOAD; doubles as the high dword (0x1) of e_entry              | e_entry (hi)                         | p_type        |
dd phdr - $$          ; 0x20 | 1c000000   | e_phoff = 0x1c; read as p_flags this is PF_R only (PF_X clear)   | e_phoff (lo)                         | p_flags       |
dd 0                  ; 0x24 | 00000000   | segment starts at file offset 0                                  | e_phoff (hi)                         | p_offset (lo) |
dd 0                  ; 0x28 | 00000000   | e_shoff = 0: no section headers (the kernel does not read them)  | e_shoff (lo)                         | p_offset (hi) |
dq $$                 ; 0x2C | 00000000   | p_vaddr = 0x100000000 (= org)                                    | e_shoff (hi)                         | p_vaddr (lo)  |
                      ; 0x30 | 01000000   | high dword of p_vaddr; also read as e_flags                      | e_flags                              | p_vaddr (hi)  |
dw 0x40               ; 0x34 | 4000       | sizeof(Elf64_Ehdr)                                               | e_ehsize                             | p_paddr       |
dw 0x38               ; 0x36 | 3800       | sizeof(Elf64_Phdr); the loader rejects any other value           | e_phentsize                          | p_paddr       |
dw 1                  ; 0x38 | 0100       | one program header (the loader requires at least 1)              | e_phnum                              | p_paddr       |
dw 2                  ; 0x3A | 0200       | ignored (no section headers); 2 free bytes                       | e_shentsize                          | p_paddr       |
cya:                  ;------|------------|------------------------------------------------------------------|--------------------------------------|---------------|
mov al, 0xa9          ; 0x3C | b0a9       | rax = __NR_reboot (169); relies on rax == 0 at entry             | e_shnum                              | p_filesz (lo) |
syscall               ; 0x3E | 0f05       | reboot(...): does not return on success                          | e_shstrndx                           | p_filesz (lo) |
dd 0                  ; 0x40 | 00000000   | filler; decodes as `add byte [rax], al` x2 and faults if reached |                                      | p_filesz (hi) |
mov al, 0xa9          ; 0x44 | b0a9       | same bytes as 0x3C so p_memsz == p_filesz; never run on success  |                                      | p_memsz (lo)  |
syscall               ; 0x46 | 0f05       | (see above)                                                      |                                      | p_memsz (lo)  |
dd 0                  ; 0x48 | 00000000   | filler; keep zero so p_memsz == p_filesz (both 0x050fa9b0)       |                                      | p_memsz (hi)  |
reeb:                 ;------|------------|------------------------------------------------------------------|--------------------------------------|---------------|
mov edi, 0xfee1dead   ; 0x4C | bfaddee1fe | rdi = LINUX_REBOOT_MAGIC1 (1st syscall arg)                      |                                      | p_align       |
jmp short cya         ; 0x51 | ebe9       | disp -0x17 -> cya @0x3C                                          |                                      | p_align       |
nop                   ; 0x53 | 90         | filler; p_align ends up non-power-of-2, evidently tolerated here |                                      | p_align       |
;---------------------+------+------------+------------------------------------------------------------------+--------------------------------------+---------------+
; Note that the single PT_LOAD program header is overlaid on the ELF header,
; so most dwords serve two purposes and are constrained by both readings.
; Code space: the 12 bytes from 0x04 to 0x0F (minus the 2-byte short jump),
; then 8 bytes inside p_align at 0x4C, plus e_shentsize and the low dwords of
; p_filesz / p_memsz for storage or code if the values stay valid - still testing.
;
; LINUX_REBOOT_CMD_POWER_OFF
; (RB_POWER_OFF, 0x4321fedc; since Linux 2.1.30). The message
; "Power down." is printed, the system is stopped, and all power
; is removed from the system, if possible. If not preceded by a
; sync(2), data will be lost.
; [ Compile ]
; nasm -f bin -o bye bye.nasm
;
; One Liner (WARNING: this powers the host off immediately - no sync(2), no
; shutdown scripts; run `sync` first or expect to lose unflushed data. The
; reboot syscall needs CAP_SYS_BOOT, hence sudo; without it the call fails and
; the binary crashes on the zero filler instead of printing an error.)
; base64 -d <<< f0VMRrrc/iFDvmkZEijrPAIAPgABAAAABAAAAAEAAAAcAAAAAAAAAAAAAAAAAAAAAQAAAEAAOAABAAIAsKkPBQAAAACwqQ8FAAAAAL+t3uH+6+mQ > bye;chmod +x bye;sudo ./bye
;
; Syscall reference: http://man7.org/linux/man-pages/man2/reboot.2.html
; [ Full breakdown ]
; --- Elf Header
; Offset # Value Purpose
; 0-3 A 7f454c46 Magic number - 0x7F, then 'ELF' in ASCII
; 4 B ba EI_CLASS: 1 = 32 bit, 2 = 64 bit (evidently not validated by the Linux x86-64 loader - the binary runs with this value - which is why code lives here)
; 5 C dc EI_DATA: 1 = little endian, 2 = big endian (not validated, see above)
; 6 D fe EI_VERSION (not validated)
; 7 E 21 EI_OSABI - usually 0 for System V (not validated)
; 8-F F 43be69191228eb3c EI_ABIVERSION + padding, ignored by the loader; holds the rest of the first code block and the jump to 0x4C
; 10-11 G 0200 1 = relocatable, 2 = executable, 3 = shared, 4 = core
; 12-13 H 3e00 Instruction set
; 14-17 I 01000000 ELF Version
; 18-1F J 0400000001000000 Program entry position
; 20-27 K 1c00000000000000 Program header table position - This is actually in the middle of J.
; 28-2f L 0000000000000000 Section header table position (Don't have one here so whatev)
; 30-33 M 01000000 Flags - architecture dependent
; 34-35 N 4000 Header size
; 36-37 O 3800 Size of an entry in the program header table
; 38-39 P 0100 Number of entries in the program header table
; 3A-3B Q 0200 Size of an entry in the section header table
; 3C-3D R b0a9 Number of entries in the section header table [holds mov al, 0xa9 load syscall]
; 3E-3F S 0f05 Index in section header table with the section name [holds syscall opcodes]
;
; --- Program Header
; OFFSET # Value Purpose
; 1C-1F PA 01000000 Type of segment
; 0 = null - ignore the entry
; 1 = load - clear p_memsz bytes at p_vaddr to 0, then copy p_filesz bytes from p_offset to p_vaddr
; 2 = dynamic - requires dynamic linking
; 3 = interp - contains a file path to an executable to use as an interpreter for the following segment
; 4 = note section
; 20-23 PB 1c000000 Flags (p_flags, ELF PF_* bits - not the mmap PROT_* values)
; 1 = PF_X executable
; 2 = PF_W writable
; 4 = PF_R readable
; In this case the flags are 1c which is 00011100. The loader only looks at the
; lowest three bits, so this segment is PF_R only - PF_X is clear. The value is
; forced because this dword is also e_phoff. Execution therefore relies on the
; kernel making readable mappings executable (READ_IMPLIES_EXEC) for a binary
; with no PT_GNU_STACK; reportedly x86-64 kernels since Linux 5.8 no longer do
; this, in which case the entry point faults. Confirm on the target kernel.
; 24-2B PC 0000000000000000 The offset in the file that the data for this segment can be found (p_offset)
; 2C-33 PD 0000000001000000 Where you should start to put this segment in virtual memory (p_vaddr)
; 34-3B PE 4000380001000200 Physical Address (p_paddr, ignored on Linux). Its bytes are dictated by the ELF header fields it overlaps: e_phentsize must stay 0x38 (sizeof(Elf64_Phdr), checked by the loader) and e_phnum must be at least 1.
; 3C-43 PF b0a90f0500000000 Size of the segment in the file (p_filesz) = 0x050fa9b0, far larger than the 84-byte file | NOTE: this and p_memsz can hold code/data
; 44-4B PG b0a90f0500000000 Size of the segment in memory (p_memsz) | as long as the two stay equal (a larger p_memsz would make the loader zero-fill a .bss tail in this read-only mapping) and the high dword stays 0 - holds mov al, 0xa9 and syscall
; 4C-53 PH bfaddee1feebe990 The required alignment for this segment (must be a power of 2) Well... supposedly, because you can write code here.
;
; Breakdown of the hex dump according to the above data
; A---------- B- C- D- E- F----------------------
; 00000000 7f 45 4c 46 ba dc fe 21 43 be 69 19 12 28 eb 3c |.ELF...!C.i..(.<|
; PA---------
; G---- H---- I---------- J----------------------
; 00000010 02 00 3e 00 01 00 00 00 04 00 00 00 01 00 00 00 |..>.............|
; PB--------- PC---------------------- PD---------
; K---------------------- L----------------------
; 00000020 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
; PD--------- PE---------------------- PF---------
; M---------- N---- O---- P---- Q---- R---- S----
; 00000030 01 00 00 00 40 00 38 00 01 00 02 00 b0 a9 0f 05 |[email protected].........|
; PF--------- PG---------------------- PH---------
; 00000040 00 00 00 00 b0 a9 0f 05 00 00 00 00 bf ad de e1 |................|
; PH---------
; 00000050 fe eb e9 90 |....|