Codegolfing su in assembly

Sat 06 December 2014
By mute
; su in x86-64 for abusing shbot on irc.freenode.org/#bash.
; we overwrite .text section of a donor binary with our code to save writing a big ELF header.
; mute (m@san.aq) 07jul2015. public domain.

; 1. get offset for target binary
;  (/bin/nl is 6288 and /bin/[ is 5696; good luck getting other binaries off shbot)
;   objdump -h ~/nl.shbot | awk '/text/{print "ibase=16;"toupper($6)}' | bc
; 2. build this file with nasm
;   nasm -f bin su su.asm
; 3. get base64 encoded
;   base64 -w 0 ./su
; 4. run on shbot
;   # cd /bin;(head -c5696;read -N33;recode /64<<<VlJmv/7/McCwag8FsGkPBVpeSLsvYmluLy9zaDHAUFNIieewOw8F;cat)>tr<[;tr -c id
;   # recode /64<<<VlJmv/7/McCwag8FsGkPBVpeSLsvYmluLy9zaDHAUFNIieewOw8F|2<&-dd of=/bin/nl bs=8 seek=786 conv=notrunc;nl -c id

BITS 64
        ; main(rdi=argc, rsi=argv, rdx=envp)
        push    rsi             ; argv
        push    rdx             ; envp

;       mov     rdi, 65534
        mov     di, 65534
        xor     eax, eax
        mov     al, 106         ; setgid(%rdi)
        syscall

;       mov     rdi, 65534
        mov     al, 105         ; setuid(%rdi)
        syscall

        pop     rdx             ; envp
        pop     rsi             ; argv
        mov     rbx, '/bin//sh'
        xor     eax, eax
        push    rax             ; null-terminate program name
        push    rbx             ; /bin//sh
        mov     rdi, rsp        ; program
        mov     al, 0x3b        ; execv(program,argv,envp)
        syscall

Comments