; exploit_06.asm — flat assembler (Intel syntax), 32-bit Linux ELF
; executable using raw int 0x80 system calls. The struc/macro helpers
; below do the serial derivation and decimal formatting at assembly
; time, so the runtime code only has to drive the target program.
format ELF executable $03               ; 32-bit ELF; $03 fills the ABI byte (3 = GNU/Linux) — confirm against the fasm manual
entry _start
;-----------------------------------------------------------------------
; label string data
; Defines the label as an inline byte string and label.length as its
; size in bytes (used as the count argument of write()).
;-----------------------------------------------------------------------
struc string data*& {
.: db data                              ; the bytes, placed at the struc label itself
.length = ($ - .)                       ; byte count, including any terminator given in data
}
;-----------------------------------------------------------------------
; label auth data
; Assembly-time serial derivation: defines the label as a numeric
; constant computed from the bytes of data (the login). The result is 0
; when the input is rejected: fewer than 6 bytes, or any byte <= 0x1F.
; As written: seed = (data[3] xor 0x1337) + 0x5EEDED, then for every
; byte c: seed = seed + ((c xor seed) mod 0x539); the final seed is the
; value of the label.
; NOTE(review): presumably mirrors the check done by the target program —
; confirm against it. The assembler's wide integer arithmetic models no
; fixed-width wrap, so results for long inputs may differ from a 32-bit
; implementation; for short inputs the value stays small.
; Scratch: the input bytes are laid out in a shared virtual block
; __auth_virtual so they can be read back one at a time with load.
;-----------------------------------------------------------------------
struc auth data*& {
local _seed, _exit, _current, _start, _length
if (~(definite __auth_virtual))
virtual at $00
__auth_virtual::                        ; scratch block, created on first use; later uses append to it
end virtual
end if
virtual __auth_virtual
_start = $                              ; offset of this input inside the scratch block
db data
_length = ($ - _start)                  ; byte length of the input
end virtual
. = $00                                 ; default value of the label: rejected
_exit = $00                             ; becomes 1 when a byte fails validation
if (_length > $05)
load _seed byte from __auth_virtual:(_start+$03)
_seed = (_seed xor $1337) + $5EEDED     ; initial seed from the 4th byte
repeat _length                          ; % runs 1.._length
load _current byte from __auth_virtual:(_start+(%-$01))
if (_current <= $1F)                    ; control characters are rejected
_exit = $01
break
end if
_current = _current xor _seed
_seed = _seed + (_current mod $0539)
end repeat
if (~(_exit))
. = _seed                               ; accepted: the label becomes the serial
end if
end if
}
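;-----------------------------------------------------------------------
; itoa2Dec number
; Assembly-time helper: emits the decimal representation of a numeric
; constant as ASCII bytes at the current position, with a leading "-"
; for negative values. number must be a numeric constant (asserted).
; Zero is emitted explicitly as "0", because the digit loop below
; produces nothing for it.
; Scratch: digits are produced least-significant first into the shared
; virtual block __itoa2Dec_virtual (appended on every use) and then
; copied out from its end, which restores the natural order.
;-----------------------------------------------------------------------
macro itoa2Dec number* {
local _number, _modulo, _length
_number = (number)
if (_number < $00)
db "-"                                  ; sign first, then format the magnitude
_number = (-_number)
end if
_length = $00                           ; number of digits produced by this use
if (~(definite __itoa2Dec_virtual))
virtual at $00
__itoa2Dec_virtual::                    ; scratch block, created on first use
end virtual
end if
assert (_number eqtype $00)
if (_number = $00)
db "0"                                  ; the while loop never runs for zero
end if
while _number
_modulo = _number mod $0A
_number = _number / $0A
_length = _length + $01
virtual __itoa2Dec_virtual
db (_modulo+"0")                        ; least-significant digit first
end virtual
end while
repeat _length
virtual __itoa2Dec_virtual
load _number byte from __itoa2Dec_virtual:($-%)   ; $-1 is the most significant digit of this use
end virtual
db _number
end repeat
}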
;-----------------------------------------------------------------------
; struct timespec as laid out here: two 64-bit fields, 16 bytes.
; NOTE(review): the i386 int 0x80 nanosleep interface takes two 32-bit
; longs (8 bytes), so the kernel would read tv_sec from the low dword of
; .tv_sec and tv_nsec from its (zero-filled) high dword. This works only
; because the caller zeroes the whole struct first — confirm, and
; consider rd for both fields so the layout matches the kernel ABI.
;-----------------------------------------------------------------------
struc timespec {
.tv_sec: rq $01                         ; seconds (offset 0)
.tv_nsec: rq $01                        ; nanoseconds (offset 8)
}
; Lay the struc out at address 0 so timespec.tv_sec / timespec.tv_nsec
; are usable as plain offsets and timespec.sizeof is its byte size.
virtual at $00
timespec timespec
timespec.sizeof = $                     ; 16 with the layout above
end virtual
;-----------------------------------------------------------------------
; _start — program entry.
; ABI:   32-bit Linux, int 0x80: eax = syscall number, arguments in
;        ebx, ecx, edx; result in eax (negative = -errno).
; Flow:  pipe -> write(_payload) -> dup2(read end, stdin) -> fork
;        child:  execve(_program, {_program, NULL}, NULL)
;        parent: nanosleep(1 s) -> write(_command) -> exit(0)
; Stack: esp is aligned to 16, then 8 bytes hold int pipefd[2] filled
;        by pipe(): [esp] = read end (pipefd[0]), [esp+4] = write end
;        (pipefd[1]). The parent temporarily pushes a timespec below it.
; Notes: only pipe()'s result is checked; write/dup2/nanosleep/execve
;        results are ignored and the exit status is 0 on every path.
;        NOTE(review): syscall numbers and fd slots are bare hex
;        literals; named constants (equ) would make the flow auditable
;        at a glance.
;-----------------------------------------------------------------------
segment executable readable
_start:
        and     esp, not $0F            ; 16-byte align the stack
        sub     esp, $08                ; room for int pipefd[2]
        mov     eax, $2A                ; sys_pipe (42)
        mov     ebx, esp                ; ebx = pipefd
        int     $80
        test    eax, eax
        jnz     .exit                   ; pipe() failed (-errno): give up
        mov     eax, $04                ; sys_write (4)
        mov     ebx, dword [esp+$04]    ; fd = pipefd[1] (write end)
        mov     ecx, _payload           ; buf
        mov     edx, _payload.length    ; count
        int     $80
        mov     eax, $3F                ; sys_dup2 (63)
        mov     ebx, dword [esp]        ; oldfd = pipefd[0] (read end)
        xor     ecx, ecx                ; newfd = 0 (stdin)
        int     $80
        mov     eax, $02                ; sys_fork (2)
        int     $80
        test    eax, eax
        jz      .child                  ; eax = 0 in the child
; parent (eax = child pid): sleep one second, then send the command
        mov     ecx, timespec.sizeof    ; bytes to zero
        sub     esp, ecx                ; struct timespec on the stack
        xor     al, al                  ; fill byte 0 (only al matters for stosb)
        mov     edi, esp
        rep     stosb                   ; zero the struct (DF is clear at process start)
        mov     byte [esp+timespec.tv_sec], $01 ; tv_sec = 1; the rest stays 0
        mov     eax, $A2                ; sys_nanosleep (162)
        mov     ebx, esp                ; req
        xor     ecx, ecx                ; rem = NULL
        int     $80
        add     esp, timespec.sizeof    ; pipefd[] is back at [esp]
        mov     eax, $04                ; sys_write (4)
        mov     ebx, dword [esp+$04]    ; fd = pipefd[1] (write end)
        mov     ecx, _command           ; buf
        mov     edx, _command.length    ; count
        int     $80
        jmp     .exit
.child:
        mov     eax, $0B                ; sys_execve (11)
        mov     ebx, _program           ; filename
        xor     edx, edx                ; envp = NULL
        push    edx ebx                 ; builds argv[] = { _program, NULL } on the stack
        mov     ecx, esp                ; argv
        int     $80                     ; returns only on failure, then falls into .exit
.exit:
        mov     eax, $01                ; sys_exit (1)
        xor     ebx, ebx                ; status = 0
        int     $80
;-----------------------------------------------------------------------
; Read-only data: the path handed to execve, the line written after the
; delay, and the login/serial payload assembled at build time. Nothing
; here is written at run time, hence readable only.
;-----------------------------------------------------------------------
segment readable
_program: db "/home/users/level06/level06", $00   ; NUL-terminated path for execve
_command string "cat /home/users/level07/.pass", $0A ; newline-terminated line; .length supplied by the string struc
_login equ $2F, $2F, $2F, $2F, $2F, $2F         ; six "/" bytes: 6 > 5 satisfies auth's length check and none is <= 0x1F
_serial auth _login                             ; numeric constant: serial derived from _login at assembly time (0 if rejected)
_payload:
db _login, $0A                                  ; line 1: the login
itoa2Dec _serial                                ; line 2: the serial in decimal
db $0A
_payload.length = ($ - _payload)                ; byte count for the write() call