;-----------------------------------------------------------------------
; memexec-bash.nasm -- x86-64 Linux, NASM (Intel syntax), raw syscalls only.
;
; What this listing does:
;   1. memfd_create("kernel", 0)                  -> anonymous in-memory file
;   2. loop: read(stdin, buf, 1024) ; write(memfd, buf, n)   until read() <= 0
;   3. execveat(memfd, "", argv = { "", NULL }, envp = NULL, AT_EMPTY_PATH)
;   4. exit(99) is reached only if execveat returns, i.e. the exec failed
;
; Review notes (defensive view):
;   * Nothing is written to the filesystem, but the memfd name still marks
;     the result: the exec'd process's /proc/<pid>/exe and its mappings
;     resolve to a "/memfd:kernel (deleted)" path, and memfd_create (319)
;     followed by execveat (322) on that fd is the sequence an audit or
;     seccomp policy would key on.
;   * flags = 0 for memfd_create means no MFD_CLOEXEC, so the memfd stays
;     open across the execveat and is listed under /proc/<pid>/fd of the
;     new image.
;   * Register roles: rbp = entry rsp (saved, never restored -- the program
;     never returns); r8 = memfd while copying (the kernel clobbers only
;     rax, rcx, r11 on syscall, so r8 survives read/write); rdx = byte
;     count of the last read().
;   * Not handled here: memfd_create and write() return values are never
;     checked, a read() error (negative rax) takes the same path as EOF,
;     and the label named "exit" is actually the exec path.
;-----------------------------------------------------------------------
section .text
global _start ; Entry point for the program
_start:
; reserve a 1042-byte scratch area below the entry rsp; rbp keeps the
; entry rsp but is never read again
mov rbp, rsp
sub rsp, 1042
mov rax, 0x6c656e72656b ; little-endian ASCII "kernel" -- the memfd name
push 0 ; 8 zero bytes: NUL terminator (plus padding) for the name
push rax ; the name now sits at [rsp] as "kernel\0"
mov rax, 319 ; SYS_memfd_create (x86-64)
mov rdi, rsp ; arg1: name = "kernel" (shows as "/memfd:kernel" in /proc)
xor rsi, rsi ; arg2: flags = 0 -- no MFD_CLOEXEC, fd is inherited by the exec'd image
syscall
mov r8, rax ; r8 = memfd (return value is not checked for an error)
rw_loop:
; copy stdin into the memfd in 1024-byte chunks; the buffer starts at rsp,
; so it overwrites the name string (the kernel already copied it)
mov rax, 0 ; SYS_read
mov rdi, 0 ; fd 0 = stdin
mov rsi, rsp ; buffer = the stack scratch area
mov rdx, 1024 ; chunk size
syscall
mov rdx, rax ; rdx = bytes read; doubles as write()'s count below
; EOF (0) and a read error (negative) both leave the loop here
cmp rdx, 0
jle exit ; NOTE: "exit" executes the memfd, it does not close anything
; write the chunk to the memfd
mov rax, 1 ; SYS_write
mov rdi, r8 ; fd = memfd
mov rsi, rsp ; buffer
; rdx still holds read()'s count; write()'s return value (short write / error) is not checked
syscall
jmp rw_loop
exit:
; execveat(memfd, "", argv, envp, AT_EMPTY_PATH): replace this process with
; the in-memory file. Syscall argument registers: rdi, rsi, rdx, r10, r8.
mov rax, 322 ; SYS_execveat (x86-64)
mov rdi, r8 ; arg1: dirfd = memfd (copied before r8 is reused for the flags)
push 0
mov rsi, rsp ; arg2: pathname = "" (points at the zero qword just pushed)
push 0 ; argv[1] = NULL
push rsp ; pushes the pre-decrement rsp, i.e. argv[0] -> the zero qword above = ""
mov rdx, rsp ; arg3: argv = { "", NULL }
xor rcx, rcx ; rcx is not a syscall argument register (syscall clobbers it anyway)
xor r9, r9 ; r9 would be arg6; execveat takes only five arguments
xor r10, r10 ; arg4: envp = NULL (empty environment)
mov r8, 4096 ; arg5: flags = AT_EMPTY_PATH (0x1000): exec the fd itself, pathname ignored
syscall
; only reached if execveat failed (on success the image is replaced)
mov rax, 60 ; SYS_exit
mov rdi, 99 ; exit status 99 = exec failure
syscall