# File 'lib/msf/core/exploit/local/linux.rb', line 7
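# Provides the C prototypes and the i386 Linux syscall stubs that
# metasm-compiled local exploit payloads link against.
#
# The C declarations are fed to +cparser+ (an instance method that is not
# defined here); the assembly stubs are parsed into +metasm_exe+.  Each stub
# is a plain cdecl function: it reads its arguments from the stack, issues
# `int 0x80`, and - for the calls that translate errors - turns a kernel
# `-errno` return into an errno store via `__set_errno` (defined elsewhere)
# followed by a -1 return.  `read`, `write` and `unlink` return the raw
# kernel value, so a failure shows up as a negative `-errno`, not as -1.
#
# @param metasm_exe [Metasm::ExeFormat] executable the stubs are assembled into
# @return [void]
def linux_x86_syscall_wrappers(metasm_exe)
  cparser.parse <<-EOC
#ifndef size_t
#define size_t int
#endif
#ifndef off_t
#define off_t unsigned long
#endif
#define O_CREAT 64
#define O_RDWR 2
#define MAP_PRIVATE 0x02
#define MAP_FIXED 0x10
#define MAP_ANONYMOUS 0x20
#define MAP_ANON MAP_ANONYMOUS
#define MAP_FAILED ((void *)-1)
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#define PROT_EXEC 0x4
void exit(int status);
int read(int fd, void *buf, size_t count);
int write(int fd, void *buf, size_t count);
int open(const char *pathname, int flags, int mode);
int unlink(const char *pathname);
int ftruncate(int fd, off_t length);
int socket(int, int, int);
int sendfile(int in_fd, int out_fd, void *, int count);
void *__mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
#ifdef DEBUGGING
void sigtrap();
#else
#define sigtrap()
#endif
void *__get_tls();
EOC
  # i386 cdecl: arguments sit at [esp+4], [esp+8], ... on entry, and ebx, esi,
  # edi and ebp are callee-saved.  The kernel takes syscall arguments in
  # ebx, ecx, edx, esi, edi, ebp, so every stub that loads an argument into a
  # callee-saved register pushes it first and adjusts its stack offsets by the
  # number of pushes.  A return value in -129..-1 is treated as -errno; that
  # threshold mirrors the bionic stubs these are derived from.
  metasm_exe.parse <<-EOS
sigtrap:
int 3
ret
; exit never returns, so nothing needs preserving
exit:
mov eax, 1 ; sys_exit
mov ebx, [esp+4] ; status
int 0x80
ret
; returns the raw kernel value (no errno translation)
read:
push ebx
mov eax, 3 ; sys_read
mov edx,[esp+16] ; count
mov ecx,[esp+12] ; buf
mov ebx,[esp+8] ; file descriptor
int 0x80
pop ebx
ret
; returns the raw kernel value (no errno translation)
write:
push ebx
mov eax, 4 ; sys_write
mov edx,[esp+16] ; count
mov ecx,[esp+12] ; buf
mov ebx,[esp+8] ; file descriptor
int 0x80
pop ebx
ret
open:
push ebx
mov eax, 5 ; sys_open
mov edx,[esp+16] ; mode
mov ecx,[esp+12] ; flags
mov ebx,[esp+8] ; pathname
int 0x80
cmp eax, -129
jb 1f
neg eax
push eax
call __set_errno
add esp, 4
or eax, -1
1:
pop ebx
ret
ftruncate:
push ebx
push ecx
mov eax, 93 ; sys_ftruncate
mov ecx,[esp+16] ; length
mov ebx,[esp+12] ; file descriptor
int 0x80
cmp eax, -129
jb 1f
neg eax
push eax
call __set_errno
add esp, 4
or eax, -1
1:
pop ecx
pop ebx
ret
; sys_socketcall(SYS_SOCKET, args): the three C arguments are already laid
; out contiguously on the stack, so ecx just points at them
socket:
push ebx
push ecx
mov eax, 102 ; sys_socketcall
mov ebx, 1 ; SYS_SOCKET
mov ecx, esp
add ecx, 12 ; first C argument (above the two pushes and the return address)
int 0x80
cmp eax, -129
jb 1f
neg eax
push eax
call __set_errno
add esp, 4
or eax, -1
1:
pop ecx
pop ebx
ret
; NOTE(review): the kernel's sys_sendfile takes (out_fd, in_fd, offset, count);
; the first C argument lands in ebx, so callers must pass out_fd first even
; though the prototype names it in_fd - confirm against the call sites
sendfile:
push ebx
push ecx
push edx
push esi
mov eax, 187 ; sys_sendfile
mov esi,[esp+32] ; count
mov edx,[esp+28] ; offset
mov ecx,[esp+24] ; second fd
mov ebx,[esp+20] ; first fd
int 0x80
cmp eax, -129
jb 1f
neg eax
push eax
call __set_errno
add esp, 4
or eax, -1
1:
pop esi
pop edx
pop ecx
pop ebx
ret
; returns the raw kernel value (no errno translation)
unlink:
push ebx
mov eax, 10 ; sys_unlink
mov ebx,[esp+8] ; pathname
int 0x80
pop ebx
ret
; stolen from bionic
; six pushes + return address = 28 bytes, so the first argument is at [esp+28]
__mmap2:
push ebx
push ecx
push edx
push esi
push edi
push ebp
mov eax, 192 ; sys_mmap2
mov ebx, [esp+28] ; addr
mov ecx, [esp+32] ; length
mov edx, [esp+36] ; prot
mov esi, [esp+40] ; flags
mov edi, [esp+44] ; fd
mov ebp, [esp+48] ; offset (in pages for mmap2)
int 0x80
cmp eax, -129
jb 1f
neg eax
push eax
call __set_errno
add esp, 4
or eax, -1
1:
pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
ret
; Thread Local Storage, used by errno
__get_tls:
mov eax, gs:[0]
ret
EOS
end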