path: root/templates/shellcode/examples/shell64.asm
Age         Commit message                                   Author      Files  Lines

2023-01-15  shellcode: Update /bin/sh shellcodes             Malfurious  1      -14/+22

The shell-spawning shellcodes are rewritten to address the following concerns:
- The array parameters to execve are now set properly, to valid arrays on the stack, instead of NULL pointers.
- The cdq instruction is no longer used to sign-extend the rax register, since it has not been producing the expected results in gdb.
- Labels, sections, and other file metadata are removed in order to support concatenation of shellcode samples to make more complex code.

Signed-off-by: Malfurious <m@lfurio.us>

2023-01-15  shellcode: Move example code to a new directory  Malfurious  1      -0/+0

This is mainly done to keep the top working directory (where the Makefile lives) cleaner.

Signed-off-by: Malfurious <m@lfurio.us>

2022-02-27  shellcode: Initialize envp to NULL               Malfurious  1      -0/+1
This issue was discovered a while back, during one of the CTFs, and was particularly a problem with the 32-bit shellcode. Because the third kernel argument register was not being set by the payload, we would essentially pass garbage.

I'm only committing this now, as I've recently been able to reproduce the related failure and demonstrate this patch working. I never actually observed the 64-bit shellcode fail for this reason on a target, but it is also patched for correctness.

Argument 3 to execve() is the environment pointer, a pointer to an array of strings to define the process's environment variables. Although this argument should point to an empty array (ptr to NULL) if empty, Linux allows the pointer itself to be NULL in this case - thus the xor of the register.

Signed-off-by: Malfurious <m@lfurio.us>
2021-08-22  Add generic /bin/sh shellcode templates          Malfurious  1      -0/+15

Signed-off-by: Malfurious <m@lfurio.us>