Rizin
unix-like reverse engineering framework and cli tools
Functions | Variables
egg_exec.c File Reference
#include <rz_egg.h>

Go to the source code of this file.

Functions

static RzBufferbuild (RzEgg *egg)
 

Variables

static ut8 x86_osx_suid_binsh []
 
static ut8 x86_osx_binsh []
 
static ut8 x86_linux_binsh []
 
static ut8 x86_64_linux_binsh []
 
static ut8 arm_linux_binsh []
 
static ut8 thumb_linux_binsh []
 
RzEggPlugin rz_egg_plugin_exec
 
RZ_API RzLibStruct rizin_plugin
 

Function Documentation

◆ build()

static RzBuffer* build ( RzEgg egg)
static

Definition at line 59 of file egg_exec.c.

59  {
60  RzBuffer *buf = rz_buf_new_with_bytes(NULL, 0);
61  const ut8 *sc = NULL;
62  int cd = 0;
63  char *shell = rz_egg_option_get(egg, "cmd");
64  char *suid = rz_egg_option_get(egg, "suid");
65  // TODO: last char must not be \x00 .. or what? :D
66  if (suid && *suid == 'f') { // false
67  free(suid);
68  suid = NULL;
69  }
70  switch (egg->os) {
71  case RZ_EGG_OS_OSX:
72  case RZ_EGG_OS_DARWIN:
73  switch (egg->arch) {
74  case RZ_SYS_ARCH_X86:
75  if (suid) {
76  sc = x86_osx_suid_binsh;
77  cd = 7 + 36;
78  } else {
79  sc = x86_osx_binsh;
80  cd = 36;
81  }
82  case RZ_SYS_ARCH_ARM:
83  // TODO
84  break;
85  }
86  break;
87  case RZ_EGG_OS_LINUX:
88  if (suid) {
89  eprintf("no suid for this platform\n");
90  }
91  suid = 0;
92  switch (egg->arch) {
93  case RZ_SYS_ARCH_X86:
94  switch (egg->bits) {
95  case 32:
96  sc = x86_linux_binsh;
97  break;
98  case 64:
99  sc = x86_64_linux_binsh;
100  if (shell && *shell) {
101  int len = strlen(shell);
102  if (len > sizeof(st64) - 1) {
103  *shell = 0;
104  eprintf("Unsupported CMD length\n");
105  break;
106  }
107  st64 b = 0;
108  memcpy(&b, shell, strlen(shell));
109  b = -b;
110  shell = realloc(shell, sizeof(st64) + 1);
111  if (!shell) {
112  break;
113  }
114  rz_str_ncpy(shell, (char *)&b, sizeof(st64));
115  shell[sizeof(st64)] = 0;
116  cd = 4;
117  rz_buf_set_bytes(buf, sc, strlen((const char *)sc));
118  rz_buf_write_at(buf, cd, (const ut8 *)shell, sizeof(st64));
119  sc = 0;
120  }
121  break;
122  default:
123  eprintf("Unsupported arch %d bits\n", egg->bits);
124  }
125  break;
126  case RZ_SYS_ARCH_ARM:
127  switch (egg->bits) {
128  case 16:
129  sc = thumb_linux_binsh;
130  break;
131  case 32:
132  sc = arm_linux_binsh;
133  break;
134  default:
135  eprintf("Unsupported arch %d bits\n", egg->bits);
136  }
137  break;
138  }
139  break;
140  default:
141  eprintf("Unsupported os %x\n", egg->os);
142  break;
143  }
144 
145  if (sc) {
146  rz_buf_set_bytes(buf, sc, strlen((const char *)sc));
147  if (shell && *shell) {
148  if (cd) {
149  rz_buf_write_at(buf, cd, (const ut8 *)shell, strlen(shell) + 1);
150  } else {
151  eprintf("Cannot set shell\n");
152  }
153  }
154  }
155  free(suid);
156  free(shell);
157  return buf;
158 }
len
size_t len
Definition: 6502dis.c:15
cd
static csh cd
Definition: asm_mips_cs.c:10
NULL
#define NULL
Definition: cris-opc.c:27
rz_egg_option_get
RZ_API char * rz_egg_option_get(RzEgg *egg, const char *key)
Definition: egg.c:534
sc
static char sc[]
Definition: egg_cb.c:6
x86_64_linux_binsh
static ut8 x86_64_linux_binsh[]
Definition: egg_exec.c:46
thumb_linux_binsh
static ut8 thumb_linux_binsh[]
Definition: egg_exec.c:55
x86_linux_binsh
static ut8 x86_linux_binsh[]
Definition: egg_exec.c:34
x86_osx_suid_binsh
static ut8 x86_osx_suid_binsh[]
Definition: egg_exec.c:18
x86_osx_binsh
static ut8 x86_osx_binsh[]
Definition: egg_exec.c:25
arm_linux_binsh
static ut8 arm_linux_binsh[]
Definition: egg_exec.c:49
free
RZ_API void Ht_() free(HtName_(Ht) *ht)
Definition: ht_inc.c:130
buf
voidpf void * buf
Definition: ioapi.h:138
ut8
uint8_t ut8
Definition: lh5801.h:11
memcpy
memcpy(mem, inblock.get(), min(CONTAINING_RECORD(inblock.get(), MEMBLOCK, data) ->size, size))
realloc
void * realloc(void *ptr, size_t size)
Definition: malloc.c:144
eprintf
#define eprintf(x, y...)
Definition: rlcc.c:7
rz_buf_write_at
RZ_API st64 rz_buf_write_at(RZ_NONNULL RzBuffer *b, ut64 addr, RZ_NONNULL const ut8 *buf, ut64 len)
Write len bytes of the buffer at the specified address.
Definition: buf.c:1197
rz_buf_set_bytes
RZ_API bool rz_buf_set_bytes(RZ_NONNULL RzBuffer *b, RZ_NONNULL const ut8 *buf, ut64 len)
Replace the content of the buffer with the bytes array.
Definition: buf.c:905
rz_buf_new_with_bytes
RZ_API RZ_OWN RzBuffer * rz_buf_new_with_bytes(RZ_NULLABLE RZ_BORROW const ut8 *bytes, ut64 len)
Creates a new buffer with a bytes array.
Definition: buf.c:465
RZ_EGG_OS_DARWIN
#define RZ_EGG_OS_DARWIN
Definition: rz_egg.h:129
RZ_EGG_OS_OSX
#define RZ_EGG_OS_OSX
Definition: rz_egg.h:128
RZ_EGG_OS_LINUX
#define RZ_EGG_OS_LINUX
Definition: rz_egg.h:127
rz_str_ncpy
RZ_API size_t rz_str_ncpy(char *dst, const char *src, size_t n)
Secure string copy with null terminator.
Definition: str.c:923
RZ_SYS_ARCH_X86
@ RZ_SYS_ARCH_X86
Definition: rz_types.h:532
RZ_SYS_ARCH_ARM
@ RZ_SYS_ARCH_ARM
Definition: rz_types.h:533
st64
#define st64
Definition: rz_types_base.h:10
b
#define b(i)
Definition: sha256.c:42
rz_buf_t
Definition: rz_buf.h:43
rz_egg_t::bits
int bits
Definition: rz_egg.h:108
rz_egg_t::arch
int arch
Definition: rz_egg.h:106
rz_egg_t::os
ut32 os
Definition: rz_egg.h:109

References rz_egg_t::arch, arm_linux_binsh, b, rz_egg_t::bits, cd, eprintf, free(), len, memcpy(), NULL, rz_egg_t::os, realloc(), rz_buf_new_with_bytes(), rz_buf_set_bytes(), rz_buf_write_at(), rz_egg_option_get(), RZ_EGG_OS_DARWIN, RZ_EGG_OS_LINUX, RZ_EGG_OS_OSX, rz_str_ncpy(), RZ_SYS_ARCH_ARM, RZ_SYS_ARCH_X86, sc, st64, thumb_linux_binsh, x86_64_linux_binsh, x86_linux_binsh, x86_osx_binsh, and x86_osx_suid_binsh.

Variable Documentation

◆ arm_linux_binsh

ut8 arm_linux_binsh[]
static
Initial value:
=
"\x02\x20\x42\xe0\x1c\x30\x8f\xe2\x04\x30\x8d\xe5"
"\x08\x20\x8d\xe5\x13\x02\xa0\xe1\x07\x20\xc3\xe5\x04\x30\x8f\xe2"
"\x04\x10\x8d\xe2\x01\x20\xc3\xe5\x0b\x0b\x90\xef"
"\x2f\x62\x69\x6e\x2f\x73\x68"

Definition at line 49 of file egg_exec.c.

Referenced by build().

◆ rizin_plugin

RZ_API RzLibStruct rizin_plugin
Initial value:
= {
.type = RZ_LIB_TYPE_EGG,
.data = &rz_egg_plugin_exec,
.version = RZ_VERSION
}
rz_egg_plugin_exec
RzEggPlugin rz_egg_plugin_exec
Definition: egg_exec.c:161
RZ_LIB_TYPE_EGG
@ RZ_LIB_TYPE_EGG
Definition: rz_lib.h:84
RZ_VERSION
#define RZ_VERSION
Definition: rz_version.h:8

Definition at line 169 of file egg_exec.c.

◆ rz_egg_plugin_exec

RzEggPlugin rz_egg_plugin_exec
Initial value:
= {
.name = "exec",
.type = RZ_EGG_PLUGIN_SHELLCODE,
.desc = "execute cmd=/bin/sh suid=false",
.build = (void *)build
}
build
static RzBuffer * build(RzEgg *egg)
Definition: egg_exec.c:59
RZ_EGG_PLUGIN_SHELLCODE
#define RZ_EGG_PLUGIN_SHELLCODE
Definition: rz_egg.h:19

Definition at line 161 of file egg_exec.c.

◆ thumb_linux_binsh

ut8 thumb_linux_binsh[]
static
Initial value:
=
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0c\x30\xc0\x46\x01\x90"
"\x49\x1a\x92\x1a\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68"

Definition at line 55 of file egg_exec.c.

Referenced by build().

◆ x86_64_linux_binsh

ut8 x86_64_linux_binsh[]
static
Initial value:
=
"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

Definition at line 46 of file egg_exec.c.

Referenced by build().

◆ x86_linux_binsh

ut8 x86_linux_binsh[]
static
Initial value:
=
"\x31\xc0\x50\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

Definition at line 34 of file egg_exec.c.

Referenced by build().

◆ x86_osx_binsh

ut8 x86_osx_binsh[]
static
Initial value:
=
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17"
"\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68"

Definition at line 25 of file egg_exec.c.

Referenced by build().

◆ x86_osx_suid_binsh

ut8 x86_osx_suid_binsh[]
static
Initial value:
=
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17"
"\x31\xff\x4c\x89\xc0\x0f\x05"
"\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68"

Definition at line 18 of file egg_exec.c.

Referenced by build().