Commit 704b8dae authored by PoroCYon's avatar PoroCYon

header-32 186->179 bytes

parent 49a5d7ba
; ==========================================
; ========= MACROS AND BOILERPLATE =========
; ==========================================
BITS 32
;%define USE_GZIP
org 0x08048000
jumptar2_addr equ 0x51
%include "syscalls-32.asm"
%define STDIN_FILENO 0
%define STDOUT_FILENO 1
%define STDERR_FILENO 2
; ==============================
; ========= ELF HEADER =========
; ==============================
%define SYS_memfd_create 356
%define SYS_fork 2
%define SYS_waitid 284
%define SYS_execve 11
%define SYS_open 5
%define SYS_lseek 19
%define SYS_dup2 63
ehdr: ; Elf64_Ehdr
e_ident:
db 0x7F, "ELF", 1, 1, 1, 0
bits 32
e_padding:
; times 8 db 0
mov ax, 356
mov ebx, esp
jmp e_shoff
org 0x00200000
e_type:
dw 2
e_machine:
dw 3
e_version:
xor ebx, ebx
jmp p_flags
; dd 1
e_entry:
dd e_padding
e_phoff:
dd phdr - $$
e_shoff:
e_flags:
ehdr:
db 0x7f,"ELF" ; e_ident
; jg short jumptar
; dec esp
; inc esi
; machine numbers, padding
_start.0:
mov ax, SYS_memfd_create
mov ebx, esp
int 0x80
mov al, sys_fork
pop ebp
mov al, SYS_fork
pop ecx
; e_type
jmp short ehdr.e_machine.mid
db 0
;dw 2 ;!e_type
db 3
ehdr.e_machine.mid:
add dl, dh ; 0x00 0xf2 ; benign garbage instruction
;dw 3 ;!e_machine
int 0x80
e_ehsize: ;begins halfway into jmp
jmp p_paddr
db 0
; dd 0
; dd 0
; dw ehdrsize
e_phentsize:
dw phdrsize
; e_phnum:
; dw 1
; e_shentsize:
; dw 0
; e_shnum:
; dw 0
; e_shstrndx:
; dw 0
ehdrsize equ $ - ehdr
; ==================================
; ========= PROGRAM HEADER =========
; ==================================
phdr: ; Elf32_Phdr
p_type:
dd 1
p_offset:
dd 0
p_vaddr:
dd $$
p_paddr:
test eax, eax
jz _child
; dd $$
p_filesz:
jmp e_version
dw 0
; dd filesize
p_memsz:
jmp e_version+4
dw 0
; dd filesize
p_flags:
mov ax, sys_waitid
p_align:
jmp _parent
dw 0
phdrsize equ $ - phdr
; ===========================
; ========= CODE!!! =========
; ===========================
;dd 0 ; e_version
db 0xEB ; jmp short jumptar2
dd _start ;!e_entry
dd phdr - ehdr ;!e_phoff
phdr:
dd 1 ; e_shoff ;!p_type
dd 0 ; e_flags ;!p_offset
dd ehdr ; e_ehsize ;!p_vaddr
;!e_phentsize
dw 1 ;!e_phnum ; p_paddr
;; TODO: put code here ; except that haxoring the filesize doesn't quite work
;; => TODO: try with phdr more at the end of the ehdr
dw 0 ; e_shentsize
dd filesize ; e_shnum ;~p_filesz ; can be larger than needed, but must be at least filesize
; e_shstrndx
ehdr.end:
dd filesize ;~p_memsz ; ^
_start:
jmp short _start.0
_child:
;~p_flags
mov ebx, __self
; p_align
;dd 5 ;~p_flags ; MUST have AT LEAST 4 or 1 set
mov edi, ebx ; back up for (much) later
;dd 0 ; p_align
dec ecx ; 0 == O_RDONLY
mov al, SYS_open
int 0x80
;fd1
push eax
; mov ax, 356
; mov ebx, esp
; int 0x80
; seek
mov al, SYS_lseek
pop ebx
push ebx
mov cl, filesize
int 0x80
jmp short _child.2
; times (0x47-($-ehdr)) db 0
;jumptar:
;int3
; mov al, sys_fork
; pop ecx
; int 0x80
; test eax, eax
; jz _child
times (jumptar2_addr-($-ehdr)) db 0
jumptar2:
test eax, eax
jz short _child
_parent:
xor ebx, ebx
mov ax, SYS_waitid
; xor ebx, ebx
; mov ax, sys_waitid
mov si, 4
int 0x80
......@@ -122,71 +111,88 @@ _parent:
mov dl, 16+8
add edx, esp
; execve demo
mov eax, sys_execve
;mov eax, SYS_open
;; mov ebx, ebx
;mov ecx, 4
;int 0x80
;mov ebx, eax
;mov eax, 3;SYS_read
;mov ecx, esp
;mov edx, filesize
;int 0x80
;mov edi, ebx
;mov ecx, esp
;mov eax, 4;SYS_write
;mov ebx, STDERR_FILENO
;;mov edx, filesize
;int 0x80
;mov ebx, edi
push SYS_execve
pop eax
mov ecx, esp ;use our args as args
int 0x80
_child:
; open self
mov ebx, __self
mov al, sys_open ;open
int 0x80
;fd1
push eax
;seek
mov al, sys_lseek ;lseek
pop ebx
push ebx
mov cl, filesize
int 0x80
_child.2:
;dup2 demo->stdout
mov al, sys_dup2
dec ebx
mov cl, 1 ;1 = stdout
mov al, SYS_dup2
mov cl, STDOUT_FILENO
int 0x80
;dup2 self->stdin
mov al, sys_dup2
mov al, SYS_dup2
pop ebx
dec ecx ; 1 minus 1 equals zero!
dec ecx ; 1 (STDOUT_FILENO) minus 1 equals zero! (STDIN_FILENO)
int 0x80
;execve
mov al, sys_execve
;push __zip ; one byte shorter
mov al, SYS_execve
%ifdef USE_GZIP
mov edi, __gzip
add edi, __zip-__self
mov ebx, edi
%else
push 0
push __gzip
push ecx
add edi, __zip-__self
push edi
;push __zip ; one byte shorter
pop ebx
push ebx
%endif
; use our arguments
mov ecx, esp
mov ecx, esp
; xor rdx, rdx ;empty environ
int 0x80
; ; ===========================
; ; ========= STRINGS =========
; ; ===========================
__gzip:
__self:
db '/proc/self/exe',0
__memfd:
db '/dev/','fd/3',0
__zip:
%ifdef USE_GZIP
db '/bin/zcat',0
%else
db '/usr/bin/xzcat',0
%endif
__self:
db '/proc/self/exe',0
__memfd:
db '/dev/fd/3',0
filesize equ $ - $$
END:
filesize equ END - ehdr
;%if jumptar-ehdr != 0x47
;%error "Bad jumptar!"
;%endif
%if ehdr.e_machine.mid-ehdr != 0x13
%error "Bad .e_machine.mid"
%endif
%if jumptar2-ehdr != jumptar2_addr
%error "Bad jumptar2"
%endif
payload:
; incbin "payload.bin"
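Review bot: Neither execve site has an exit path: the child's `int 0x80` after `mov ecx, esp` (below `; use our arguments`) and the parent's `int 0x80` after `mov ecx, esp ;use our args as args` return only on failure, leaving `-errno` in eax and falling straight through — the parent into `_child`, the child into the bytes of `__gzip`/`__self`, so the path-string data is executed as code when `/usr/bin/xzcat` (or `/bin/zcat`) is missing. That is presumably deliberate for a sizecoding header, but it should be stated, e.g. `; execve returns only on failure; no exit path for size — control falls into the string bytes below`. Likewise `; xor rdx, rdx ;empty environ` is commented out, so envp is whatever edx holds at that point; if the code relies on the kernel zeroing edx at entry (and on `add dl, dh` in the header leaving it zero), a one-line comment saying so would save the next reader a trace. The `_parent` block this hunk opens on begins before the hunk.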