# -*- coding: binary -*- module Msf module Exploit::Local::Linux include Exploit::Local::CompileC def linux_x86_syscall_wrappers(metasm_exe) cparser.parse <<-EOC #ifndef size_t #define size_t int #endif #ifndef off_t #define off_t unsigned long #endif #define O_CREAT 64 #define O_RDWR 2 #define MAP_PRIVATE 0x02 #define MAP_FIXED 0x10 #define MAP_ANONYMOUS 0x20 #define MAP_ANON MAP_ANONYMOUS #define MAP_FAILED ((void *)-1) #define PROT_READ 0x1 #define PROT_WRITE 0x2 #define PROT_EXEC 0x4 void exit(int status); int read(int fd, void *buf, size_t count); int write(int fd, void *buf, size_t count); int open(const char *pathname, int flags, int mode); int unlink(const char *pathname); int ftruncate(int fd, off_t length); int socket(int, int, int); int sendfile(int in_fd, int out_fd, void *, int count); void *__mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t offset); #ifdef DEBUGGING void sigtrap(); #else #define sigtrap() #endif void *__get_tls(); EOC metasm_exe.parse <<-EOS sigtrap: int 3 ret exit: mov eax, 1 ; sys_exit mov ebx, [esp+4] int 0x80 ret read: mov eax, 3 ; sys_write mov edx,[esp+12] ; length mov ecx,[esp+8] ; string mov ebx,[esp+4] ; file descriptor int 0x80 ret write: mov eax, 4 ; sys_write mov edx,[esp+12] ; length mov ecx,[esp+8] ; string mov ebx,[esp+4] ; file descriptor int 0x80 ret open: mov eax, 5 ; sys_open mov edx,[esp+12] ; mode mov ecx,[esp+8] ; flags mov ebx,[esp+4] ; file name int 0x80 cmp eax, -129 jb 1f neg eax push eax call __set_errno add esp, 4 or eax, -1 1: ret ftruncate: push ebx push ecx mov eax, 93 ; sys_ftruncate mov ecx,[esp+16] ; file descriptor mov ebx,[esp+12] ; size int 0x80 cmp eax, -129 jb 1f neg eax push eax call __set_errno add esp, 4 or eax, -1 1: pop ecx pop ebx ret socket: push ebx push ecx mov eax, 102 ; sys_socketcall mov ebx, 1 mov ecx, esp add ecx, 12 int 0x80 cmp eax, -129 jb 1f neg eax push eax call __set_errno add esp, 4 or eax, -1 1: pop ecx pop ebx ret sendfile: push ebx push ecx push edx push esi mov eax, 187 ; sys_sendfile mov esi,[esp+32] ; size mov edx,[esp+28] ; offset mov ecx,[esp+24] ; out_fd mov ebx,[esp+20] ; in_fd int 0x80 cmp eax, -129 jb 1f neg eax push eax call __set_errno add esp, 4 or eax, -1 1: pop esi pop edx pop ecx pop ebx ret unlink: mov eax, 10 ; sys_unlink mov ebx,[esp+4] ; filename int 0x80 ret ; stolen from bionic __mmap2: push ebx push ecx push edx push esi push edi push ebp mov eax, 192 mov ebx, [esp+28] mov ecx, [esp+32] mov edx, [esp+36] mov esi, [esp+40] mov edi, [esp+44] mov ebp, [esp+48] int 0x80 cmp eax, -129 jb 1f neg eax push eax call __set_errno add esp, 4 or eax, -1 1: pop ebp pop edi pop esi pop edx pop ecx pop ebx ret ; Thread Local Storage, used by errno __get_tls: mov eax, gs:[0] ret EOS end end end