# -*- coding: binary -*-
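module Msf
  module Exploit::Local::Linux
    include Exploit::Local::CompileC

    # Declares the C prototypes and emits the i386 assembly bodies of the raw
    # Linux syscall wrappers that compiled-C payloads link against.
    #
    # Conventions shared by every wrapper below:
    #  * cdecl: arguments on the stack, result in eax. ebx/esi/edi/ebp are
    #    callee-saved, so every wrapper that loads them pushes/pops them around
    #    the syscall (the C code emitted by the compiler expects them intact).
    #  * int 0x80 with eax = syscall number and arguments in ebx,ecx,edx,esi,edi,ebp.
    #  * "libc-style" wrappers (open, ftruncate, socket, sendfile, __mmap2)
    #    treat a result in [-4095, -1] as -errno, store it via __set_errno and
    #    return -1. The kernel reserves that whole range for errors, so the
    #    check is `cmp eax, -4095 / jb ok` (unsigned compare).
    #  * "raw" wrappers (read, write, unlink) return the kernel value unchanged:
    #    a negative result is -errno and errno is NOT updated.
    #
    # __set_errno is not defined here; it is expected from the C side that
    # also owns __get_tls.
    #
    # @param metasm_exe [Metasm::ExeFormat] executable the assembly is parsed into
    # @return [void]
    def linux_x86_syscall_wrappers(metasm_exe)
      cparser.parse <<-EOC
        #ifndef size_t
        #define size_t int
        #endif
        #ifndef off_t
        #define off_t unsigned long
        #endif

        #define O_CREAT 64
        #define O_RDWR 2

        #define MAP_PRIVATE 0x02
        #define MAP_FIXED 0x10
        #define MAP_ANONYMOUS 0x20
        #define MAP_ANON MAP_ANONYMOUS
        #define MAP_FAILED ((void *)-1)

        #define PROT_READ 0x1
        #define PROT_WRITE 0x2
        #define PROT_EXEC 0x4

        /* sys_exit: terminates only the calling thread, not the whole process. */
        void exit(int status);

        /* Raw wrappers: return the kernel result, negative means -errno. */
        int read(int fd, void *buf, size_t count);
        int write(int fd, void *buf, size_t count);
        int unlink(const char *pathname);

        /* libc-style wrappers: -1 on failure with errno set. */
        int open(const char *pathname, int flags, int mode);
        int ftruncate(int fd, off_t length);
        int socket(int, int, int);
        /* Argument order follows sys_sendfile: destination first, then source.
         * offset may be NULL. */
        int sendfile(int out_fd, int in_fd, void *offset, int count);
        /* mmap2: offset is given in 4096-byte pages, not bytes. Returns MAP_FAILED
         * (-1) on error. */
        void *__mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t offset);

        #ifdef DEBUGGING
        void sigtrap();
        #else
        #define sigtrap()
        #endif

        void *__get_tls();
      EOC

      metasm_exe.parse <<-EOS
        ; Debug hook: raises SIGTRAP so an attached debugger stops here.
        sigtrap:
            int 3
            ret

        exit:
            mov eax, 1              ; sys_exit (thread only, not exit_group)
            mov ebx, [esp+4]        ; status
            int 0x80
            ret                     ; never reached

        read:
            push ebx                ; callee-saved
            mov eax, 3              ; sys_read
            mov edx, [esp+16]       ; count
            mov ecx, [esp+12]       ; buf
            mov ebx, [esp+8]        ; fd
            int 0x80
            pop ebx
            ret                     ; bytes read, or -errno

        write:
            push ebx                ; callee-saved
            mov eax, 4              ; sys_write
            mov edx, [esp+16]       ; count
            mov ecx, [esp+12]       ; buf
            mov ebx, [esp+8]        ; fd
            int 0x80
            pop ebx
            ret                     ; bytes written, or -errno

        open:
            push ebx                ; callee-saved
            mov eax, 5              ; sys_open
            mov edx, [esp+16]       ; mode
            mov ecx, [esp+12]       ; flags
            mov ebx, [esp+8]        ; pathname
            int 0x80
            cmp eax, -4095          ; unsigned: below 0xFFFFF001 is a valid fd
            jb 1f
            neg eax                 ; eax = errno
            push eax
            call __set_errno
            add esp, 4
            or eax, -1              ; return -1
        1:
            pop ebx
            ret

        ftruncate:
            push ebx                ; callee-saved
            mov eax, 93             ; sys_ftruncate
            mov ecx, [esp+12]       ; length
            mov ebx, [esp+8]        ; fd
            int 0x80
            cmp eax, -4095
            jb 1f
            neg eax
            push eax
            call __set_errno
            add esp, 4
            or eax, -1
        1:
            pop ebx
            ret

        socket:
            push ebx                ; callee-saved
            mov eax, 102            ; sys_socketcall
            mov ebx, 1              ; SYS_SOCKET
            lea ecx, [esp+8]        ; the cdecl args (domain, type, protocol) already form the arg array
            int 0x80
            cmp eax, -4095
            jb 1f
            neg eax
            push eax
            call __set_errno
            add esp, 4
            or eax, -1
        1:
            pop ebx
            ret

        sendfile:
            push ebx                ; callee-saved
            push esi                ; callee-saved
            mov eax, 187            ; sys_sendfile(out_fd, in_fd, offset, count)
            mov esi, [esp+24]       ; count
            mov edx, [esp+20]       ; offset (off_t *, may be NULL)
            mov ecx, [esp+16]       ; in_fd
            mov ebx, [esp+12]       ; out_fd
            int 0x80
            cmp eax, -4095
            jb 1f
            neg eax
            push eax
            call __set_errno
            add esp, 4
            or eax, -1
        1:
            pop esi
            pop ebx
            ret

        unlink:
            push ebx                ; callee-saved
            mov eax, 10             ; sys_unlink
            mov ebx, [esp+8]        ; pathname
            int 0x80
            pop ebx
            ret                     ; 0, or -errno

        ; adapted from bionic
        __mmap2:
            push ebx                ; callee-saved
            push esi
            push edi
            push ebp
            mov eax, 192            ; sys_mmap2
            mov ebx, [esp+20]       ; addr
            mov ecx, [esp+24]       ; length
            mov edx, [esp+28]       ; prot
            mov esi, [esp+32]       ; flags
            mov edi, [esp+36]       ; fd
            mov ebp, [esp+40]       ; offset in pages (mmap2), not bytes
            int 0x80
            cmp eax, -4095          ; addresses >= 0xFFFFF001 are never returned by the kernel
            jb 1f
            neg eax
            push eax
            call __set_errno
            add esp, 4
            or eax, -1              ; MAP_FAILED
        1:
            pop ebp
            pop edi
            pop esi
            pop ebx
            ret

        ; Thread Local Storage pointer, used by errno.
        ; Assumes gs points at a TLS block whose first word is its own address
        ; (bionic/glibc i386 layout) -- confirm for the target libc.
        __get_tls:
            mov eax, gs:[0]
            ret
      EOS
    end
  end
end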