- Send a blob to the server, it will be emulated as x86_64 code in unicorn.
- The following syscalls are forwarded to the host OS:
readwritemmapmunmapexit/exit_group
- Any interrupt terminates the interpreter.
- Bug:
mmapandmunmapare forwarded without any checks whatsoever. - Use the binary search to find the binary in the
ELF_ET_DYN_BASE..ELF_ET_DYN_BASE + (1 << (CONFIG_ARCH_MMAP_RND_BITS + PAGE_SHIFT))range using theMAP_FIXED_NOREPLACEflag. - Map the shellcode over the third page of the binary using the
MAP_FIXEDflag.- This page contains code.
- Replacing it not-so-carefully will not crash the binary right away.
- It will mess up
syscall_abiarray though, so no further syscalls after this. Repairingsyscall_abiis possible, but not necessary.
- Trigger an interrupt to terminate the interpreter, this will execute the shellcode.
nasm_kit
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||