Guest User

SC_SecurityTube

a guest
Jul 18th, 2011
349
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /* Hello World shellcode execution example.
  2.  *
  3.  * Anonymous memory map code was taken from:
  4.  * www.thexploit.com/secdev/testing-your-shellcode-on-a-non-executable-stack-or-heap/
  5.  */
  6.  
  7. #include <stdio.h>
  8. #include <sys/mman.h>
  9. #include <string.h>
  10. #include <stdlib.h>
  11.  
  12. int (*sc)();
  13.  
  14. char shellcode[] =
  15.                 "\xeb\x19" // jmp intro
  16.        
  17.                 // thecode:
  18.                 "\x31\xc0" // xorl %eax, %eax # Flush the registers
  19.                 "\x31\xdb" // xorl %ebx, %ebx
  20.                 "\x31\xd2" // xorl %edx, %edx
  21.        
  22.                 "\xb0\x04" // movl $0x04, %al
  23.                 "\xb3\x01" // movl $0x01, %bl
  24.                 "\x59"     // pop %ecx
  25.                 "\xb2\x0c" // movl $0x0c, %dl # Length of the Hello World string
  26.                 "\xcd\x80" // int $0x80
  27.        
  28.                 "\x31\xc0" // xor eax, eax
  29.                 "\x31\xdb" // xor ebx, ebx
  30.                 "\xb0\x01" // mov al, 0x01 (exit())
  31.                 "\xb3\x01" // mov bl, 0x01 (exit with status 1)
  32.                 "\xcd\x80" // int 0x80
  33.  
  34.                 // intro:
  35.                 "\xe8\xe2\xff\xff\xff" // call thecode
  36.                 "\x48\x65\x6c\x6c\x6f\x20" // Continues below
  37.                 "\x57\x6f\x72\x6c\x64\x0a"; // .ascii "Hello World\n"
  38.  
  39. int main(int argc, char* argv[])
  40. {
  41.     // Shellcode size
  42.     int sc_size = sizeof(shellcode);
  43.    
  44.     // Create an anonymous memory map and get a pointer to it
  45.     void *ptr = mmap(0, sc_size,
  46.             PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON
  47.             | MAP_PRIVATE, -1, 0);
  48.  
  49.     if (ptr == MAP_FAILED) {
  50.         perror("mmap");
  51.         exit(-1);
  52.     }
  53.  
  54.     // Put the shellcode in the mmap
  55.     memcpy(ptr, shellcode, sc_size);
  56.     sc = ptr;
  57.  
  58.     // And finally execute it
  59.     sc();
  60. }
RAW Paste Data