Multi OS shellcode part 1
-------------------------

There are enough reasons to write shellcode that is able to run on multiple OSes. Whether this is more effective than using an exploit that can fingerprint the OS first is another matter; I don't think it is.

Finding out whether you are running on a BSD or a Linux system is fairly easy: execute the same system call on both systems and analyze the returned value. I found that system call 39 is implemented on both BSD and Linux, but its implementation is very different on BSD than on Linux:

    Linux   --> mkdir()
    FreeBSD --> getppid()

So on Linux syscall 39 can be used to create a directory. To do this the system call requires several arguments, or it will return an error (nice). On FreeBSD syscall 39 is getppid(), which returns the parent process's ID. This system call does not require an argument and returns the process ID. Executing the following code on Linux and BSD:

    xor eax, eax
    xor ebx, ebx
    mov al,39
    int 0x80

returns an error on Linux and a value on BSD. We can match on the error and use it to jump to the right code (see the simple implementation below). So by executing syscall 39 (on BSD and Linux) with no arguments we get the following return values:

    Linux   --> Error (-1)
    FreeBSD --> A process ID

From here it is possible to tell the BSDs apart by using syscall 272. It's the same principle: we match on OpenBSD and can then isolate this OS from the other BSDs.

More information can be found here: http://www.safemode.org/files/zillion/shellcode/multios/

zillion

A simple implementation:
-------------------------

    xor eax, eax       ; cleanup
    xor ebx, ebx       ; cleanup
    mov al,39          ; syscall 39 (mkdir or getppid)
    int 0x80           ; call kernel
    test eax,eax
    js linux

    freebsd:
        ; Add FreeBSD assembly
        jmp short exit

    linux:
        ; Add Linux assembly

    exit:
        xor eax, eax
        mov al,1
        int 0x80
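As an added analyst-side example (not part of the original post), the Python below scans a byte blob for the encoded form of the fingerprint stub above (31 C0 31 DB B0 27 CD 80 85 C0 78 xx) and, for each hit, recovers where the FreeBSD fall-through path and the Linux jump target begin, which is useful when triaging a captured payload. The sample blob is constructed here; the function and constant names are my own.

```python
import re
import struct
from typing import Dict, List

# Encoding of the syscall-39 fingerprint stub (32-bit x86, int 0x80 ABI):
#   31 C0   xor eax, eax
#   31 DB   xor ebx, ebx
#   B0 27   mov al, 39
#   CD 80   int 0x80
#   85 C0   test eax, eax
#   78 ??   js rel8         (displacement depends on the payload layout)
STUB_RE = re.compile(rb"\x31\xc0\x31\xdb\xb0\x27\xcd\x80\x85\xc0\x78(.)", re.DOTALL)


def find_multios_stubs(blob: bytes) -> List[Dict[str, int]]:
    """Locate every syscall-39 OS-detection stub in blob.

    For each hit, report the stub offset and where the two code paths start:
    the fall-through path runs when eax >= 0 (FreeBSD getppid() returned a
    PID); the js target runs when eax < 0 (Linux mkdir() returned an error).
    """
    hits = []
    for m in STUB_RE.finditer(blob):
        disp = struct.unpack("b", m.group(1))[0]  # signed 8-bit displacement
        after_js = m.end()                         # first byte after the js
        hits.append({
            "offset": m.start(),
            "freebsd_branch": after_js,            # sign flag clear: fall through
            "linux_branch": after_js + disp,       # sign flag set: take the jump
        })
    return hits


# Constructed sample: 4 NOPs, the stub with js +5, 5 NOPs (the "FreeBSD" path),
# then an exit(1) stub standing in for the "Linux" path.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("31c031dbb027cd8085c078") + b"\x05"
    + b"\x90" * 5
    + bytes.fromhex("31c0b001cd80")
)

if __name__ == "__main__":
    for hit in find_multios_stubs(SAMPLE):
        print("stub at 0x%02x: FreeBSD path 0x%02x, Linux path 0x%02x"
              % (hit["offset"], hit["freebsd_branch"], hit["linux_branch"]))
```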