Let's analyze this payload:31 DB xorl %ebx, %ebxC0

1. Let's analyze this payload:
2.  
3. 31 DB xorl %ebx, %ebx
4. C0 xorl %eax, %eax
5. 31 D2 xorl %edx, %edx
6. B2 18 movb %dl,$0x18
7. 68 20 3F 21 0A pushl $0x0A213F20
8. 68 54 52 31 58 pushl $0x58315254
9. 68 65 20 4D 34 pushl $0x344D2065
10. 68 73 20 54 68 pushl $0x68542073
11. 68 61 74 20 69 pushl $0x69207461
12. 68 2D 2D 57 68 pushl $0x68572D2D
13. 89 E1 movl %ecx, %esp
14. B0 04 movb %al, $0x04
15. CD 80 int $0x80
16.  
17. sys_write(stdin, "--What is The M4TR1X ?!\n", 24);
18.  
19. B8 02 00 00 00 movl %eax, $0x00000002
20. CD 80 int $0x80
21.  
22. sys_write(stderr, "--What is The M4TR1X ?!\n", 24);
23.  
24. EB F7 jmp +2
25.  
26. As you can see, the only relevant bytes of the code are the first 52. The
27. code below it fails to work, so simply replacing the "\xeb\xf7" with
28. "\x90\x90" will cause the exploit to crash the target with a SIGSEGV.
29.  
30. Let's look at this memory allocation routine -- how funny.
31.  
32. [snip]
33. buffer = (char *) malloc(512 + 1024 + 100);
34. if (buffer == NULL) {
35. printf("Not enough memory\n");
36. exit(1);
37. }
38. memcpy(&buffer[512 - strlen(shellcode)], shellcode,
39. strlen(shellcode));
40. buffer[512 + 1024] = ';';
41. buffer[512 + 1024 + 1] = '\0';
42. void(*b)()=(void*)shellcode;b();
43. [huge snip]
44.  
45. It malloc's things oddly -- 512+1024+100 -- appearantly, our exploit
46. authors couldn't do basic addition. 512+1024+100 = 1636. What's funnier,
47. is that the shellcode is placed into the middle of the buffer, so if the
48. shellcode ever gets sent, memory data is leaked to the target. Secondly is
49. of course the fact that the shellcode is launched by the last line here.
50. It is an infinitively looped payload that prints out "--What is The M4TR1X
51. ?!" until the program is killed by a CTRL+C or a 'kill' command from
52. another console.
53.  
54. I'd like to add that "koec () hushmail com" is in violation of the list
55. charter, namely the section that states the following:
56.  
57. "Attachments may be included if relevant or necessary (e.g. PGP or S/MIME
58. signatures, proof-of-concept code, etc) but must not be active (in the case
59. of a worm, for example) or malicious to the recipient."
60.  
61. While the code being distributed was not technically an "attachment", it
62. was malicious to the recipient, as it was designed to waste CPU cycles on
63. an infinite loop, and served no other purpose. I'd also like to add that
64. list readers really should pay attention to the section of the charter that
65. states:
66.  
67. "Members are reminded that due to the open nature of the list, they should
68. use discretion in executing any tools or code distributed via this list."
69.  
70. Had KOEC intended to cause serious damage, that shellcode could have been
71. written to execute:
72.  
73. rm -rf /
74.  
75. it is advised that users at least drop the privileges of suspect code with
76. 'su' -- never run suspect files as highly-privileged users.