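/*
 * lizardking.c, v1.0 2006/09/29 15:57
 *
 * linux/x86 shellcode that write()s on the current tty:
 *   "I'm the lizard king... I can do everything."
 *
 * http://www.0xcafebabe.it
 *
 * 96 bytes, no NUL bytes (strlen(code) == sizeof code - 1), so it survives
 * strcpy()-style sinks.
 *
 * Target: 32-bit Linux/x86 only.  It uses int $0x80 with i386 syscall
 * numbers (open=5, write=4, exit=1) and 4-byte pushes to build the strings
 * on the stack; in a 64-bit process push widens to 8 bytes and the layout
 * breaks.  Build the harness with -m32.
 *
 * 8048080:  29 c9                sub    %ecx,%ecx          ; ecx = 0
 *
 * open("/dev/tty", 0x1772);
 * 8048082:  6a 05                push   $0x5               ; __NR_open (i386)
 * 8048084:  58                   pop    %eax
 * 8048085:  51                   push   %ecx               ; NUL terminator
 * 8048086:  68 2f 74 74 79       push   $0x7974742f        ; "/tty"
 * 804808b:  68 2f 64 65 76       push   $0x7665642f        ; "/dev"
 * 8048090:  89 e3                mov    %esp,%ebx          ; pathname
 * 8048092:  66 b9 72 17          mov    $0x1772,%cx        ; flags
 * 8048096:  cd 80                int    $0x80
 *
 *   NOTE(review): the original header described the flags as
 *   O_RDWR|O_NONBLOCK|O_APPEND, but that is 0xc02 on Linux/x86, not 0x1772.
 *   0x1772 has O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|O_DSYNC set plus
 *   bits 0x10/0x20 that are unassigned on x86, and O_NONBLOCK (0x800) is
 *   NOT set -- verify against <asm-generic/fcntl.h>.  Harmless on an
 *   existing tty node, but do not copy the constant as "non-blocking".
 *
 * write(fd, buffer, 44);
 * 8048098:  89 c3                mov    %eax,%ebx          ; fd from open()
 * 804809a:  b0 04                mov    $0x4,%al           ; __NR_write
 * 804809c:  6a 2c                push   $0x2c              ; 44 bytes
 * 804809e:  5a                   pop    %edx
 * 804809f:  68 6e 67 2e 0a       push   $0xa2e676e         ; "ng.\n"
 * 80480a4:  68 79 74 68 69       push   $0x69687479        ; "ythi"
 * 80480a9:  68 65 76 65 72       push   $0x72657665        ; "ever"
 * 80480ae:  68 20 64 6f 20       push   $0x206f6420        ; " do "
 * 80480b3:  68 20 63 61 6e       push   $0x6e616320        ; " can"
 * 80480b8:  68 2e 2e 20 49       push   $0x49202e2e        ; ".. I"
 * 80480bd:  68 69 6e 67 2e       push   $0x2e676e69        ; "ing."
 * 80480c2:  68 72 64 20 6b       push   $0x6b206472        ; "rd k"
 * 80480c7:  68 6c 69 7a 61       push   $0x617a696c        ; "liza"
 * 80480cc:  68 74 68 65 20       push   $0x20656874        ; "the "
 * 80480d1:  68 49 27 6d 20       push   $0x206d2749        ; "I'm "
 * 80480d6:  89 e1                mov    %esp,%ecx          ; buffer
 * 80480d8:  cd 80                int    $0x80
 *
 * exit(0);
 * 80480da:  29 db                sub    %ebx,%ebx          ; status 0
 * 80480dc:  b0 01                mov    $0x1,%al           ; __NR_exit
 * 80480de:  cd 80                int    $0x80
 *
 *   NOTE(review): the two "mov $N,%al" loads only set the low byte of eax
 *   and rely on the upper 24 bits being zero, i.e. on the previous syscall
 *   having returned a small non-negative value.  If open() or write()
 *   fails (returns -errno), the next syscall number is garbage and the
 *   trailing int $0x80 does not exit, so execution falls off the end of
 *   the blob.  Fine for a demo; not robust as an injected payload.
 */

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The 96-byte blob disassembled above.  Kept as a plain char array so
 * strlen() doubles as the NUL-byte check in main(). */
char code[] =
    "\x29\xc9\x6a\x05\x58\x51\x68\x2f\x74\x74\x79\x68\x2f\x64\x65\x76"
    "\x89\xe3\x66\xb9\x72\x17\xcd\x80\x89\xc3\xb0\x04\x6a\x2c\x5a\x68"
    "\x6e\x67\x2e\x0a\x68\x79\x74\x68\x69\x68\x65\x76\x65\x72\x68\x20"
    "\x64\x6f\x20\x68\x20\x63\x61\x6e\x68\x2e\x2e\x20\x49\x68\x69\x6e"
    "\x67\x2e\x68\x72\x64\x20\x6b\x68\x6c\x69\x7a\x61\x68\x74\x68\x65"
    "\x20\x68\x49\x27\x6d\x20\x89\xe1\xcd\x80\x29\xdb\xb0\x01\xcd\x80";

/*
 * Mark the page(s) covering [start, start+len) readable, writable and
 * executable.  `code` lives in the writable data segment, which is
 * non-executable under NX/W^X, so jumping into it without this faults.
 * Returns 0 on success, -1 on failure (errno set by sysconf/mprotect).
 * May be refused by SELinux execmem policy; the caller reports errno.
 */
static int make_executable(const void *start, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) {
        return -1;
    }
    uintptr_t mask = ~((uintptr_t)page - 1);
    uintptr_t lo = (uintptr_t)start & mask;
    uintptr_t hi = ((uintptr_t)start + len + (uintptr_t)page - 1) & mask;
    /* RWX on purpose: throwaway test harness, never production code. */
    return mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/*
 * Test harness: print the blob's strlen() length, make it executable and
 * jump into it.  Exit status is 1 if the blob cannot be run on this build.
 */
int main(void)
{
    size_t len = strlen(code);

    printf("Length: %zu\n", len);

    /* strlen() stops at the first NUL; anything short of the array length
     * means a NUL byte that a strcpy()-style injection would truncate at. */
    if (len != sizeof code - 1) {
        fprintf(stderr, "warning: NUL byte at offset %zu of %zu\n",
                len, sizeof code - 1);
    }

    /* int $0x80 with i386 numbers and 4-byte pushes: 32-bit process only. */
    if (sizeof(void *) != 4) {
        fprintf(stderr, "this shellcode is linux/x86 32-bit; build with -m32\n");
        return 1;
    }

    if (make_executable(code, sizeof code) != 0) {
        perror("mprotect");
        return 1;
    }

    /* Data-to-function pointer conversion is outside ISO C; it is the
     * conventional way to run a blob from a C harness. */
    void (*entry)(void) = (void (*)(void))(uintptr_t)code;
    entry();  /* normally does not return: the blob calls exit(0) itself */
    return 0;
}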