[TOOL] Findshell Payload Finder

From: SecuriTeam (support_at_securiteam.com)
Date: 08/25/04

    To: list@securiteam.com
    Date: 25 Aug 2004 16:35:50 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Findshell Payload Finder
    ------------------------------------------------------------------------

    SUMMARY

    DETAILS

    Assuming that a remote buffer overflow target has limited buffer space, so
    that storing the bind shellcode in the buffer is difficult but storing it
    "somewhere" else is possible, this shellcode, once executed, scans the
    address space of the vulnerable process for a certain pattern. Once the
    pattern is found, it jumps into it.

    The code utilizes a trick found in the chdir() system call that enables
    the shellcode to scan the memory address space of the process without
    triggering any segmentation faults, thus making the code more robust. The
    shellcode is contained in a normal C program for easy reference, and its
    code is listed below.
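    The chdir() probe that the advisory (and the tool's own notes) rely on can be
    demonstrated in a few lines of plain C on Linux. The program below is an added
    example, not the advisory's code and not part of the find_shell tool: the kernel
    copies the path string from whatever pointer it is given, and that copy fails
    with EFAULT (-14, 0xfffffff2 as a 32-bit value) on an unmapped or PROT_NONE page,
    while any other outcome (ENOENT, 0xfffffffe, being the common one) proves the page
    is readable. The probe therefore never touches the address from user space and
    never receives SIGSEGV. The scan keeps its search value as PATTERN-1 and fixes it
    up at run time, the same precaution the tool's notes describe; the three-page
    layout with a hole in the middle and the 0x11223344 value are constructed for
    the demonstration.

```c
/* Added example, not part of the advisory or of the find_shell tool.
 * Shows the chdir() memory probe on Linux and a page-wise pattern scan
 * that skips unmapped pages instead of faulting on them. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 if the kernel could read a string starting at addr, 0 if not.
 * Any result other than EFAULT (ENOENT, ENOTDIR, ENAMETOOLONG, or even
 * success if the bytes happen to spell an existing directory, which then
 * changes the cwd as a side effect) means "mapped". */
int probe_mapped(const void *addr)
{
    if (chdir((const char *)addr) == 0)
        return 1;
    return errno == EFAULT ? 0 : 1;
}

/* The value searched for is stored as PATTERN-1 and fixed up at run time,
 * so the scanner's own constant in .text/.rodata can never match itself.
 * 0x11223344 is the example value used in the tool's notes. */
static const uint32_t PATTERN_MINUS_ONE = 0x11223344 - 1;

/* Walk [start, end) page by page, probing each page before reading it.
 * Returns the first address holding the pattern, or NULL. A pattern that
 * straddles a page boundary is deliberately not matched, because the next
 * page has not been probed yet. */
void *find_pattern(const uint8_t *start, const uint8_t *end)
{
    uint32_t want = PATTERN_MINUS_ONE + 1;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    for (const uint8_t *p = start; p + page <= end; p += page) {
        if (!probe_mapped(p))
            continue;                      /* unmapped: skip, no fault */
        for (size_t off = 0; off + sizeof want <= page; off++) {
            uint32_t v;
            memcpy(&v, p + off, sizeof v);
            if (v == want)
                return (void *)(p + off);
        }
    }
    return NULL;
}

/* Constructed scenario: three anonymous pages, the middle one unmapped,
 * the pattern placed 100 bytes into the third. Returns 1 when the scan
 * reports the pattern at the expected address after crossing the hole. */
int demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return 0;
    if (munmap(base + page, page) != 0)   /* punch the hole */
        return 0;
    uint32_t want = PATTERN_MINUS_ONE + 1;
    uint8_t *target = base + 2 * page + 100;
    memcpy(target, &want, sizeof want);
    int ok = find_pattern(base, base + 3 * page) == target;
    munmap(base, page);
    munmap(base + 2 * page, page);
    return ok;
}

int main(void)
{
    printf("NULL page mapped? %d\n", probe_mapped(NULL));
    printf("scan across hole found pattern: %d\n", demo());
    return 0;
}
```

    For a defender the interesting property is the cost the tool's own timing
    already shows: a scan from address 0 spends minutes almost entirely in system
    time, issuing one chdir() call per page, nearly all of which fail with EFAULT.
    That burst of failed chdir() calls from a process that normally never changes
    directory is easy to see with strace, auditd syscall auditing or a seccomp
    log, and is a usable detection signal for this class of payload finder.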

    A small paper about un-initialized pointers and their exploitation is
    available at http://home.paf.net/qobaiashi/uninp.html.

    Tool Source
    /*
     find_shell code
    -=================

    what is it?
    """""""""""
    assume you have a remote bof with limited buffer space so you can't store your
    bindshellcode in the buffer, but you can store it "somewhere". this code once
    executed scans the address space of the vulnerable process for a certain pattern.
    once found it jumps into it.

    scans address space...erm...segfaults?
    """""""""""""""""""""""""""""""""""""""
    no segfaults here (i hope). while looking for a way to avoid segfaults i was
    browsing through the linux syscall list and found syscall #13 (chdir) which only
    takes a ptr to the pathname. after playing around with it i noticed that it
    returns 0xfffffffe if this ptr points to a valid (mapped) address and 0xfffffff2
    for an invalid address. this fact is used in the code to avoid accessing unmapped
    memory causing sigsegv.

    how to use?
    """""""""""
    make sure you scan for at least "unlikely" patterns ;) if you modify the pattern
    make sure it is 0xPATTERN-1 because if 0xPATTERN exists as is in memory you could
    find _this_ scanner code and start an infinite loop..
    if size matters you could leave out the part that sets %ebx and re-use the
    remaining value from the attacked process. below is a timing of a scan starting
    from 0x00000000 to the data segment:

    qobaiashi@cocoon:~> time find_shell
    www.u-n-f.com

    real 5m48.650s
    user 0m25.510s
    sys 5m13.100s

    it should also be possible to split larger code in small pieces and have them
    stored at random locations. then the code parts would look like:

    shellcode_part_1
    pushad
    find_next_steps_pattern=0x11223344

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

