Date: Mon, 28 Feb 2000 13:48:14 -0800 (PST)
From: Michael Kyle <mfk@yahoo-inc.com>
To: freebsd-hackers@freebsd.org
Subject: Re: Shell Code... (fwd)
Message-ID: <Pine.BSF.4.21.0002281346121.17097-100000@rootbeer.corp.yahoo.com>
Doug suggested that I send a message similar to this to the group, instead of my original. So, here is what I'd replied to Doug. Information or other approaches are appreciated.

Mike.
Yahoo!

---------- Forwarded message ----------
Date: Thu, 24 Feb 2000 21:39:26 -0800 (PST)
From: Michael Kyle <mfk@yahoo-inc.com>
To: Doug White <dwhite@resnet.uoregon.edu>
Subject: Re: Shell Code...

Doug,

You've been a FreeBSD advocate for quite a while; I'm new to the OS and new to Yahoo. I'm sure you know that Yahoo is a FreeBSD org. I really do need help whacking some of our development stuff. One of the things I am trying to do is demonstrate that I can obtain shells on some of our internally used code, in specific instances. While I have never had a problem deriving my own shell code on Solaris, IRIX or Linux, for some reason, everything I do on FreeBSD fails.

Do you happen to know where the execve (syscall index 59) snags its params? Clearly a gdb dump of the assembler of a simple prog that does nothing more than call execve passing /bin/sh shows the following:

    (gdb) disas main
    Dump of assembler code for function main:
    0x804814c <main>:       pushl  %ebp
    0x804814d <main+1>:     movl   %esp,%ebp                     # prolog stuff here
    0x804814f <main+3>:     subl   $0x8,%esp                     # variables
    0x8048152 <main+6>:     movl   $0x804833d,0xfffffff8(%ebp)   # /bin/sh
    0x8048159 <main+13>:    movl   $0x0,0xfffffffc(%ebp)
    0x8048160 <main+20>:    pushl  $0x0                          # param 2 to execve
    0x8048162 <main+22>:    leal   0xfffffff8(%ebp),%eax
    0x8048165 <main+25>:    pushl  %eax                          # param 1
    0x8048166 <main+26>:    movl   0xfffffff8(%ebp),%eax
    0x8048169 <main+29>:    pushl  %eax                          # param 0
    0x804816a <main+30>:    call   0x80481e8 <execve>            # the call
    0x804816f <main+35>:    addl   $0xc,%esp
    0x8048172 <main+38>:    leave
    0x8048173 <main+39>:    ret

and

    (gdb) disas execve
    Dump of assembler code for function execve:
    0x80481e8 <execve>:     leal   0x3b,%eax                     # syscall index
    0x80481ee <execve+6>:   int    $0x80                         # kernel call -- must know
                                                                 # where to find params
    0x80481f0 <execve+8>:   jb     0x80481e0 <atexit+108>        # a jump
    0x80481f2 <execve+10>:  ret
    0x80481f3 <execve+11>:  nop
    End of assembler dump.

and for the jb,

    (gdb) disas 0x80481e0
    ....
    0x80481e0 <atexit+108>: jmp    0x8048307 <.cerror>
    0x80481e5 <atexit+113>: leal   0x0(%esi),%esi

Clearly, a kernel call is performed (index 0x3b) with the passed info on the stack and as an offset to the frame pointer in main. I've tried referencing the values on the stack and seem to screw it up. Any suggestions? What you sent me..... do I need to expand?

Mike.

On Thu, 24 Feb 2000, Doug White wrote:

> On Thu, 24 Feb 2000, Michael Kyle wrote:
>
> > Hi does anyone have shellcode for FreeBSD. If not,
> > I'll disassemble execve, but I'd rather just pick
> > it up from the group.
>
> Yeah, the shellcode is
>
> 0xb238fb23b238gub2348b223bdfz23a89230934897a324987287bd8970d8997893981deadbeef21398778787aaa9797bb8979878d87f87
>
> Doug White                 | FreeBSD: The Power to Serve
> dwhite@resnet.uoregon.edu  | www.FreeBSD.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message