[TOOL] Findshell Payload Finder

Subject: [TOOL] Findshell Payload Finder
Date: 25 Aug 2004 16:35:50 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  Findshell Payload Finder
------------------------------------------------------------------------


SUMMARY



DETAILS

Assume that a remote buffer overflow target has limited buffer space, so that 
storing the bind shellcode in the overflowed buffer is difficult, but storing it 
"somewhere" in the process is possible. This shellcode, once executed, scans the 
address space of the vulnerable process for a certain pattern. Once the pattern 
is found, it jumps into it.

The code relies on a property of the chdir() system call that lets the 
shellcode test whether a memory address of the process is mapped without 
triggering a segmentation fault, which makes the scan more robust. The 
shellcode is embedded in a normal C program for easy reference; its source 
is listed below.

A short paper about uninitialized pointers and their exploitation is 
available at http://home.paf.net/qobaiashi/uninp.html.

Tool Source
/*
 find_shell code
-=================

what is it?
"""""""""""
assume you have a remote bof with limited buffer space so you can't store your
bindshellcode in the buffer, but you can store it "somewhere". this code once
executed scans the address space of the vulnerable process for a certain pattern.
once found it jumps into it.

scans address space...erm...segfaults?
"""""""""""""""""""""""""""""""""""""""
no segfaults here (i hope). while looking for a way to avoid segfaults i was browsing
through the linux syscall list and found syscall #13 (chdir) which only takes a ptr
to the pathname. after playing around with it i noticed that it returns 0xfffffffe if
this ptr points to a valid (mapped) address and 0xfffffff2 for an invalid address.
this fact is used in the code to avoid accessing unmapped memory causing sigsegv.

how to use?
"""""""""""
make sure you scan for at least "unlikely" patterns ;) if you modify the pattern make
sure it is 0xPATTERN-1 because if 0xPATTERN exists as is in memory you could find
_this_ scanner code and start an infinite loop..
if size matters you could leave out the part that sets %ebx and re-use the remaining
value from the attacked process. below is a timing of a scan starting from 0x00000000
to the data segment:

qobaiashi@cocoon:~> time find_shell
www.u-n-f.com

real 5m48.650s
user 0m25.510s
sys 5m13.100s

it should also be possible to split larger code in small pieces and have them stored
at random locations. then the code parts would look like:

shellcode_part_1
pushad
find_next_steps_pattern=0x11223344
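
The chdir() probe that both the DETAILS section and the tool's own notes above rely on, as an added example that is not part of the advisory or of find_shell: it names the two raw return values the notes quote (they are -ENOENT and -EFAULT), and runs the probe on a readable page that holds no NUL terminator and on a mapped but unreadable page. The directory name and the page sizes are constructed; Linux is assumed.

```c
/* Added example, not the advisory's or find_shell's code: what the
 * chdir(2) probe actually measures. The raw values quoted in the notes
 * are negated errno codes: 0xfffffffe == -ENOENT (kernel could read the
 * string, no such directory) and 0xfffffff2 == -EFAULT (kernel could not
 * read from that address). Linux only; all inputs below are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* 1 if the kernel could copy a pathname from p, 0 if the copy faulted.
 * Any failure other than EFAULT (ENOENT, ENOTDIR, or ENAMETOOLONG when no
 * NUL appears within PATH_MAX) still proves the memory is readable.
 * Success means p spelled an existing directory and the cwd changed. */
int is_readable(const void *p)
{
    errno = 0;
    if (chdir((const char *)p) == 0)
        return 1;
    return errno != EFAULT;
}

/* Map one constructed two-page region with the given protection, probe
 * it, unmap it. PROT_READ|PROT_WRITE filled with 'A' and no NUL: the copy
 * stops at PATH_MAX with ENAMETOOLONG, so it still counts as readable.
 * PROT_NONE: the VMA exists but the copy faults, so chdir() reports
 * EFAULT instead of the process taking SIGSEGV. Returns -1 if mmap fails. */
int probe_page(int prot)
{
    size_t len = 2 * 4096;
    char *page = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    if (prot & PROT_WRITE)
        memset(page, 'A', len);
    int r = is_readable(page);
    munmap(page, len);
    return r;
}

int main(void)
{
    const char stack_str[] = "constructed-dir-that-does-not-exist";
    printf("stack string:   %d\n", is_readable(stack_str));           /* 1 */
    printf("NUL-free page:  %d\n", probe_page(PROT_READ | PROT_WRITE)); /* 1 */
    printf("PROT_NONE page: %d\n", probe_page(PROT_NONE));             /* 0 */
    return 0;
}
```

Each probe costs one system call, which is why the scan timed above spent over five minutes in sys time; a process issuing a long burst of chdir() calls that fail with EFAULT is correspondingly easy to spot with strace, auditd or a seccomp log.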

