Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] How to decrypt shell code of an exploit?
Hello Frank,
I think it's not necessary to decode the Assembler-commands, because they do
exactly what the name "shellcode" means: Starting a (root-) shell.
So the buffer consists of two Linux system calls:
(1) execve(/bin/bash) to start the shell
(2) exit(0) just in case execve returns with an error

So with that source code you found, you can only say which program was used to
break into your friend's box, e.g. which service had the security hole.
To find out what your hacker did after the break-in, you could probably start
reading root's cmdline-history /root/.bash_history or /root/.sh-history.

For further information on buffer overflows read phrack magazine, issue 49
(www.phrack.com), "Smashing the stack for fun and profit".

Greetz,
Soeren.


> Hi list,
>
> the box of a friend was hacked: /bin/ps /bin/login /bin/ls were
> replaced / trojaned. The original files were placed in /bin/bincp
> (which is not shown by ls, but cd into that dir works fine)
>
> Luckily I found some source within a log of
> another machine. Comments show that there is an
>
> unsigned char shellcode[] =
>
> with some rows of "\x ...\x" numbers. I assume that there is the
> coding of a shell command. Unfortunately I do not know how to "read"
> the command. Translating the hex numbers into decimal and using an
> ASCII table does not give a useful result. Any idea?
> Tips on how to detect which root kit was used are welcome, too.
>
> TIA
> Frank
>
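One way to get from the "\x...\x" rows to something readable, as an added example that is not part of the original thread: a small Python script that pulls the byte string out of a C source file, then looks for printable strings (the path of the program being started) and for the i386 `int 0x80` opcode that marks a Linux system call, which is what the execve/exit description above refers to. The input is a constructed, deliberately non-working sample, not the source Frank found; the `shellcode[]` name is the one from his post.

```python
import re
import string

# Constructed sample in the style the post describes. It is NOT the source
# Frank found and is not a working exploit: just the "/bin/sh" string, a NUL,
# and the i386 exit(1) system call (mov al,1; int 0x80).
SAMPLE_SOURCE = r'''
/* constructed sample */
unsigned char shellcode[] =
    "\x2f\x62\x69\x6e\x2f\x73\x68\x00"
    "\xb0\x01\xcd\x80";
'''

HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def extract_shellcode(src):
    """Return the bytes of the shellcode[] initialiser as a bytes object."""
    start = src.find("shellcode[]")
    if start < 0:
        raise ValueError("no shellcode[] array in source")
    end = src.find(";", start)
    body = src[start:end if end >= 0 else len(src)]
    hex_pairs = "".join(HEX_LITERAL.findall(body)).replace("\\x", "")
    return bytes.fromhex(hex_pairs)

def find_strings(buf, minlen=4):
    """(offset, text) for runs of printable ASCII, e.g. the exec'd path."""
    out, run, run_start = [], [], 0
    for off, b in enumerate(buf + b"\x00"):   # trailing NUL flushes last run
        ch = chr(b)
        if ch in PRINTABLE:
            if not run:
                run_start = off
            run.append(ch)
        else:
            if len(run) >= minlen:
                out.append((run_start, "".join(run)))
            run = []
    return out

def find_int80(buf):
    """Offsets of the i386 'int 0x80' opcode (0xcd 0x80): Linux system calls."""
    offs, i = [], buf.find(b"\xcd\x80")
    while i >= 0:
        offs.append(i)
        i = buf.find(b"\xcd\x80", i + 1)
    return offs

if __name__ == "__main__":
    code = extract_shellcode(SAMPLE_SOURCE)
    print(len(code), "bytes:", code.hex())
    print("strings:", find_strings(code))
    print("int 0x80 at offsets:", find_int80(code))
```

The string scan usually answers "which shell does it start" on its own; for the full instruction sequence, feed the extracted bytes to a disassembler such as objdump.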
