Jun 10, 2018
So you may ask yourself, like I did, what is shellcode? And the deeper you dig, the more questions you will ask yourself; well, that's how it went with me. I am not a shellcode guru, but I would like to share my knowledge; when I write or teach about something, I understand it (I think) better. This is not a giant introduction explaining everything, it's more about a journey of digging into shellcode. To answer the first question, shellcode is nothing more than a bunch of binary code like this:
\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05
But what is shellcode really? And what the hell does the above code do?! I'll answer the second question directly: it spawns a shell on a Linux 64-bit system. Now we get a hint, so shellcode is operating system and CPU architecture bound? Yup, that's right, shellcode is operating system and CPU architecture specific. Now what is the code above? The code is binary, represented here as hexadecimal numbers. I didn't get it at first; at first I was like: "this is hex, I just parse this with a hex parser", but these are raw bytes, and many of them have no printable ASCII representation. But what is shellcode now really? Shellcode is binary data that can be read directly by a CPU. In fact it's 0s and 1s, and a CPU, when you feed it this data, can read it and execute whatever it says. I don't believe you, show me the code!
Ok here it is:
#include <stdio.h>

char *code = "\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";

int main () {
    int (*ret)() = (int(*)()) code;
    ret();
    return 0;
}
Compile it with gcc and run it:
$ gcc shell.c -o shell
$ ./shell
You will need to execute it on a 64-bit Linux system. If executed you will see it spawned /bin/sh. On a system where the string literal ends up in memory that is not marked executable, the call faults with a segmentation fault instead; that no-execute protection on data pages is exactly what raw shellcode like this runs into on modern machines.
So how this line int (...); really works I don't know 100%. What I do know is that it takes a pointer to the character array "code", which has been put in memory, and I want to say "execute" here, but that line does not execute the shellcode; it casts the address of the bytes to a function pointer, so that the call on the next line jumps there and the CPU starts decoding those bytes as instructions. Can you explain it even vaguer? Sorry, maybe an explanation in the next post :). But now we go deeper into the shellcode. Let's analyze that bunch of binary and try to see if there is something readable; the printable ASCII range goes from 21 to 7E hex, or 33 to 126 decimal, see man ascii:
#include <stdio.h>
#include <string.h>

char *code = "\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";

int main () {
    /* strlen works here because this shellcode contains no 0x00 byte */
    for (size_t i = 0; i < strlen(code); i++) {
        /* cast to unsigned so bytes >= 0x80 do not become negative,
           then keep only the printable ASCII range 0x21..0x7E */
        unsigned char c = (unsigned char) code[i];
        if (c >= 0x21 && c <= 0x7e) {
            printf("%c", c);
        }
    }
    printf("\n");
    return 0;
}
The output of the previous is:
RH/bin//shSH<$;
So we see something like "/bin//sh"; well, interesting, but this is not the right way to go. A better approach is to look at the assembly code, which is how I wrote the shellcode in the first place.
Disassembly of section .text:
0000000000400080 <_start>:
400080: f7 e6 mul esi
400082: 52 push rdx
400083: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
40008a: 2f 73 68
40008d: 53 push rbx
40008e: 48 8d 3c 24 lea rdi,[rsp]
400092: b0 3b mov al,0x3b
400094: 0f 05 syscall
What the shit is "0x68732f2f6e69622f"?? Yeah, my first reaction too. It is actually super straightforward; remember "/bin//sh" from 10 seconds ago? Well, that is it:
Let's take a look at this piece:
\xf7\xe6\x52\x48\xbb [\x2f\x62\x69\x6e\x2f\x2f\x73\x68] \x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05
\x2f \x62 \x69 \x6e \x2f \x2f \x73 \x68
Now there is something called little endian, which I always forget about: within each 8-byte (64-bit) value the CPU stores the least significant byte first, so to read the immediate as a number you reverse the 8 bytes:
\x68 \x73 \x2f \x2f \x6e \x69 \x62 \x2f
0x68732f2f6e69622f
hs//nib/
which if we reverse is /bin//sh
But why /bin//sh and not /bin/sh? The most simple explanation: otherwise it won't work, you need the 2 "/" in the middle. The reason is length: "/bin//sh" is exactly 8 bytes, so it fills the 64-bit rbx register completely without needing a 0x00 byte in the shellcode, and the kernel treats "//" in a path the same as "/". There is another magic code in the assembly, "0x3b", which is hex for 59, which is the Linux system call number for execve on x86-64; see https://filippo.io/linux-syscall-table/ for a complete list of syscall numbers.
Better commented assembly code:
Disassembly of section .text:
0000000000400080 <_start>:
  400080: f7 e6                   mul esi                          ; edx:eax = eax * esi; Linux starts a fresh process with all general-purpose registers at 0, so this zeroes rdx (envp) and keeps rax 0
  400082: 52                      push rdx                         ; push eight 0x00 bytes: these terminate the string pushed next
  400083: 48 bb 2f 62 69 6e 2f    movabs rbx,0x68732f2f6e69622f    ; "/bin//sh" as a little-endian 64-bit value
  40008a: 2f 73 68
  40008d: 53                      push rbx                         ; push the string "/bin//sh" to the stack, directly below the zero bytes
                                                                   ; load the stack pointer, which now points to the NUL-terminated "/bin//sh", into rdi (first argument of execve)
  40008e: 48 8d 3c 24             lea rdi,[rsp]
                                                                   ; load 59 (0x3b), the execve system call number, into al; the kernel reads the number from rax
  400092: b0 3b                   mov al,0x3b
                                                                   ; perform the system call selected by rax: execve(rdi = "/bin//sh", rsi = argv, rdx = envp); rsi is never set and relies on still being 0 from process start
  400094: 0f 05                   syscall
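To make the little-endian decoding and the push/push/lea sequence above concrete, here is an added example in C, written for this article and not part of the original post or its shellcode. It takes the 22 bytes from the post, assembles the movabs immediate least-significant-byte first, pulls the syscall number out of the mov al instruction, and then replays the two pushes on a fake 32-byte stack to show that the pointer execve would receive points at a NUL-terminated "/bin//sh". The scan for the 48 bb and b0 opcode bytes is a shortcut tailored to this one shellcode, not a disassembler, and the fake stack is a plain array: nothing here is executed as code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 22 shellcode bytes from the post, stored unsigned so that bytes
 * >= 0x80 (0xf7, 0xe6, 0xbb, 0x8d, 0xb0) never turn negative. */
static const unsigned char shellcode[] = {
    0xf7, 0xe6, 0x52, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f,
    0x73, 0x68, 0x53, 0x48, 0x8d, 0x3c, 0x24, 0xb0, 0x3b, 0x0f, 0x05
};

/* Assemble 8 bytes into a 64-bit value the way an x86-64 CPU reads an
 * immediate: the first byte in memory is the least significant one.
 * Shifts instead of memcpy keep the result the same on any host. */
uint64_t le64_from_bytes(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Write a 64-bit value to memory least-significant byte first, which is
 * what 'push rbx' does with the register contents. */
void le64_to_bytes(uint64_t v, unsigned char *out) {
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Pull the two constants discussed in the post out of the byte string:
 * the 'movabs rbx, imm64' immediate (encoded 48 bb + 8 bytes) and the
 * 'mov al, imm8' value (encoded b0 + 1 byte). This is a pattern scan
 * tailored to this shellcode, not a disassembler. Returns 1 on success. */
int extract_constants(const unsigned char *code, size_t len,
                      uint64_t *imm64, unsigned *syscall_nr) {
    int have_imm = 0, have_nr = 0;
    for (size_t i = 0; i < len; i++) {
        if (!have_imm && i + 10 <= len && code[i] == 0x48 && code[i + 1] == 0xbb) {
            *imm64 = le64_from_bytes(code + i + 2);
            have_imm = 1;
            i += 9;                       /* skip the 8 immediate bytes */
        } else if (!have_nr && i + 2 <= len && code[i] == 0xb0) {
            *syscall_nr = code[i + 1];
            have_nr = 1;
            i += 1;
        }
    }
    return have_imm && have_nr;
}

/* Replay 'push rdx' (rdx == 0) and 'push rbx' on a fake stack that grows
 * downward, then return what 'lea rdi,[rsp]' would load: a pointer to the
 * 8 string bytes followed by the 8 zero bytes that terminate them. */
const char *simulate_pushes(unsigned char *stack, size_t size, uint64_t rbx) {
    unsigned char *rsp = stack + size;    /* empty stack: rsp at the top */
    rsp -= 8; le64_to_bytes(0, rsp);      /* push rdx: eight 0x00 bytes */
    rsp -= 8; le64_to_bytes(rbx, rsp);    /* push rbx: "/bin//sh" */
    return (const char *)rsp;             /* lea rdi,[rsp] */
}

/* Convenience wrappers over the post's shellcode. */
uint64_t shellcode_imm64(void) {
    uint64_t imm = 0; unsigned nr = 0;
    return extract_constants(shellcode, sizeof shellcode, &imm, &nr) ? imm : 0;
}
unsigned shellcode_syscall_nr(void) {
    uint64_t imm = 0; unsigned nr = 0;
    return extract_constants(shellcode, sizeof shellcode, &imm, &nr) ? nr : 0;
}
int shellcode_path_is(const char *expected) {
    unsigned char stack[32];
    const char *path = simulate_pushes(stack, sizeof stack, shellcode_imm64());
    return strcmp(path, expected) == 0;
}

int main(void) {
    uint64_t imm = shellcode_imm64();
    unsigned char stack[32];
    const char *path = simulate_pushes(stack, sizeof stack, imm);
    printf("movabs immediate : 0x%016llx\n", (unsigned long long)imm);
    printf("string at rsp    : \"%s\" (%zu bytes, then NUL)\n", path, strlen(path));
    printf("mov al, 0x%02x      : execve is syscall %u on x86-64\n",
           shellcode_syscall_nr(), shellcode_syscall_nr());
    return 0;
}
```

Because the string is read back from the fake stack with ordinary C string functions, the example also shows why the preceding push rdx matters: without those zero bytes the 8 characters would run straight into whatever happened to be above them on the stack.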
Probably some people will ask: "But how can I hack with this?". Well there are 2 ways that I know of:
The first is inserting it. I am not going to explain this in depth, there is enough on the internet about it. The way it goes is: a program has an ordered sequence of instructions, and when an instruction ends, the CPU moves on to the next one. At a certain point you insert shellcode into the program, trying to place it so that when the CPU moves on to the next instruction it executes your shellcode instead. This is possible when you can overflow a buffer so that the overflowing part spills into the part of memory the CPU uses to decide which instruction comes next. Your shellcode is part of the overflowing data, and with some tweaking it is preceded by a NOP sled: a run of do-nothing instructions placed in front of the shellcode so that execution landing anywhere in that run slides down to the shellcode itself.