These are some notes to myself about jmp/call shellcode and how to turn the asm into a character string for exploits.
The shellcode source in GNU as (AT&T) syntax, assembled, linked and run:
$ cat sc-gas.asm
# jmp/call shellcode: write "you_win!" to stdout, then exit.
#
# The jmp/call pair exists only to obtain the run-time address of the
# string without knowing where the code was loaded: `call markb` pushes
# the address of the byte after the call -- the string -- as its return
# address, and the `pop %ecx` at markb retrieves it.  Registers are zeroed
# with xor and loaded through the 8-bit sub-registers so that the code
# bytes contain no 0x00 (compare the objdump below).
.text
.global _start
_start:
jmp marka               # forward jump over the body to the call
markb:
pop %ecx                # pop address of "you_win!" into ecx
xor %edx,%edx           # clear edx
mov $0x8, %dl           # put len of string in low order edx
xor %ebx,%ebx           # clear ebx
inc %ebx                # put fd in ebx, 1 == stdout
xor %eax,%eax           # clear eax
mov $0x4, %al           # put syscall number in low order eax, 4 == sys_write
int $0x80               # write(1, ecx, 8)
xor %eax, %eax          # clear eax
mov $0x01, %al          # put syscall number in low order eax, 1 == exit
int $0x80               # exit(ebx); ebx is still 1 from above
marka:
call markb              # call pushes the next address on the stack
.string "you_win!"      # NOTE(review): .string appends a 0x00 terminator (the "21 00" at the end of the objdump);
                        # sys_write is given an explicit length, so .ascii would do and would keep the payload NUL-free
$ as -o sc-gas.o sc-gas.asm
$ ld -o sc-gas sc-gas.o
$ ./sc-gas
you_win!$
Turning the assembly into a character string:
$ objdump -d sc-gas

sc-gas:     file format elf32-i386

Disassembly of section .text:

08048074 <_start>:
 8048074:       eb 14                   jmp    804808a <marka>

08048076 <markb>:
 8048076:       59                      pop    %ecx
 8048077:       31 d2                   xor    %edx,%edx
 8048079:       b2 08                   mov    $0x8,%dl
 804807b:       31 db                   xor    %ebx,%ebx
 804807d:       43                      inc    %ebx
 804807e:       31 c0                   xor    %eax,%eax
 8048080:       b0 04                   mov    $0x4,%al
 8048082:       cd 80                   int    $0x80
 8048084:       31 c0                   xor    %eax,%eax
 8048086:       b0 01                   mov    $0x1,%al
 8048088:       cd 80                   int    $0x80

0804808a <marka>:
 804808a:       e8 e7 ff ff ff          call   8048076 <markb>
 804808f:       79 6f                   jns    8048100
 8048091:       75 5f                   jne    80480f2
 8048093:       77 69                   ja     80480fe
 8048095:       6e                      outsb  %ds:(%esi),(%dx)
 8048096:       21 00                   and    %eax,(%eax)

/*
 * Demo harness for the shellcode above.
 *
 * shellcode[] holds the code bytes from the objdump (eb 14 ... ff ff ff)
 * followed by the string the code writes.  The jns/jne/ja/outsb/and lines
 * at the end of the listing are not instructions: they are the bytes of
 * "you_win!" plus the .string terminator being decoded as code.  The C
 * literal's own terminating NUL supplies the 0x00 that .string appended.
 *
 * NOTE(review): this is deliberately a minimal, fragile demo.  It assumes a
 * 32-bit build (int and pointer are both 4 bytes, the (int) cast below
 * would truncate a 64-bit pointer), that the saved return address sits
 * exactly two words above `ret` (no stack canary or other locals placed in
 * between), and that the section holding `shellcode` is executable.  On a
 * modern toolchain that typically needs flags along the lines of
 * -m32 -fno-stack-protector -z execstack -- confirm for your compiler.
 */
char shellcode[] =
    "\xeb\x14\x59\x31\xd2\xb2\x08\x31\xdb\x43\x31\xc0\xb0\x04\xcd\x80\x31\xc0"
    "\xb0\x01\xcd\x80\xe8\xe7\xff\xff\xffyou_win!";

int main()
{
    int *ret;

    /* A pointer occupies 4 bytes here, so (int *)&ret + 2 is 8 bytes above
     * `ret`, which for the frame layout this was written against is where
     * the saved eip lives. */
    ret = (int *)&ret + 2;

    /* Overwrite the saved eip with the address of shellcode.  The address
     * is taken at run time, so nothing is hard-coded. */
    (*ret) = (int)shellcode;

    /* On return from main the saved eip is popped from the stack, which now
     * points to shellcode, so execution continues there. */
}
$ gcc -o sc sc.c
$ ./sc
you_win!$