[Linux\x86] Shellcode writing example [simple]
  • Sh3llc0d3
    Posts: 1,910
    I'm going to show one technique I learned for writing basic shellcode. In this example I will be writing shellcode for x86 (if you don't know what that is then it's your first sign you will struggle with shellcode) processors running *nix OSs. Don't just copy what I've written here... create your own ASM code and play about with it. Also, when learning ASM, if you're a beginner it is VERY important to find a syntax that you are comfortable in. If you're comfy in MASM or Intel then do the same in Windows, although this tutorial will not help you. Don't be put off learning ASM in Windows if you prefer. I prefer coding in Linux, so GNU ASM was a natural choice and I enjoy it.

    This shellcode will basically exit the program... simple but demonstrates the method of creating shellcode.

    First we create our ASM program that does nothing else but exit.

    # exit.s
    # Sh3llc0d3 - exit shellcode tutorial
    .section .text
    .globl _start
    _start:
    movl $0, %ebx      # ebx = exit status (0)
    movl $1, %eax      # eax = 1, the sys_exit number on 32-bit Linux
    int $0x80          # enter the kernel via the legacy syscall gate


    The above is said code I wrote in GNU ASM. You can use Intel syntax, NASM, MASM or any other syntax. This only works with Linux systems due to the syntax I've used.

    We then assemble and link the file:

    as exit.s -o exit.o


    ld exit.o -o exit



    We then run the program, "./exit" and the program will immediately exit. We use objdump to get the relevant machine code we need to create the shellcode.

    objdump -d exit


    Output:
    Disassembly of section .text:

    08048054 <_start>:
    8048054: bb 00 00 00 00 mov $0x0,%ebx
    8048059: b8 01 00 00 00 mov $0x1,%eax
    804805e: cd 80 int $0x80


    We incorporate the machine code (centre column above) into a C program to produce and check our shellcode. Of course, remember to prefix each byte with \x.

    // exit_shellcode.c
    // The machine code from objdump, each byte written as a \x escape.
    // Note the embedded 0x00 bytes: harmless here because we jump straight
    // to the buffer, but they would truncate the payload if it were delivered
    // through a strcpy()-style copy.
    char shellcode[] = "\xbb\x00\x00\x00\x00"   // mov $0x0,%ebx
                       "\xb8\x01\x00\x00\x00"   // mov $0x1,%eax
                       "\xcd\x80";              // int $0x80

    int main()
    {
        int *ret;
        // Point ret two words past its own stack slot, i.e. at main's saved
        // return address, and overwrite it with the address of shellcode[].
        // This relies on a 32-bit build with that frame layout, no stack
        // protector, and executable data (on a modern toolchain:
        // gcc -m32 -fno-stack-protector -z execstack).
        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
    }


    Compile:

    gcc -o exit_shellcode exit_shellcode.c



    We then trace the progression through the program and we see that the program exits using the exit syscall. To view this use:

    strace ./exit_shellcode



    At the bottom of your output you will see exit(0) = ? or exit_group(0) = ?

    Congrats you've made your first piece of shellcode :)
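The step above that matters most in practice is copying the centre column of objdump into \x escapes, and the check a practitioner wants at that point is whether the bytes contain 0x00. The example below is added here and is not code from the original post: it parses `objdump -d` text into raw bytes, prints them as a C string literal, and counts NUL bytes. Both sample dumps are constructed inline: the first reproduces the objdump output shown in the post, the second is my own NUL-free rewrite of the same exit() (xor %ebx,%ebx; xor %eax,%eax; inc %eax; int $0x80), which is one reason to prefer xor/inc over movl with immediates when the payload has to survive a string copy.

```c
/* sc_extract.c: pull the byte column out of `objdump -d` output, print it as a
 * C string literal and count NUL bytes. Added example for this thread, not
 * code from the original post. Both sample dumps are constructed: the first
 * is the objdump output shown above, the second is the same exit() rewritten
 * NUL-free (xor %ebx,%ebx; xor %eax,%eax; inc %eax; int $0x80). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char exit_dump[] =
    "Disassembly of section .text:\n"
    "\n"
    "08048054 <_start>:\n"
    " 8048054: bb 00 00 00 00 mov $0x0,%ebx\n"
    " 8048059: b8 01 00 00 00 mov $0x1,%eax\n"
    " 804805e: cd 80 int $0x80\n";

static const char exit_nonul_dump[] =
    "08048054 <_start>:\n"
    " 8048054: 31 db xor %ebx,%ebx\n"
    " 8048056: 31 c0 xor %eax,%eax\n"
    " 8048058: 40 inc %eax\n"
    " 8048059: cd 80 int $0x80\n";

/* Parse the hex-byte column of objdump -d lines into out[]. A code line is
 * "addr: xx xx .. mnemonic operands"; a byte token is exactly two hex digits
 * followed by whitespace or end of line, so mnemonics like "add" or "dec"
 * stop the scan. Header lines ("08048054 <_start>:") have nothing after the
 * colon and add no bytes. Returns the byte count, or -1 if out[] is too small. */
int parse_objdump(const char *dump, unsigned char *out, size_t cap)
{
    size_t n = 0;
    const char *line = dump;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *stop = nl ? nl : line + strlen(line);
        const char *p = memchr(line, ':', (size_t)(stop - line));
        if (p) {
            for (p++; ; p += 2) {
                while (p < stop && isspace((unsigned char)*p))
                    p++;
                if (stop - p < 2 || !isxdigit((unsigned char)p[0]) ||
                    !isxdigit((unsigned char)p[1]) ||
                    (stop - p > 2 && !isspace((unsigned char)p[2])))
                    break;
                if (n >= cap)
                    return -1;
                char tok[3] = { p[0], p[1], '\0' };
                out[n++] = (unsigned char)strtoul(tok, NULL, 16);
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return (int)n;
}

/* NUL bytes matter once the shellcode is delivered through a string copy
 * (strcpy/gets stop at the first 0x00). The harness in the post jumps to the
 * buffer directly, which is why the exit shellcode still works there. */
int count_nuls(const unsigned char *sc, size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        c += (sc[i] == 0);
    return c;
}

/* Render sc[] as a C string literal "\xbb\x00...". Returns its length or -1. */
int to_c_string(const unsigned char *sc, size_t n, char *buf, size_t cap)
{
    if (cap < n * 4 + 3)               /* \xHH per byte, two quotes, NUL */
        return -1;
    size_t used = 0;
    buf[used++] = '"';
    for (size_t i = 0; i < n; i++)
        used += (size_t)sprintf(buf + used, "\\x%02x", sc[i]);
    buf[used++] = '"';
    buf[used] = '\0';
    return (int)used;
}

/* Whole-dump wrappers: NUL count, and the literal in a static buffer. */
int dump_nuls(const char *dump)
{
    unsigned char sc[256];
    int n = parse_objdump(dump, sc, sizeof sc);
    return n < 0 ? -1 : count_nuls(sc, (size_t)n);
}

const char *dump_literal(const char *dump)
{
    static char lit[4 * 256 + 3];
    unsigned char sc[256];
    int n = parse_objdump(dump, sc, sizeof sc);
    return (n < 0 || to_c_string(sc, (size_t)n, lit, sizeof lit) < 0) ? NULL : lit;
}

int main(void)
{
    const char *dumps[] = { exit_dump, exit_nonul_dump };
    for (int i = 0; i < 2; i++)
        printf("char shellcode[] = %s; /* %d NUL bytes */\n",
               dump_literal(dumps[i]), dump_nuls(dumps[i]));
    return 0;
}
```

Feed it `objdump -d exit` output (piped into a file and pasted, or read with fgets in a loop) and it prints the same `char shellcode[] = "..."` line the post builds by hand; the post's version reports 7 NUL bytes out of 12, the xor/inc version 0 out of 7. The tokenizer is a heuristic on objdump's layout, so check its result against the listing when instructions are long enough for objdump to wrap the byte column onto a second line.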
  • chroniccommand
    Posts: 1,389
    Pretty nice guide, this is how I wrote my /bin/dash shellcode. Also it's great to learn the system calls.
    http://bluemaster.iu.hio.no/edu/dark/li ... calls.html

    execve is a good system call for executing commands.
  • Sh3llc0d3
    Posts: 1,910
    chroniccommand said:

        Pretty nice guide, this is how I wrote my /bin/dash shellcode. Also it's great to learn the system calls.
        http://bluemaster.iu.hio.no/edu/dark/li ... calls.html

        execve is a good system call for executing commands.

    Yeah I learned the syscalls I use most when I started learning ASM. Here's the info I used for anyone who needs/wants it:
    http://asm.sourceforge.net/syscall.html
  • Bursihido
    Posts: 406
    Great guide semetex :)
  • Sh3llc0d3
    Posts: 1,910
    Thanks Bursihido, I will eventually get time to switch my IRC nick too ;)
  • Xin
    Posts: 3,251
    Really nice guide Semt... *sh3llc0d3 lol :p
    Xin
  • Sh3llc0d3
    Posts: 1,910
    Lol thanks xin, glad you like it, short n simple example :) I'll write a more detailed/advanced one at some point.
  • Xin
    Posts: 3,251
    Sh3llc0d3 said:

        Lol thanks xin, glad you like it, short n simple example :) I'll write a more detailed/advanced one at some point.

    Is there much variation in Linux/64, may I ask?
    Xin
  • Sh3llc0d3
    Posts: 1,910
    To be honest, mate, I've not looked. I've seen x86_64 ASM and sometimes the code can differ greatly side by side.
  • McKittrick
    Posts: 194
    Have you done any inline assembly yet? (where you merge ASM into code like C, for example)
  • Sh3llc0d3
    Posts: 1,910
    Very little; I've only done so while learning BOFs, theory etc. When I've done a bit more ASM I'm going back to learning C++ and integrating the two. Why?
  • McKittrick
    Posts: 194
    Because there are few people out there I know who do it. Not many people even dabble with ASM these days (especially since you can now copy/paste an already-made shellcode payload and fire away).
  • Sh3llc0d3
    Posts: 1,910
    Yeah, this is why I wanted to learn. I'm not against Metasploit, it's quicker, but I want the ability to do it 'on the fly' myself. It annoys me when I have to/choose to use a pre-made snippet of code to do anything I can't do myself; personally it makes me want to learn more.