Linux Shellcoding (Part 1.0)

AgentSniff · May 12, 2016, 11:17pm

i’ve tried to start the shell this way to, and works perfectly

but calling it from the stack is the point…

AgentSniff · May 12, 2016, 11:24pm

I agree, i don’t know why it does not work

Disassembly of section .text:

0000000000400080 <_start>:
400080: 48 31 c0 xor %rax,%rax
400083: 50 push %rax
400084: 68 2f 2f 73 68 pushq $0x68732f2f
400089: 68 2f 62 69 6e pushq $0x6e69622f
40008e: 48 89 e7 mov %rsp,%rdi
400091: 48 89 c6 mov %rax,%rsi
400094: 48 89 c2 mov %rax,%rdx
400097: b8 3b 00 00 00 mov $0x3b,%eax
40009c: 0f 05 syscall
40009e: b8 3c 00 00 00 mov $0x3c,%eax
4000a3: bf 00 00 00 00 mov $0x0,%edi
4000a8: 0f 05 syscall

IoTh1nkN0t · May 12, 2016, 11:45pm

Like I said, I didn’t test either of them.
I quite frankly have no clue as to why it doesnt work, I would have to see a hexdump with ascii on the side.
I personally think the 2nd program is way better, because it loads the string in the RBX register. This shows the potential of x64 shellcoding.

IoTh1nkN0t · May 12, 2016, 11:48pm

Woah this one is pretty, msg is on the stack right?
then pop/lea it in rdi?
also the add al, 0x3b was cool

AgentSniff · May 12, 2016, 11:53pm

The second one works fine!

sorry for the trouble!

IoTh1nkN0t · May 13, 2016, 12:01am

Woah no trouble at all
I’ve just checked it and there seems to go something wrong with the string /bin//sh
It seems a delimiter get’s added between the pushes. (Trying to figure out why).
Another method is using a short jump.

global _start
_start:
jmp short stuff

return:
pop rdi
xor rax, rax
(rest of the shellcode)

stuff:
db '/bin/sh',0
call return

AgentSniff · May 13, 2016, 12:12am

interesting, when you declare the ‘/bin/sh’,0 with no name, the program automatically pushes the string into the stack?

short jump is for relative jump right?

dtm · May 13, 2016, 3:47am

These two should be the other way around like so:

stuff:
call return
db '/bin/sh', 0

This pushes the string onto the stack because whenever a call is used, the address of the next instruction within db '/bin/sh', 0 gets pushed as the return value.

0x00pf · May 13, 2016, 5:08am

It is in the text segment and the address is read directly from the beginning of the text segment. A pop will not work. I wrote to try the RIP-relative addressing mode on the x64… as a shellcode it needs tweak… It has a null at the beginning

0x00pf · May 13, 2016, 5:21pm

Thanks for checking… Yep, I understood the point. It was just another example

IoTh1nkN0t · May 13, 2016, 7:17pm

Ooh yes, that’s what I meant

pry0cc · August 2, 2016, 11:42am

Does it still make you head hurt?

Fust3rCluck · August 6, 2016, 11:04pm

This was awesome, nice job!

EnergyWolf · August 7, 2016, 3:50pm

Thanks @unh0lys0da for the tutorial, found it nice and clear.
Just wanted to say for anyone on a 64bit system(which is surely most of us by now?) you can still compile and link everything as 32 bit like so:
nasm -f elf -o shell.o shell.asm << no change here
ld -m elf_i386 -o shell shell.o << use mode elf_i386
So you can follow along with the tut as it is for simplicity.

SynFl00der · May 21, 2017, 7:02am

Thanks for the tutorial.

n0tnu11 · May 22, 2017, 2:02pm

The quality of tutorials on this site never cease to amaze me.
Awesome work @IoTh1nkN0t!

IoTh1nkN0t · January 21, 2018, 12:43am

This topic was automatically closed after 30 days. New replies are no longer allowed.