## Shellcode

* [linux syscalls](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) are used to craft the shellcode in assembly language
* [asmtutor.com](https://asmtutor.com) can be used to check the assembly

## Writing Shellcode

* Executing the shellcode relies on the syscalls of the system, since there is no library code to call into
* A 32 bit version looks like this

```assembly
SECTION .data
msg db 'Hello World!', 0Ah      ; 12 characters plus newline = 13 bytes

SECTION .text
global _start

_start:
    mov edx, 13                 ; length of msg
    mov ecx, msg                ; pointer to msg (an absolute address in .data)
    mov ebx, 1                  ; fd 1 = stdout
    mov eax, 4                  ; SYS_write
    int 80h

    mov ebx, 0                  ; return 0 status on exit - 'No Errors'
    mov eax, 1                  ; invoke SYS_EXIT (kernel opcode 1)
    int 80h

; note: because msg lives in .data, the .text bytes alone are not position-independent
; and will not work once extracted; the 64 bit version below keeps the string inside
; .text and finds its address with the jmp / call / pop pattern
```

* A 64 bit version looks like this

```assembly
global _start

section .text
_start:
    jmp MESSAGE                 ; jump forward so that the CALL below pushes the string's address

OUTPUT:
    mov rax, 0x1                ; SYS_write
    mov rdi, 0x1                ; fd 1 = stdout
    pop rsi                     ; return address pushed by CALL = address of the string
    mov rdx, 0xf                ; 13 characters plus CR LF = 15 bytes
    syscall

    mov rax, 0x3c               ; SYS_exit
    mov rdi, 0x0                ; exit status 0
    syscall

MESSAGE:
    call OUTPUT                 ; pushes the address of the bytes that follow it
    db "Hello, world!", 0dh, 0ah
```

## Compilation

* Compile and link 32 bit

```sh
nasm -f elf helloworld.asm
ld -m elf_i386 helloworld.o -o helloworld
```

* Compile and link 64 bit

```sh
nasm -f elf64 helloworld.asm
ld helloworld.o -o helloworld
```

## Dump the binary

* Dump the binary with `objdump -d helloworld` and take a look at the text section
* Dump the text section into a file via

```sh
objcopy -j .text -O binary helloworld helloworld.text
```

## Format the Shellcode

* Format and test the code by dumping it into a C file (the `echo` line appends a `main()` that calls the byte array through a function pointer)

```sh
xxd -i helloworld.text > helloworld.c
sed -i '1s/^/#include<stdio.h>\n\n/' helloworld.c
echo -e "\nint main(void) {\n\t(*(void(*)())helloworld_text)();\n\treturn 0;\n}" >> helloworld.c
```

* Compile the C file with an executable stack

```sh
gcc -z execstack -g -o helloworld helloworld.c
```

* On x86-64 Linux kernels 5.8 and newer an executable stack no longer makes the `.data` array executable as well, so if the call segfaults, copy the bytes into a region mapped with `PROT_EXEC` via `mmap` (or `mprotect` the array's page) before calling them
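The objcopy and xxd/sed/echo steps above combined into one script, as an added example that is not code from the original page: it walks the ELF64 section header table to pull out `.text` the way `objcopy -j .text -O binary` does, then emits the same C test file, `main()` wrapper included. The function names and the constructed sample ELF are this example's own.

```python
import struct

def extract_text_section(elf: bytes, name: bytes = b".text") -> bytes:
    """Return the raw bytes of one section of a little-endian ELF64 image (what objcopy -j does)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:          # e_ident[EI_CLASS] must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_shoff = struct.unpack_from("<Q", elf, 0x28)[0]    # offset of the section header table
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    headers = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
               for i in range(e_shnum)]                 # Elf64_Shdr fields, in declaration order
    strtab_off = headers[e_shstrndx][4]                 # sh_offset of .shstrtab
    for sh_name, _type, _flags, _addr, sh_offset, sh_size, *_ in headers:
        end = elf.index(b"\0", strtab_off + sh_name)    # sh_name is an index into .shstrtab
        if elf[strtab_off + sh_name:end] == name:
            return elf[sh_offset:sh_offset + sh_size]
    raise KeyError(f"section {name!r} not found")

def to_c_harness(code: bytes, symbol: str = "helloworld_text") -> str:
    """Emit the C test file the xxd -i / sed / echo pipeline builds: the byte array,
    its length, and a main() that calls the bytes through a function pointer."""
    body = ", ".join(f"0x{b:02x}" for b in code)
    return ("#include <stdio.h>\n\n"
            f"unsigned char {symbol}[] = {{ {body} }};\n"
            f"unsigned int {symbol}_len = {len(code)};\n\n"
            "int main(void) {\n"
            f"\t(*(void(*)()){symbol})();\n"
            "\treturn 0;\n}\n")

def build_minimal_elf64(text: bytes) -> bytes:
    """Constructed sample input: an ELF64 header plus .text and .shstrtab with their
    section headers. Enough to exercise the parser; it is not a loadable program."""
    shstrtab = b"\0.text\0.shstrtab\0"
    text_off = 64                                       # .text sits right after the ELF header
    strtab_off = text_off + len(text)
    shoff = strtab_off + len(shstrtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return (ehdr + text + shstrtab
            + shdr(0, 0, 0, 0)                          # index 0: SHN_UNDEF
            + shdr(1, 1, text_off, len(text))           # .text, SHT_PROGBITS
            + shdr(7, 3, strtab_off, len(shstrtab)))    # .shstrtab, SHT_STRTAB

# Constructed sample: hand-assembled mov rax,0x3c ; mov rdi,0 ; syscall (the exit(0) tail)
SAMPLE_TEXT = bytes.fromhex("48c7c03c00000048c7c7000000000f05")

if __name__ == "__main__":
    print(to_c_harness(extract_text_section(build_minimal_elf64(SAMPLE_TEXT))))
```

Pointing `extract_text_section` at a real `helloworld` binary produced by the `ld` step gives the same bytes as `helloworld.text`.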