shellcode linux

exploit/binaries/Shellcode.md

@@ -0,0 +1,90 @@
+## Shellcode
+
+* [linux syscalls](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) Are used to craft the shellcode in assembly language
+* [asmtutor.com](https://asmtutor.com) to check the assembly
+
+## Writing Shellcode
+
+* Executing the shellcode relies on syscalls of the system
+
+* A 32 bit version looks like this
+```assembly
+SECTION .data
+msg     db      'Hello World!', 0Ah
+ 
+SECTION .text
+global  _start
+ 
+_start:
+ 
+    mov     edx, 13
+    mov     ecx, msg
+    mov     ebx, 1
+    mov     eax, 4
+    int     80h
+ 
+    mov     ebx, 0      ; return 0 status on exit - 'No Errors'
+    mov     eax, 1      ; invoke SYS_EXIT (kernel opcode 1)
+    int     80h
+```
+
+* A 64 bit version looks like this 
+```assembly
+global _start
+
+section .text
+_start:
+    jmp MESSAGE      
+
+OUTPUT:
+    mov rax, 0x1
+    mov rdi, 0x1
+    pop rsi          
+
+    mov rdx, 0xd
+    syscall
+
+    mov rax, 0x3c
+    mov rdi, 0x0
+    syscall
+
+MESSAGE:
+    call OUTPUT       
+    db "Hello, world!", 0dh, 0ah
+```
+
+## Compilation
+
+* Compile and link 32 bit
+```sh
+nasm -f elf helloworld.asm
+ld -m elf_i386 helloworld.o -o helloworld
+```
+
+* Compile and link 64 bit
+```sh
+nasm -f elf64 helloworld.asm
+ld helloworld.o -o helloworld
+```
+
+## Dump the binary
+
+* Dump the binary with `objdump -d helloworld` and take a look at the text section
+* Dump the text section into a file via
+```sh
+objcopy -j .text -O binary helloworld helloworld.text
+```
+
+## Format the Shellcode
+
+* Format and test the code by dumping it into a c file
+```
+xxd -i helloworld.text > helloworld.c
+sed -i '1s/^/#include<stdio.h>\n\n/' helloworld.c
+echo -e "\n\t(*(void(*)())helloworld_text)();\n\treturn 0;\n}" >> helloworld.c
+```
+
+* Compile the c file with an exectuable stack
+```sh
+gcc -z execstack -g -o helloworld helloworld.c
+```