diff --git a/exploit/binaries/Shellcode.md b/exploit/binaries/Shellcode.md new file mode 100644 index 0000000..4a90a94 --- /dev/null +++ b/exploit/binaries/Shellcode.md @@ -0,0 +1,90 @@ +## Shellcode + +* [linux syscalls](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) Are used to craft the shellcode in assembly language +* [asmtutor.com](https://asmtutor.com) to check the assembly + +## Writing Shellcode + +* Executing the shellcode relies on syscalls of the system + +* A 32 bit version looks like this +```assembly +SECTION .data +msg db 'Hello World!', 0Ah + +SECTION .text +global _start + +_start: + + mov edx, 13 + mov ecx, msg + mov ebx, 1 + mov eax, 4 + int 80h + + mov ebx, 0 ; return 0 status on exit - 'No Errors' + mov eax, 1 ; invoke SYS_EXIT (kernel opcode 1) + int 80h +``` + +* A 64 bit version looks like this +```assembly +global _start + +section .text +_start: + jmp MESSAGE + +OUTPUT: + mov rax, 0x1 + mov rdi, 0x1 + pop rsi + + mov rdx, 0xd + syscall + + mov rax, 0x3c + mov rdi, 0x0 + syscall + +MESSAGE: + call OUTPUT + db "Hello, world!", 0dh, 0ah +``` + +## Compilation + +* Compile and link 32 bit +```sh +nasm -f elf helloworld.asm +ld -m elf_i386 helloworld.o -o helloworld +``` + +* Compile and link 64 bit +```sh +nasm -f elf64 helloworld.asm +ld helloworld.o -o helloworld +``` + +## Dump the binary + +* Dump the binary with `objdump -d helloworld` and take a look at the text section +* Dump the text section into a file via +```sh +objcopy -j .text -O binary helloworld helloworld.text +``` + +## Format the Shellcode + +* Format and test the code by dumping it into a c file +``` +xxd -i helloworld.text > helloworld.c +sed -i '1s/^/#include\n\n/' helloworld.c +echo -e "\n\t(*(void(*)())helloworld_text)();\n\treturn 0;\n}" >> helloworld.c +``` + +* Compile the c file with an exectuable stack +```sh +gcc -z execstack -g -o helloworld helloworld.c +```
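Review bot: the "Format the Shellcode" step does not produce a compilable C file. `xxd -i helloworld.text` emits only the `unsigned char helloworld_text[]` array and its length, the `sed` line prepends a bare `#include` with no header name (probably `#include <stdio.h>` with the angle brackets lost in rendering), and the `echo -e` appends `(*(void(*)())helloworld_text)();` and a closing `}` without ever opening `int main(void) {`, so gcc fails before `-z execstack` matters. Suggest the sed insert `#include <stdio.h>\n\n` and the echo begin with `\nint main(void) {\n\t` before the call. In the same section, that fence is the only one missing the `sh` tag used by every other block, and "exectuable" should be "executable". In the assembly examples, the 32 bit version keeps its string in `SECTION .data` and loads it with `mov ecx, msg`, an absolute address, so the later `objcopy -j .text` drops the message and the extracted bytes cannot run from the C array; only the 64 bit version, which places the string inline in `.text` via the `jmp MESSAGE` / `call OUTPUT` / `pop rsi` sequence, survives this pipeline, and the text should say which one the rest of the steps apply to. Also, in the 64 bit version `mov rdx, 0xd` writes 13 bytes while the inline data `db "Hello, world!", 0dh, 0ah` is 15 bytes, so the CR/LF is never printed. Finally, the gcc step writes to `-o helloworld`, overwriting the ld output of the same name that `objdump` and `objcopy` read; a distinct output name such as `helloworld_test` would avoid confusion when the steps are repeated.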