Writing Shellcodes in Linux

(Traditional format)

Fri Sep 3 12:45:35 2004 Writing Shellcodes in Linux
Posted by Amitesh Singh
Search Keys: security

Introduction
------------

Shellcoding is a skill to write your machine codes in hexadecimal form. Many people lack it. From the view of security it is very important, as hackers use it to exploit vulnerable applications. In this article, we are working on Linux using the IA-32(x86) architecture. Basic knowledge of C, ASM(AT&T style) and working with debuggers (gdb & objdump)is required.


Let's Start
-----------

Consider a simple program

######exit.c###########
int main()
{
exit(0);
}
###########EOP########

$ make exit && ./exit
cc 3.c -o 3
$ echo $?
0
$
Syntax of exit() is "void exit(int status)".The exit() function causes normal program termination and the the value of status return to the parent. Here in the above program status return to main is 0.you can check it by altering the code

int main()
{ exit(1);
}

$ make exit && ./exit
cc 3.c -o 3
$ echo $?
1
$


Writing ASM code for above program
----------------------------------

Since the operating system features are accessed through System calls. These are invoked by setting the registers in special way and issuing the instruction int $0x80.

For function<6 arguments
------------------------

EAX<<=========function(EBX,ECX,EDX,EDI,ESI)
The syscall number of function stores in EAX and arguments store in EBX,ECX & so on.
You can view Linux SYSCALLS in file 'unistd.h'. For our function exit(0),the syscall no. of exit is 1 hence EAX is to be loaded with 1 and EBX with the exit status which is 0 here.

######exit.s######
.globl main
main:

movl $0,%ebx
movl $1,%eax
int $0x80
#######EOP###########

Now compile it and disassemble it using 'gdb' or 'objdump'
$as -o exit.o exit.s && ld -o exit exit.o
$objdump -d a.out

08048314 <main>:
8048314: bb 00 00 00 00 mov $0x0,%ebx
8048319: b8 01 00 00 00 mov $0x1,%eax
804831e: cd 80 int $0x80

Too many null bytes there. Any null byte in the shellcode will be considered the end of string, hence only the first byte of the shellcode to be copied into the buffer. To get the shellcode copy into the buffer properly, all of the null bytes must be eliminated.

Using XOR we can eliminate null bytes.

A B A XOR B
0 0 0
0 1 1
1 0 1
1 1 0

hence XOR a,a gives a=0
movl $0,%ebx =====>>> xorl %ebx,%ebx
Now for second line
"movl $1,%eax"

Let first understand EAX in detail
-----------------------------------

As here we are only working with 1 byte so there is no need to use %eax. You could just use %ah or %al. %ax is the least-significant half of the %eax and further %ax is divided into 2 parts %ah(most significant byte) & %al(least significant byte).

 _______EAX________
|                  |
 __________________
|   |    | AH | AL |
|___|____|____|____|
         
         |____AX___|    
 

Loading any value into %eax will wipe out whatever value in %ah & %al (and also %ax).Similarly loading any value into either %ah or %al(also %ax) will corrupt whatever value that was formerly in %eax. Hence it's ok to use a register for either a byte or a word but never both at the same time.

movl $1,%eax =====>> movb $1,%al

Again writing ASM code

.globl main
main:

xorl %ebx,%ebx
movl %1,%al
int $0x80

Now disassembling our modified program

08048314 <main>:
8048314: 31 db xor %ebx,%ebx
8048316: b0 01 mov $0x1,%al
8048318: cd 80 int $0x80
804831a: 90 nop
804831b: 90 nop

Another way to eliminate null bytes
------------------------------------

Well we can write "movl $1,%eax" in different way by eliminating the null bytes.

movl %1,%eax =========>> movl %ebx,%eax
incl %eax
Disasssembling.......
08048314 <main>:
8048314: 31 db xor %ebx,%ebx
8048316: 89 d8 mov %ebx,%eax
8048318: 40 inc %eax
8048319: cd 80 int $0x80
804831b: 90 nop
but the size of the shellcode is larger than previous one so later one is better.
Finally it's time to write the shellcode
"\x31\xdb\xb\x01\xcd\x80"

######exit.s############
char shellcode[]="\x31\xdb\xb\x01\xcd\x80";
int main(int argc,char *argv[])
{ int *ret;

*((char**)(&ret+8))=shellcode;

}
##################EOP#############
now compiling it

$ make exit && ./exit
cc 3.c -o 3
$ echo $?
0
$

Great it works.....

Author: Amitesh Singh
amitesh4u_ism@rediffmail.com

More Articles by Amitesh Singh

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.