Shellcoding for Linux/i386
Masood Mehmood
09/28/2004
Content
- Shellcoding?
- Why My own shellcode?
- Writing Shellcode
- Why Shellcode is in HEX?
- Removing NULL byte
- Remove NULL operands
- Executing shellcode
- Important Syscalls
- Removing Static addresses
Shellcoding
Shellcoding is the art of making a set of assembly instructions that performs a specific task. Those instructions, once they have passed a few tests, are called shellcode. Several techniques are involved in making a shellcode; learning all of them and applying them successfully to produce a shellcode is called shellcoding.
Why My own shellcode?
No one knows the nature of the victim system or its security level, and as my research tells me, an IDS is the biggest enemy of shellcode. For example, you download a shell exploit for the XYZ service, that exploit contains the string "/bin/sh", and the victim's system takes every string and converts it to upper case; will your shell exploit still work? No way. So what do you do now, apart from waiting for another shell exploit that works around this problem? That's why learning shellcoding is important. Not only can you make changes to existing shellcode, you can also study it for your own knowledge.
Writing Shellcode
Shellcoding is not that hard if you have some knowledge of assembly and C programming, so here we go. As I said earlier, shellcode consists of assembly instructions. You need C for testing, and for sketching the structure of what you will later write in assembly, in the form of a C program like this.
/*******exit.c************************/
#include <stdlib.h>
int main(void)
{
    exit(0);
}
/***********************************/
It's a simple C program and we want to turn it into shellcode. The first thing we need to know is the Linux system call number for exit(), which can be found in asm/unistd.h.
Syscalls are just like APIs in Windows: you call them with different parameters/arguments.
In the above example we need just one system call, exit(); its syscall number is 1 and its parameter is 0. They are stored in eax and ebx respectively; that is how parameters are passed to a syscall.
#exit.asm
movl $1,%eax    # syscall number: exit() is 1
movl $0,%ebx    # first argument: exit status 0
int $0x80       # enter the kernel
Wasn't that simple? Now assemble it, link it and extract the shellcode. For assembling and linking use
# as -o exit.o exit.asm && ld -o exit exit.o
# ./exit
# objdump -d exit
Extract all the hexadecimal values from the objdump listing, because they are our shellcode; each group of hexadecimal bytes represents one of our assembly instructions.
"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80"
Wait! Wait! Wait! If you remember, I said shellcode is a set of assembly instructions that has passed some tests. Those tests are: removing NULL bytes, removing NULL operands, and removing static address locations.
Why Shellcode is in HEX?
Using hexadecimal escapes we can put any byte value in the range 0-255 into a single byte of a C string, including values that have no printable character. Hexadecimal also does justice to a byte: each of the two hex digits represents one nibble.
Removing NULL byte.
In the above example we got the string "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80", but as you can see it has many null bytes. We can easily remove them by using an 8-bit register instead of the 32-bit one, so the immediate operand is one byte instead of four. (This relies on the upper 24 bits of eax and ebx already being zero, which holds in the freshly started ./exit test but is not guaranteed wherever the shellcode eventually runs.)
#exit.asm
mov $1,%al      # b0 01: one-byte immediate into the low byte of eax
mov $0,%bl      # b3 00: the operand 0 is still a NULL byte
int $0x80       # cd 80
Again, assemble it and dump it.
# as -o exit.o exit.asm && ld -o exit exit.o
# ./exit
# objdump -d exit
Now the shellcode we have is "\xb0\x01\xb3\x00\xcd\x80". Again we have a null byte, but this time it is not because of the register width; it is because of a NULL operand. How to remove it is coming next.
Removing NULL operands
The null operand in our case is in mov $0,%bl. When we want ebx to hold the value 0, this can be done with xorl %ebx,%ebx; the result is an empty %ebx (empty meaning 0), and the encoding contains no zero byte. Let's try this:
#exit.asm
mov $1,%al          # b0 01
xorl %ebx,%ebx      # 31 db: ebx xor ebx = 0, no NULL byte in the encoding
int $0x80           # cd 80
Again, assemble it and dump it.
# as -o exit.o exit.asm && ld -o exit exit.o
# ./exit
# objdump -d exit
Now that's cool. Just copy the hex values: "\xb0\x01\x31\xdb\xcd\x80". That's our shellcode.
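As an added example (not code from the original article), the following C program embeds the three versions of the exit(0) shellcode shown above and applies the NULL-byte test from the text: it counts embedded NUL bytes, shows how far a strcpy()-style copy would get before stopping at the first NUL, and prints each version in the "\xNN" form used here. The helper names are my own.

```c
#include <stdio.h>
#include <string.h>
/* The three versions of the exit(0) shellcode from the text; sizeof(x) - 1
   drops the terminating NUL that C appends to a string literal. */
static const char sc_movl[] = "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80";
static const char sc_al_bl[] = "\xb0\x01\xb3\x00\xcd\x80";
static const char sc_xorl[] = "\xb0\x01\x31\xdb\xcd\x80";
#define SC_LEN(sc) (sizeof(sc) - 1)

/* Count the embedded NUL bytes in a buffer of known length. */
size_t count_nulls(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (buf[i] == '\0');
    return n;
}

/* How many bytes a strcpy()-style copy would transfer: it stops at the
   first NUL, so an embedded NUL silently truncates the shellcode. */
size_t copied_len(const char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != '\0')
        i++;
    return i;
}

/* Render up to 32 bytes in the "\xNN" form used in the text (static
   buffer: the result is only valid until the next call). */
const char *hex_string(const char *buf, size_t len)
{
    static char out[4 * 32 + 1];
    size_t pos = 0;
    if (len > 32) len = 32;
    for (size_t i = 0; i < len; i++)
        pos += snprintf(out + pos, sizeof(out) - pos, "\\x%02x", (unsigned char)buf[i]);
    out[pos] = '\0';
    return out;
}

int main(void)
{
    const char *scs[] = { sc_movl, sc_al_bl, sc_xorl };
    size_t lens[] = { SC_LEN(sc_movl), SC_LEN(sc_al_bl), SC_LEN(sc_xorl) };
    for (int i = 0; i < 3; i++)
        printf("%s  bytes=%zu nulls=%zu copied=%zu\n", hex_string(scs[i], lens[i]),
               lens[i], count_nulls(scs[i], lens[i]), copied_len(scs[i], lens[i]));
    return 0;
}
```

The first version is truncated after two bytes and the second after three, which is why a NUL anywhere in the bytes breaks a shellcode that is carried in a C string.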
Testing shellcode
For testing our newly developed exit shellcode we use two C programs: one simply calls the shellcode through a function pointer, and the other overwrites main's saved return address with the shellcode's address. Let's try both of them.
/*******example-1**********************/
/* Put the shellcode bytes in this array, e.g. "\xb0\x01\x31\xdb\xcd\x80".
   The array must sit in executable memory, so on newer toolchains build
   with gcc -z execstack (and -m32 on an x86-64 host). */
char shellcode[] = "Paste Your shell Code here";
int main(void)
{
    int (*code)();
    /* treat the byte array as a function and call it */
    code = (int (*)())shellcode;
    code();
    return 0;
}
/*********end************************/
/*******example-2********************/
char shellcode[] = "Paste Your shell Code here";
int main(void)
{
    int *ret;
    /* two words above the local variable lies main's saved return address;
       overwrite it so that returning from main jumps to the shellcode
       (this depends on the frame layout, so build without a stack protector) */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    return 0;
}
/*********end************************/
Just put your shellcode in place of the placeholder in the char array and compile the program with gcc or the make utility, like this:
# make
# gcc -o program program.c
# ./program
Important Syscalls
Shellcoding can be done for any syscall in Linux, but these syscalls are the most important ones. Try practicing them and make your own shellcode for each.
- open()
- write()
- close()
- execve()
- socket() and the rest of the socket family
Removing Static Address
A static address usually refers to the location where some string or ASCII data is stored, for example:
#asm code
movl $data,%ecx     # the address of data is fixed when the code is linked
data:
.ascii "Hello World"
In the above example we move the address of the memory holding "Hello World" into the ECX register, and that address is static. We will probably use our shellcode in the stack memory of another program, and GOD knows which starting address our shellcode ends up at. The best solution for this kind of problem is to use the jmp and call instructions. HOW?
#asm code
jmp data            # skip forward to the call
start:
popl %ecx           # the address pushed by call is the address of the string
data:
call start          # pushes the address of the next "instruction", i.e. our string
.ascii "Hello World"
The jmp instruction jumps to the data portion, and from there the call start instruction is executed. When CALL is executed it pushes the address of the next instruction onto the stack, and that next instruction is our string. After the call to start (the label naming that memory location), we pop the address into ECX. That is how we get the address of our string at runtime.
Conclusion:
In this article I have tried my best to explain the main concepts of shellcoding. We learned some of the main tips and tricks for removing errors and making shellcode more dynamic. I have not covered how to inject shellcode, but that will be available soon.
Author: Masood Mehmood
Email: masud.sp@gmail.com
Date: 27-08-2004
Version = 1.0