Shellcode 3: Write shellcode

Statement: The main content is from the shellcoder's handbook, which extracts Important Notes and adds some personal understanding. If there is something wrong, be sure to point it out.

System Call

Shellcode is a set of injecting commands that can be run in the attacked program. Because shellcode needs to directly operate registers, it is usually written and translated into a hexadecimal operating code in assembly language. We want the target program to run in a different and unexpected way, and one of the ways to manipulate the program is to force it to produce system calls.

In Linux, there are two methods for executing system calls. The indirect method is libc. The direct method is to call the Soft Interrupt Execution System Call using the Assembly command. In Linux, the program uses the int 0x80 Soft Interrupt to execute the system call. The call process is as follows:

1. Load the system call number into eax;

2. Press the system call parameters into other registers. Up to six parameters can be saved in EBX, ECx, EDX, ESI, EDI, and EBP respectively;

3. Execute the int 0x80 command;

4. Switch the CPU to the kernel mode;

5. Execute system functions.

How to get a shellcode

Note:
1. shellcode should be as compact as possible to inject smaller buffers;

2. shellcode should be injecting. When an attack occurs, the memory area most likely to be used to save shellcode is the character Array Buffer opened to save users' input. Therefore, shellcode should not contain null values (/x00). In the character array, null values are used to terminate strings. The existence of null values causes exceptions when shellcode is copied to the buffer zone.

The following uses exit () as an example to write a shellcode. The system number of exit () is 1. Using assembly instructions:

Section .text    global _start_start:    mov ebx,0    mov eax,1    int 0x80

Use NASM to compile and generate the target file, use the GNU linker to link the target file, and use objdump to display the corresponding operation code (marked as _ start ):

sep@debian66:~/shellcode$ nasm -f elf shellcode.asmsep@debian66:~/shellcode$ ld -o shellcode shellcode.o sep@debian66:~/shellcode$ objdump -d shellcodeshellcode: file format elf32-i386Disassembly of section .text:08048080 <_start>: 8048080: bb 00 00 00 00 mov $0x0,%ebx 8048085: b8 01 00 00 00 mov $0x1,%eax 804808a: cd 80          int $0x80sep@debian66:~/shellcode$

Shellcode [] = {"/xbb/x00/x00/x00/x00/xb8/x01/x00/x00/x00/x00/XCD/X80"}, you can find many null values, based on shellcode's testability, we need to find a way to convert null values into non-empty operation codes. There are two methods:

1. directly use other commands with the same functions to replace those that generate null values;

2. Add a null value to the Command during running.

The 2nd methods are complex. We will discuss the 1st methods for the moment. Based on the objdump results, it is found that mov EBX, 0, and mov eax, 1 both generate null values. To understand the assembly language, you can modify it to the following code:

Section .text    global _start_start:    xor ebx,ebx    mov al,1    int 0x80

Compilation, link, and disassembly. text section:

sep@debian66:~/shellcode$ nasm -f elf shellcode.asmsep@debian66:~/shellcode$ ld -o shellcode shellcode.o sep@debian66:~/shellcode$ objdump -d shellcodeshellcode: file format elf32-i386Disassembly of section .text:08048080 <_start>: 8048080: 31 db xor %ebx,%ebx 8048082: b0 01 mov $0x1,%al 8048084: cd 80 int $0x80sep@debian66:~/shellcode$

We can see that the shellcode null value disappears and the length is reduced. The shellcode can be injected.

Derived Shell

For details about how to write a shell-derived shellcode, refer to the original book p39. Now, I only need to have a general understanding of shellcode acquisition, and then look at the details when implementing it.