# Author: Flavio do Carmo Junior aka waKKu
# Date: February 04, 2011
# Category: Food for Thoughts, Programming
You are probably sick of these blog names making reference to l33t assembly instructions but, (un)fortunately, this is another one:
http://fnstenv.blogspot.com – Nbrito
http://x9090.blogspot.com – x9090
http://xorl.wordpress.com – xorl
For those who don't know the meaning of our blog's name, here is a not-so-short explanation:
“Show me the code!” – People shouted ;)…
Let’s begin with a simple “shellcode”…
Goal: Perform the syscall exit() with “123” as parameter.
waKKu@0xcd80: blog$ cat 0xcd80.s
.text
.globl _start
_start:
    movl $1, %eax
    movl $123, %ebx
    int $0x80
Ok, let's assemble it. I'm using an x86_64 (64-bit) machine, so I'll pass the --32 flag so that the code is generated as 32-bit code (actually, in this simple example there is no difference between the 32-bit and 64-bit encodings).
waKKu@0xcd80: blog$ as --32 -o 0xcd80.o 0xcd80.s
Once assembled, the (object) file 0xcd80.o has been created.
Let's take a look at the opcodes generated for our code:
waKKu@0xcd80: blog$ objdump -d 0xcd80.o

0xcd80.o:     file format elf32-i386

Disassembly of section .text:

00000000 <_start>:
   0:   b8 01 00 00 00          mov    $0x1,%eax
   5:   bb 39 05 00 00          mov    $0x7b,%ebx
   a:   cd 80                   int    $0x80
Some of you probably have found our blog already ;).
For those who still haven't, I want to introduce you to one of the tools I always keep in my toolbox.
Here is makesc.sh in action:
waKKu@0xcd80: blog$ ./makesc.sh 0xcd80.o
***** NULL BYTE FOUND (5) *****
Using 16 opcodes/line
// ShellCode -> [ 'File:0xcd80.o', 'Size:12 bytes', 'NULLs: 5' ]
"\xb8\x01\x00\x00\x00\xbb\x39\x05\x00\x00\xcd\x80"
waKKu@0xcd80: blog$
Hooray! There is our "\xcd\x80"...
Well, all these lines just to say: 0xcd80, or "\xcd\x80", are the opcodes of the assembly instruction int $0x80 on a Linux x86 system.
What does this instruction do? This is subject for another post ;)
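Since makesc.sh itself isn't shown, here is an added example (my own code, not the blog's script) of what such a tool has to do: locate the .text section inside an ELF32 relocatable object by walking its section header table, dump those bytes as a "\x.." string with 16 opcodes per line, and report every NULL byte with its offset. The object file is constructed in memory from the bytes that assembling the .s above produces (b8 01 00 00 00 bb 7b 00 00 00 cd 80, matching the linked binary's dump), so it runs offline with no assembler. The section layout of the constructed object is an assumption of this example, not taken from the page.

```python
import struct

# Constructed sample: the bytes `as --32` emits for the three instructions
# in 0xcd80.s (mov $1,%eax ; mov $123,%ebx ; int $0x80).
EXIT123 = bytes.fromhex("b801000000bb7b000000cd80")

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, 52 bytes
SHDR_FMT = "<10I"                # Elf32_Shdr, 40 bytes


def build_elf32_object(text: bytes) -> bytes:
    """Build a minimal ET_REL ELF32 (i386, little-endian) object holding
    `text` in a .text section. Layout (assumed for this example):
    ehdr | .text bytes | .shstrtab | 3 section headers."""
    shstrtab = b"\0.text\0.shstrtab\0"          # name offsets: .text=1, .shstrtab=7
    text_off = struct.calcsize(EHDR_FMT)
    shstr_off = text_off + len(text)
    shoff = shstr_off + len(shstrtab)
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident,
                       1,      # e_type      = ET_REL
                       3,      # e_machine   = EM_386
                       1,      # e_version
                       0, 0,   # e_entry, e_phoff
                       shoff,  # e_shoff
                       0,      # e_flags
                       text_off, 0, 0,            # e_ehsize, e_phentsize, e_phnum
                       struct.calcsize(SHDR_FMT), # e_shentsize
                       3,      # e_shnum     (NULL, .text, .shstrtab)
                       2)      # e_shstrndx  -> .shstrtab
    null_sh = struct.pack(SHDR_FMT, *([0] * 10))
    # sh_name, sh_type=SHT_PROGBITS(1), sh_flags=ALLOC|EXEC(6), addr, off, size, ...
    text_sh = struct.pack(SHDR_FMT, 1, 1, 6, 0, text_off, len(text), 0, 0, 16, 0)
    # sh_type=SHT_STRTAB(3)
    shstr_sh = struct.pack(SHDR_FMT, 7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + text + shstrtab + null_sh + text_sh + shstr_sh


def extract_text_section(elf: bytes) -> bytes:
    """Return the raw bytes of the .text section of an ELF32 LE file."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 1 or elf[5] != 1:
        raise ValueError("only ELFCLASS32 little-endian is handled here")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]

    def shdr(i: int):
        return struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize)

    strtab = shdr(shstrndx)
    names = elf[strtab[4]:strtab[4] + strtab[5]]   # section name string table
    for i in range(shnum):
        sh = shdr(i)
        name = names[sh[0]:names.index(b"\0", sh[0])]
        if name == b".text":
            return elf[sh[4]:sh[4] + sh[5]]        # sh_offset, sh_size
    raise ValueError("no .text section")


def format_shellcode(code: bytes, per_line: int = 16):
    """Return (escaped string lines, list of offsets holding 0x00)."""
    null_offsets = [i for i, b in enumerate(code) if b == 0]
    lines = []
    for start in range(0, len(code), per_line):
        chunk = code[start:start + per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines), null_offsets


if __name__ == "__main__":
    obj = build_elf32_object(EXIT123)
    code = extract_text_section(obj)
    text, nulls = format_shellcode(code)
    if nulls:
        print(f"***** NULL BYTE FOUND ({len(nulls)}) at offsets {nulls} *****")
    print(f"// ShellCode -> [ 'Size:{len(code)} bytes', 'NULLs: {len(nulls)}' ]")
    print(text)
```

For a real object file, read it with `open(path, "rb").read()` and pass the bytes to `extract_text_section`; the parser only follows the section header table, so it works on the .o straight from `as --32` as well as on the linked binary. Listing the NULL offsets, rather than just counting them, tells you which instruction needs rewriting once the warning from the PS below becomes relevant.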
Well, we've come this far... Let's execute our shellcode, but first we need to link it.
I'll be building a 32-bit executable here:
waKKu@0xcd80: blog$ ld -m elf_i386 -o 0xcd80 0xcd80.o
waKKu@0xcd80: blog$ file 0xcd80
0xcd80: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
waKKu@0xcd80: blog$ objdump -d 0xcd80

0xcd80:     file format elf32-i386

Disassembly of section .text:

08048074 <_start>:
 8048074:   b8 01 00 00 00          mov    $0x1,%eax
 8048079:   bb 7b 00 00 00          mov    $0x7b,%ebx
 804807e:   cd 80                   int    $0x80
waKKu@0xcd80: blog$
Trying to ring some bells, here is the binary's dump again after we've linked it. Check the instruction addresses.
And last but not least, we execute it:
waKKu@0xcd80: blog$ ./0xcd80
waKKu@0xcd80: blog$ echo $?
123
There it is, as promised, a beautiful exit(123) executed... Outstanding, no? :X
That’s all folks!
PS: If you noticed that "NULL BYTE FOUND" warning from makesc.sh, don't worry; we'll be talking a lot about it soon.