0xcd80!?!? What tha f…

    Post Info:
    Author: Flavio do Carmo Junior aka waKKu
    URL: Author’s Webpage
    Date: February 04, 2011
    Category: Food for Thoughts, Programming

    You are probably sick of blog names that reference l33t assembly instructions, but, (un)fortunately, this is another one:
    http://fnstenv.blogspot.com – Nbrito
    http://x9090.blogspot.com – x9090
    http://xorl.wordpress.com – xorl

    For those who don’t realize the meaning of our blog’s name, here is a not so short explanation:
    “Show me the code!” – People shouted ;)…

    Let’s begin with a simple “shellcode”.
    Goal: perform the exit() syscall with “123” as its parameter.

    waKKu@0xcd80: blog$ cat 0xcd80.s
    .text
    .globl _start
    
    _start:
            movl $1, %eax
            movl $123, %ebx
            int $0x80
    

    Ok, let’s assemble it. I’m using an x86_64 (64-bit) machine, so I’ll pass the --32 flag to have the code generated as 32-bit code (in this simple example there is actually no difference between the 32-bit and 64-bit code).

    waKKu@0xcd80: blog$ as --32 -o 0xcd80.o 0xcd80.s
    

    Once assembled, the object file 0xcd80.o has been created.
    Let’s take a look at the opcodes generated from our code:

    waKKu@0xcd80: blog$ objdump -d 0xcd80.o
    
    0xcd80.o:     file format elf32-i386
    
    Disassembly of section .text:
    
    00000000 <_start>:
       0:   b8 01 00 00 00          mov    $0x1,%eax
       5:   bb 39 05 00 00          mov    $0x7b,%ebx
       a:   cd 80                   int    $0x80
    

    Some of you probably have found our blog already ;).

    For those who still haven’t, I want to introduce you to one of the tools I always keep in my toolbox.
    Here is makesc.sh:

    waKKu@0xcd80: blog$ ./makesc.sh 0xcd80.o
    ***** NULL BYTE FOUND (5) *****
    Using 16 opcodes/line
    
    // ShellCode -> [ 'File:0xcd80.o', 'Size:12 bytes', 'NULLs: 5' ]
    "\xb8\x01\x00\x00\x00\xbb\x39\x05\x00\x00\xcd\x80"
    
    waKKu@0xcd80: blog$
    

    Hooray! There it is, our “\xcd\x80”.

    Well, all these lines to say: 0xcd80, or “\xcd\x80”, are the opcode bytes for the assembly instruction int $0x80 on a Linux x86 system.

    What does this instruction do? This is subject for another post ;)

    Well, we’ve got this far… Let’s execute our shellcode, but first we need to link it.
    I’ll be using the 32-bit libraries here:

    waKKu@0xcd80: blog$ ld -m elf_i386 -o 0xcd80 0xcd80.o
    waKKu@0xcd80: blog$ file 0xcd80
    0xcd80: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
    waKKu@0xcd80: blog$ objdump -d 0xcd80
    
    0xcd80:     file format elf32-i386
    
    Disassembly of section .text:
    
    08048074 <_start>:
     8048074:       b8 01 00 00 00          mov    $0x1,%eax
     8048079:       bb 7b 00 00 00          mov    $0x7b,%ebx
     804807e:       cd 80                   int    $0x80
    waKKu@0xcd80: blog$
    

    To ring some bells, here is the same binary’s disassembly after we’ve linked it. Check the instruction addresses.

    And last but not least, we execute it:

    waKKu@0xcd80: blog$ ./0xcd80
    waKKu@0xcd80: blog$ echo $?
    123
    

    There it is, as promised, a beautiful exit(123) executed… Outstanding, no? :X

    That’s all folks!

    PS: If you noticed the “NULL BYTE FOUND” warning from makesc.sh, don’t worry; we’ll be talking a lot about it soon.

    waKKu
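    As an added illustration (this is not the post’s makesc.sh, whose source is not shown here, and not the author’s code), the following Python script decodes the 12 bytes that objdump printed for the linked binary above and re-creates a makesc.sh-style report, including the NULL-byte count that the PS refers to. It only understands the two encodings the post uses, the B8+r imm32 form of mov and CD ib for int, which encode identically in 32-bit and 64-bit mode; that is why --32 made no difference for this example. The sample bytes are copied from the post’s objdump output; the function names are my own.

```python
import struct

# Constructed sample: the 12 bytes objdump printed for the linked 0xcd80 binary
# in the post (mov $1,%eax ; mov $123,%ebx ; int $0x80).
SHELLCODE = b"\xb8\x01\x00\x00\x00\xbb\x7b\x00\x00\x00\xcd\x80"

# Register order used by the B8+r encoding (r = 0..7).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code: bytes):
    """Decode the two instruction forms the post uses, in AT&T syntax like objdump:
         B8+r imm32 -> mov $imm32,%reg   (5 bytes, immediate is little-endian)
         CD ib      -> int $imm8         (2 bytes)
    Returns a list of (offset, raw_bytes, text). Anything else raises ValueError,
    so unexpected bytes are flagged instead of silently skipped."""
    out = []
    i = 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF:
            if i + 5 > len(code):
                raise ValueError(f"truncated mov at offset {i:#x}")
            imm = struct.unpack_from("<I", code, i + 1)[0]
            text = f"mov    $0x{imm:x},%{REG32[op - 0xB8]}"
            size = 5
        elif op == 0xCD:
            if i + 2 > len(code):
                raise ValueError(f"truncated int at offset {i:#x}")
            text = f"int    $0x{code[i + 1]:x}"
            size = 2
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i:#x}")
        out.append((i, code[i:i + size], text))
        i += size
    return out


def null_count(code: bytes) -> int:
    """Number of 0x00 bytes, the count makesc.sh reports as 'NULL BYTE FOUND'."""
    return code.count(0)


def to_c_string(code: bytes) -> str:
    """Render the bytes as the \\x.. C string makesc.sh prints."""
    return '"' + "".join(f"\\x{b:02x}" for b in code) + '"'


def report(code: bytes, name: str = "0xcd80.o") -> str:
    """Build a makesc.sh-style report: disassembly, NULL warning, C string."""
    lines = [f"{off:4x}:   {raw.hex(' '):<24}{text}" for off, raw, text in decode(code)]
    nulls = null_count(code)
    if nulls:
        lines.append(f"***** NULL BYTE FOUND ({nulls}) *****")
    lines.append(f"// ShellCode -> [ 'File:{name}', 'Size:{len(code)} bytes', 'NULLs: {nulls}' ]")
    lines.append(to_c_string(code))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SHELLCODE))
```

    Running it prints the three instructions with their offsets (0, 5, 0xa, matching the object-file dump above), then the NULL warning and the C string. Every 0x00 in the immediates of the two mov instructions shows up in that count, which is the point the PS promises to come back to.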


    Posted February 4, 2011 by waKKu in Assembly, Food for thoughts
