
How to make a simple shellcode (The basics)

Discussion in 'Ethical hacking Tips' started by lionaneesh, Feb 9, 2011.

  1. lionaneesh

    Shellcode is a piece of object code that can be injected into the executable stack to get execution access... Shellcode is so called because it is basically used to get a shell (/bin/bash). We'll see how to make a simple exit shellcode.

    This article assumes basic knowledge of x86 assembly as a prerequisite.

    Shell-Coding



    First let's just type the basic exit routine in assembly (x86, Intel format).

    shell.asm
    Code:
    section .text

    global _start

    _start:
    	mov eax,1       ; syscall number 1 = exit
    	mov ebx,7       ; exit status 7
    	int 0x80        ; call the kernel
    
    Assembling and linking
    Code:
    aneesh@aneesh-laptop:~/articles/ASM$ nasm -f elf32  shell.asm -o shell.o
    aneesh@aneesh-laptop:~/articles/ASM$ ld shell.o -o shell

    Let's run the code and check the exit status, so that we know it runs without errors.
    Code:
    aneesh@aneesh-laptop:~/articles/ASM$ ./shell
    aneesh@aneesh-laptop:~/articles/ASM$ echo $?
    7

    Perfect!!

    Now let's dump the shellcode's opcodes, which are of main concern to us, as we need the opcodes to attach the shellcode to the executable stack.

    Let's dump the code with objdump.
    Code:
    aneesh@aneesh-laptop:~/articles/ASM$ objdump -d shell

    shell:     file format elf32-i386

    Disassembly of section .text:

    08048060 <_start>:
     8048060:	b8 01 00 00 00       	mov    $0x1,%eax
     8048065:	bb 07 00 00 00       	mov    $0x7,%ebx
     804806a:	cd 80                	int    $0x80
    
    Just run that command for now. I'll write a tutorial on objdump soon!

    Now, as we see, there are lots and lots of nulls out there in the opcodes.

    So we need to remove them, because we will be using this shellcode to run in an executable stack. The program will be reading the opcodes only till it finds a null (assume functionality like that of strcpy()). As soon as it finds a null it will return to the main program.

    So our shellcode will not work.

    Now let's try to remove the nulls...

    New shell.asm
    Code:
    section .text

    global _start

    _start:
    	xor eax,eax     ; zero eax
    	mov al,1        ; move 1 into al, the low byte of eax; a 1-byte immediate, so we lose the nulls
    	xor ebx,ebx     ; zero ebx
    	mov bl,7        ; move 7 into bl, the low byte of ebx (exit status 7)
    	int 0x80        ; call the kernel
    
    Assembling and linking:
    Code:
    aneesh@aneesh-laptop:~/articles/ASM$ nasm -f elf32  shell.asm -o shell.o
    aneesh@aneesh-laptop:~/articles/ASM$ ld shell.o -o shell

    Testing
    Code:
    aneesh@aneesh-laptop:~/articles/ASM$ ./shell
    aneesh@aneesh-laptop:~/articles/ASM$ echo $?
    7
    
    Dump the opcodes
    Code:
    aneesh@aneesh-laptop:~/articles/ASM$ objdump -d shell

    shell:     file format elf32-i386

    Disassembly of section .text:

    08048060 <_start>:
     8048060:	31 c0                	xor    %eax,%eax
     8048062:	b0 01                	mov    $0x1,%al
     8048064:	31 db                	xor    %ebx,%ebx
     8048066:	b3 07                	mov    $0x7,%bl
     8048068:	cd 80                	int    $0x80
    
    Yippee... We eliminated all the NULLs. This makes the shellcode complete.

    I'll be writing an article soon on how to test this shellcode while inserting it in the executable stack. Stay tuned...
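    Added example (not part of lionaneesh's post): a small Python checker that parses the two objdump -d listings above, collects the opcode bytes and reports the offset of every null byte, so the "strcpy() stops at the first null" problem is caught from the listing itself, before the bytes are embedded anywhere. The sample listings are the two dumps from this thread; the function names are my own.

```python
import re

# Sample `objdump -d` listings (constructed from the two builds in this thread):
# the first uses 32-bit immediates (nulls), the second the 8-bit al/bl forms.
DUMP_WITH_NULLS = (
    "08048060 <_start>:\n"
    " 8048060:\tb8 01 00 00 00       \tmov    $0x1,%eax\n"
    " 8048065:\tbb 07 00 00 00       \tmov    $0x7,%ebx\n"
    " 804806a:\tcd 80                \tint    $0x80\n"
)
DUMP_NULL_FREE = (
    "08048060 <_start>:\n"
    " 8048060:\t31 c0                \txor    %eax,%eax\n"
    " 8048062:\tb0 01                \tmov    $0x1,%al\n"
    " 8048064:\t31 db                \txor    %ebx,%ebx\n"
    " 8048066:\tb3 07                \tmov    $0x7,%bl\n"
    " 8048068:\tcd 80                \tint    $0x80\n"
)

# An instruction line is "<addr>:<tab><hex bytes, space separated><tab><mnemonic>".
# Symbol lines ("08048060 <_start>:") and headers have no tab after the colon.
_INSN_RE = re.compile(r"^\s*[0-9a-f]+:\t((?:[0-9a-f]{2} )+)\s*(?:\t.*)?$")

def extract_opcodes(dump: str) -> bytes:
    """Collect the raw opcode bytes from an objdump -d listing, in address order."""
    out = bytearray()
    for line in dump.splitlines():
        m = _INSN_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def find_nulls(code: bytes) -> list:
    """Offsets of every 0x00 byte; a strcpy()-style copy would stop at the first one."""
    return [i for i, b in enumerate(code) if b == 0]

def as_c_string(code: bytes) -> str:
    """Render the bytes in the \\x.. form shellcode is normally written out in."""
    return "".join(f"\\x{b:02x}" for b in code)

def report(name: str, dump: str) -> bool:
    """Print a summary and return True only if the shellcode is null-free."""
    code = extract_opcodes(dump)
    nulls = find_nulls(code)
    print(f"{name}: {len(code)} bytes  {as_c_string(code)}")
    print("  nulls at offsets:", nulls if nulls else "none")
    return not nulls

if __name__ == "__main__":
    report("first build", DUMP_WITH_NULLS)
    report("second build", DUMP_NULL_FREE)
```

    Feed it `objdump -d shell` output captured to a file and it flags any immediate that still encodes as a 4-byte value with leading zeros.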
     
  2. lionaneesh

    Thanks for accepting my tutorial...
    Be ready for more.
     
