Shell-code is a piece of object code that can be injected into an executable stack to get execution control... It is called shell-code because it is usually used to get a shell (/bin/bash).. We'll see how to make a simple exit shell-code..
This article assumes basic knowledge of x86 assembly as a prerequisite.
Shell-Coding
First let's just type the basic exit routine in assembly (x86, Intel syntax)..
shell.asm
Code:
section .text
global _start
_start:
    mov eax,1       ; syscall number 1 = exit
    mov ebx,7       ; exit status returned to the shell
    int 0x80        ; call the kernel
Assembling and linking:
Code:
aneesh@aneesh-laptop:~/articles/ASM$ nasm -f elf32 shell.asm -o shell.o
aneesh@aneesh-laptop:~/articles/ASM$ ld shell.o -o shell
Let's run the code and check the exit status, so that we know it runs without errors..
Code:
aneesh@aneesh-laptop:~/articles/ASM$ ./shell
aneesh@aneesh-laptop:~/articles/ASM$ echo $?
7
Perfect!!
Now let's dump the shellcode's opcodes, which are what matter to us, since we need the raw opcodes to attach the shell code to the executable stack..
Let's dump the code with objdump.. Just run that command for now, I'll write a tutorial on objdump soon!!..
Code:
aneesh@aneesh-laptop:~/articles/ASM$ objdump -d shell

shell:     file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
 8048060:   b8 01 00 00 00          mov    $0x1,%eax
 8048065:   bb 07 00 00 00          mov    $0x7,%ebx
 804806a:   cd 80                   int    $0x80
Now, as we see, there are lots and lots of nulls (0x00 bytes) in the opcodes..
We need to remove them, because we will be placing this shellcode on an executable stack, and the program that copies it there reads the opcodes only until it finds a null (assume functionality like that of strcpy()).. As soon as it finds a null it stops and returns to the main program, so the rest of the opcodes never get there..
So our shell-code will not work..
Now let's try to remove the nulls...
New shell.asm
Code:
section .text
global _start
_start:
    xor eax,eax     ; zero eax (xor of a register with itself encodes with no null byte)
    mov al,1        ; move 1 into the low byte of eax: a 1-byte immediate, so we lose the nulls
    xor ebx,ebx     ; zero ebx the same way
    mov bl,7        ; exit status 7 into the low byte of ebx
    int 0x80        ; call the kernel..
Assembling and linking:
Code:
aneesh@aneesh-laptop:~/articles/ASM$ nasm -f elf32 shell.asm -o shell.o
aneesh@aneesh-laptop:~/articles/ASM$ ld shell.o -o shell
Testing:
Code:
aneesh@aneesh-laptop:~/articles/ASM$ ./shell
aneesh@aneesh-laptop:~/articles/ASM$ echo $?
7
Dump the opcodes:
Code:
aneesh@aneesh-laptop:~/articles/ASM$ objdump -d shell

shell:     file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
 8048060:   31 c0                   xor    %eax,%eax
 8048062:   b0 01                   mov    $0x1,%al
 8048064:   31 db                   xor    %ebx,%ebx
 8048066:   b3 07                   mov    $0x7,%bl
 8048068:   cd 80                   int    $0x80
Yupi... We eliminated all the NULLs.. This makes the shell-code complete..
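As an added example (my own script, not part of the original post), here is a small Python checker that parses objdump -d output, pulls out the opcode bytes, reports which instructions still contain a null byte, and prints the opcodes as the C-style \x.. string you would paste into a test harness. The listing it runs on is the first (null-containing) dump from this article, embedded as a constructed sample.

```python
import re

# One objdump -d instruction line: "<addr>:<tab><hex bytes><tab><mnemonic>"
_INSN = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s?)+)\s*(.*)$")

def parse_objdump(text):
    """Return [(opcode_bytes, mnemonic), ...] for each instruction in objdump -d
    output. Continuation lines (bytes without a mnemonic, which objdump emits for
    long encodings) are merged into the preceding instruction; headers are skipped."""
    insns = []
    for line in text.splitlines():
        m = _INSN.match(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group(1).replace(" ", "").replace("\t", ""))
        asm = " ".join(m.group(2).split())  # collapse objdump's column padding
        if not asm and insns:
            prev_raw, prev_asm = insns[-1]
            insns[-1] = (prev_raw + raw, prev_asm)
        else:
            insns.append((raw, asm))
    return insns

def null_instructions(insns):
    """Instructions whose encoding contains a 0x00 byte: the ones to rewrite."""
    return [(raw, asm) for raw, asm in insns if 0 in raw]

def as_c_string(insns):
    """Concatenate the opcodes into the \\x.. form used in a C char array."""
    return "".join("\\x%02x" % b for raw, _ in insns for b in raw)

def check(text):
    """Return (c_string, [offending mnemonics]); an empty list means null-free."""
    insns = parse_objdump(text)
    return as_c_string(insns), [asm for _, asm in null_instructions(insns)]

# Constructed sample: the first (null-containing) listing from this article.
OBJDUMP_WITH_NULLS = """\
shell:     file format elf32-i386
08048060 <_start>:
 8048060:\tb8 01 00 00 00       \tmov    $0x1,%eax
 8048065:\tbb 07 00 00 00       \tmov    $0x7,%ebx
 804806a:\tcd 80                \tint    $0x80
"""

if __name__ == "__main__":
    shellcode, bad = check(OBJDUMP_WITH_NULLS)
    print(shellcode)
    print("instructions with null bytes:", bad)
```

Run it on the second dump and the offending list comes back empty, which is the check to repeat every time the assembly is changed.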
I'll be writing an article soon on how to test this shellcode by inserting it into an executable stack.. Stay tuned...
