Re: shellcode -> asm?

From: Eloy A. Paris (peloy@chapus.net)
Date: 10/08/02


Date: Tue, 8 Oct 2002 16:19:25 -0400
To: Sean Zadig <seanzadig@hotmail.com>
From: "Eloy A. Paris" <peloy@chapus.net>

Don't know if this is what you are looking for, but let's try an
example:

Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The
shell code is in the char array "shellcode". To see the code:

peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c
peloy@canaima:~$ gdb ./apache-scalp
GNU gdb 2002-08-18-cvs
[...]
(gdb) x /10i shellcode
0x804ac20 <shellcode>: mov %esp,%edx
0x804ac22 <shellcode+2>: sub $0x10,%esp
0x804ac25 <shellcode+5>: push $0x10
0x804ac27 <shellcode+7>: push %esp
0x804ac28 <shellcode+8>: push %edx
0x804ac29 <shellcode+9>: push $0x0
0x804ac2b <shellcode+11>: push $0x0
0x804ac2d <shellcode+13>: mov $0x1f,%eax
0x804ac32 <shellcode+18>: int $0x80
0x804ac34 <shellcode+20>: cmpb $0x2,0x1(%edx)
(gdb)

The 'x' gdb command is your friend. It allows you to see anything the
way you want (instructions, bytes, words, strings, etc.). If you don't
have the source code you can still use the 'x' command and give it '/i
memory_address', where memory_address is the place where the shell code
lives.

Cheers,

Eloy.-

On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:
> Hi,
> I'm doing some research into creating variants of common attacks, but I ran
> into a problem of sorts. For most of the attacks I have, the shellcode
> consists of the overflow and the actual malicious code that is run. I want
> to be able to isolate the overflow from the rest of the shellcode and use
> that to create attack variants. Problem is, I don't know where one ends and
> the other begins! I figure if I turn the hex-encoded shellcode back into
> assembly code, I could probably figure it out. I'm familiar with how to do
> the reverse in gdb, but is it possible to do what I want? To restate:
> shellcode -> asm is what I need. If this is a simple thing, my apologies -
> but the security-basics list rejected my post =)
> -Sean Zadig
>
> -----
> Sean Zadig
> Student, UC Davis
> PGP Key ID: 0xDE44A79F
> 7EE1 C80A A0C1 B224 45CE F74B 5835 0115 DE44 A79F
>
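To put the reply's point to work on the original question (where does the overflow padding end and the code begin?), here is an added example in Python that is not part of this thread. It decodes a C-style "\x.." literal into raw bytes and carves a constructed buffer into NOP sled, code and repeated return address, which is the usual layout of a stack-smash string; the 20 sample code bytes are the encoding of the ten instructions gdb prints above, while the 16-byte sled and the 0xdeadbeef return address are made-up values.

```python
"""Decode a C-style shellcode literal and carve a classic exploit buffer.

Added example, not from the original thread. Assumes the usual layout:
NOP sled, then the payload code, then the return address repeated.
"""
import struct

NOP = 0x90  # x86 single-byte NOP used for sleds


def c_string_to_bytes(literal: str) -> bytes:
    """Turn the body of a C string literal ("\\x89\\xe2...") into raw bytes."""
    return literal.encode("latin-1").decode("unicode_escape").encode("latin-1")


def carve(buf: bytes):
    """Split buf into (sled, code, ret, ret_count).

    The sled is the leading run of 0x90; the return address is the 4-byte
    value repeated at the tail (at least two copies are required, so a
    payload that merely ends in some dword is not mistaken for padding);
    the code is whatever sits between them.
    """
    sled_end = 0
    while sled_end < len(buf) and buf[sled_end] == NOP:
        sled_end += 1
    ret = buf[-4:] if len(buf) >= 4 else b""
    k = len(buf)
    while ret and k - 4 >= sled_end and buf[k - 4:k] == ret:
        k -= 4
    ret_count = (len(buf) - k) // 4
    if ret_count < 2:  # one trailing dword is not evidence of address padding
        k, ret, ret_count = len(buf), b"", 0
    return buf[:sled_end], buf[sled_end:k], ret, ret_count


# Constructed sample: the 20 bytes encoding the ten instructions gdb showed
# (mov %esp,%edx ... int $0x80), wrapped in a made-up 16-byte sled and three
# copies of the placeholder return address 0xdeadbeef (little-endian).
SAMPLE_CODE = c_string_to_bytes(
    r"\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00"
    r"\xb8\x1f\x00\x00\x00\xcd\x80"
)
SAMPLE_BUF = bytes([NOP]) * 16 + SAMPLE_CODE + struct.pack("<I", 0xDEADBEEF) * 3

if __name__ == "__main__":
    sled, code, ret, n = carve(SAMPLE_BUF)
    print(f"sled={len(sled)} bytes, code={len(code)} bytes, "
          f"ret=0x{int.from_bytes(ret, 'little'):08x} x{n}")
    with open("carved.bin", "wb") as f:  # view with: objdump -D -b binary -m i386 carved.bin
        f.write(code)
```

Once the carved code is in a file on its own, `objdump -D -b binary -m i386` (or gdb's `x/i` on the loaded bytes, as in the reply) gives the listing, starting from the first real instruction rather than from the sled.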


