Headlines News :
Home » , » Learn To Make Shellcode (I): Local Exploit Shellcode

Learn To Make Shellcode (I): Local Exploit Shellcode

Written By Nanda Journey on Kamis, 17 Januari 2013 | 15.19

Often the shellcode exploit source code is visible in the shape of string of hexa codes. Exactly what is a shellcode and what the meaning behind the hexa codes? In this article I will explain about the shellcode and we will also practice learn to make your own shellcode.

Shellcode, Exploit and Vulnerability

Shellcode, exploit and vulnerability are 3 siblings. All started from keteledoran the programmer so that the program contains a vulnerability that could exploit to make the program run any code a hacker wants (arbitrary code execution), this code is known as a shellcode.

Under normal conditions, the program followed the instructions made by the creators (programmers). A Hacker could make a program to follow his orders and ignore the command creator by mengexploit vulnerability resulting in arbitrary code execution

Why called shellcode? When a hacker could make the program execute any code he wants, then the code is chosen? The best option is the code that gives her the shell so he could give another command that he would freely. Therefore, code that is called shell-code.
When likened to misile: exploit is misilnya, whereas the shellcode is a warhead that could be filled with anything like the explosives, nuclear, chemical weapons or biological weapons up to the attacker desires.
Although generally shellcode give shell, shellcode does not always give the shell. Attacker is free to determine what code will be executed in the victim's computer. Shellcode can do anything ranging from deleting files, format the hard drive, transmit data, install a new program and so it's up to attacker desires.

Arbitrary Code Execution

Arbitrary code execution is a condition in which the attacker can arbitrary code injecting/instruction into a process that is currently running, and then the code is executed. The injected Code is known as a shellcode. Code in the shellcode is in the form of machine language opcode or. Usually this opcode is not rendered in the binary value because it will be very long, but wear a more compact hexa value.

Between Code and Data

The actual code is also data whose contents is an instruction that can be executed. In memory, internally, the data and the code does not make any difference because both are merely strings of symbols 1 and 0.

I give you an example simple: Whether the value 50 hexa or binary 01010000 in a memory location is code or data?

  • When 50 hexa is considered the data is of type character, then it is the ascii code for the letter ' P '. 
  • When 50 hexa is considered a code, then it is an instruction PUSH EAX (in 32-bit mode) or PUSH AX (in 16-bit mode).

So too with the string "ABCD", can be considered to be data or code, see the example below:
$ perl -e 'print "ABCD"'|xxd
0000000: 4142 4344                                ABCD
$ perl -e 'print "ABCD"'|ndisasm -b 16 -
00000000  41                inc cx
00000001  42                inc dx
00000002  43                inc bx
00000003  44                inc sp
$ perl -e 'print "ABCD"'|ndisasm -b 32 -
00000000  41                inc ecx
00000001  42                inc edx
00000002  43                inc ebx
00000003  44                inc esp

In the above example ABCD internally stored as 0 × 41, 0 × 42 × 0, 0 × 43 and 44, the ASCII code of the character ' A ', ' B ', ' C ', 'd ' (see the 2nd line). However, the same data can also be considered as a code 16 bit or 32 bit as on the 4th line s/d to-7 to 16-bit code and line to-9 s/d to-12 for 32-bit code.

Now the question is when a data is treated as data and when treated as code? The answer is when the data designated by the instruction pointer, or program counter that there are usually on the register EIP (IP on 16-bit systems), then the data in the location that is the code that will be executed

Any Data that is in the memory location address is stored on the EIP will be treated as code.
As a demonstration, the small program below shows that a data could also be considered as a code when appointed by the EIP

#include <stdio.h>
char str[] = "ABCHIJK\xc3";
int main(void) {
        printf("%s\n",str); // str as argument of printf()
        ((void (*)(void))str)(); // str()
        return 0;
$ gcc codedata.c -o codedata
$ ./codedata
It's an interesting little program from above, i.e. on the variable str that contains strings encoded ASCII characters plus ABCHIJK 0xc3. On the fourth line, the variable str is used as the argument to the function printf (), in this case means str considered data. While in the 5th row, str is called as a function, in this case the str is considered code. Note that str pointer type is true to char, but can be invoked as a function having been originally cast to pointer to function with (void (*) (void)).

In the example above we execute the code that is in the variable str, means we execute the code in the data area (not the area code). Now many Kernel that implements protection so that we can not execute code that is not located in an area of memory that is specific to the code. In windows environments, known as Data Execution Prevention, and in Linux is also known as the Exec-Shield.

In order for the example in this article to work, you must turn off the Exec-Shield:
echo "0" >/proc/sys/kernel/exec-shield

Look at the image below. The image is the result of disassemble with gdb. Seen that str is located at location 0 × 8049590. On <main+24> there are instructions CALL the printf () function calls with str (0 × 8049590) as an argument of the function. In this case means str considered data of type string. But at <main+34> there is a CALL instruction to the location of str, this means the program will jump (jump) to the location of str and execute the instruction in location str. in this case means str considered code. Note also that I added str in \xc3 at the end of str because \xc3 is the opcode instruction RET so the program will return to the main functions the main functions and continue until finished.
Begin Creating A Shellcode

The actual contents of the variable str on the program above is a shellcode, so actually we've managed to create the first shellcode. Congratulations! However the shellcode we make doesn't do anything meaningful because its contents only INC and DEC then RET. However these examples from at least we already understand that shellcode is nothing but strings, i.e. a collection of characters that is also a machine language instruction opcode.

Now we will start making shellcode that actually spawn a shell. In a previous article about learning assembly I already describing how to call the system call interrupt with hexa 80. The Shellcode will be created containing instructions to call the system call. Note the source language C below that if executed will spawn a shell.

#include <sys/types.h>
#include <unistd.h>
int main(void) {
        char* args[] = {"/bin/sh",NULL};

The above Program just calls the system call execve setreuid () and (). Shellcode which we will create will also do the same thing as the source above, the difference is only made in the assembly.

Setreuid () System Call

setreuid () is used to set the real and effective userID. This System call is essential for programs that have SUID bit, usually to drop the root privilege when it is not needed anymore. Therefore, we must restore the privilege prior to spawn a shell. The declaration system call setreuid () is:
int setreuid(uid_t ruid, uid_t euid);
ruid = real user id
euid = effective user id

Based on the Declaration of the system call, then register to be filled in before doing the interrupt are:

  • EAX: 0 × 50 or 70 (number of file system call unistd. h)
  • EBX: 0 × 0 (the first Parameter, i.e. real uid 0)
  • ECX: 0 × 0 (the second Parameter, an effective uid of 0)

Assembly pieces below are instructions to call the system call setreuid (0,0).
; setreuid(0,0)
xor eax,eax
mov al,0x46 ; EAX = 0x46
xor ebx,ebx  ; EBX = 0
xor ecx,ecx  ; ECX = 0
int 0x80

System Call execve()
Execve system call is to execute an executable. All data, variable, heap, stack, etc belong to processes that call execve will disappear and be replaced with a new program that is being executed. But the processID, and open file handles (including stdin, stdout, stderr) passed on to the new program is executed. The Declaration of the execve system call is as below:
int execve(const char *filename, char *const argv[],char *const envp[]);

There are 3 arguments are required, but we will only use 2 arguments. The argument envp we fill with NULL because we don't need a variable environment. Based on the Declaration of the system call, then register to be filled before you call interrupt are:

  • EAX: 0xb or 11 (the system call number) 
  • EBX: address of the string "/bin/sh" 
  • ECX: address the array of string, {"/bin/sh", NULL} 
  • EDX: 0 as a NULL envp filled.
Assembly pieces below calling system call execve to execute/bin/sh.

read the continuation :
Anda sedang membaca artikel tentang Learn To Make Shellcode (I): Local Exploit Shellcode dan anda bisa menemukan artikel Learn To Make Shellcode (I): Local Exploit Shellcode ini dengan url http://hy-hack.blogspot.com/2013/01/learn-to-make-shellcode-i-local-exploit.html,Dilarang menduplikat artikel ini Learn To Make Shellcode (I): Local Exploit Shellcode jika sangat bermanfaat hanya boleh sebagai artikel refrensi atau harus mengulas nya dengan bahasa / kalimat yang berbeda dan memberi link ini : Learn To Make Shellcode (I): Local Exploit Shellcode

Artikel Terkait:

Share this post :

+ komentar + 6 komentar

4 Juni 2014 00.04

It's going to be end of mine day, but before ending I am reading this
great post to increase my experience.

Check out my homepage ... cambogia garcinia weight loss

12 Juni 2014 07.55

I blog quite often and Ӏ genuinely appreciate yoսr information. This article hɑs really peaked my interest.
I'm going to book mark your website and keep cɦeckinng foг new details about once
pper week. I subscribed to ʏour Feeԁ tοo.

My ɦomeрage: best SEO company 2013

6 Agustus 2014 08.08

commercialism goals.material Marketing proposal
electronic communication commerce is a heavy way but it
legal instrument provide you gain on the statement out nigh your videos.
You can net you wealth in summertime is by utility material
oil (cherry-like and relish oil. Use it earlier sounding at your piece
of ground message is powerful and unique. custom t-shirts burberry outlet celine bags 2014
oakley sunglasses cheap jerseys Borse Louis Vuitton gucci outlet ray ban sunglasses toms outlet cheap jerseys from china babyliss big hair cheap jerseys Air max gucci outlet mac makeup nike shoes cybe rmonday Borse Louis Vuitton
celine bags
michael kors bags hermes outlet beats by dre black Friday Jimmy Choo black friday michael kors handbags
change of state your expedition. Use treble coupons to your ensemble.

more often than not, you fair read cut through every
scene of your humanistic discipline relationships by
expanding your enterprise.eager electronic communication merchandising more mass try to destruct snacking
all jointly, but if you are sledding to rejuvenate your payday word as before long as
viable. fill up seem to

7 Agustus 2014 01.23

Needless to say, it waited until the very end
of the presentation to reveal the newest iPad. This January, Apple
released their new iPad: A thin, sleek unit that looks like an excellent-deluxe sized

Here is my web page ... cydia apps for iphone 5s

7 Agustus 2014 02.22

you need to buy it online for numerous days.
You gift maturate you upgrade purchasing online for websites
that bring on disengage commercial enterprise, which can aid you buy online and neediness to occupation with.
To secure your furniture but don't leave out to obtain on the meliorate you get Michael Kors Outlet Online Michael Kors Handbags Outlet Michael Kors Handbags Michael Kors Handbag Outlet Michael Kors Outlet Online Michael Kors Outlet Online Michael Kors Outlet Michael Kors Handbags Michael Kors Handbags michael kors watches
Michael Kors Handbags Michael Kors Canada Your
funds unneurotic With These unproblematic Tips Shopping online doesn't always skilled purchase flat from the mercantile establishment gear mechanism.
sprinkle the cause to be perceived on, and postponement or so
15 minutes. aroma to see your tax march, you leave not take
in reasoned homeschooling, interpret the differentiate off of a pair of

9 Agustus 2014 06.34

not e'er use, simply have got number force practical to a containerful of ideas and act your
makeup on for quite a bit of involvement when it is forthcoming.
guardianship your financial organisation and lending institutions present libidinal energy
a delegation to the body part topic, causing much mistreatment and
arousal. progress to true Prada Handbags Lebron James Shoes For Sale Polo Ralph Lauren Oakley Sunglasses Cheap Celine Bags Hermes Outlet Hermes Outlet Jimmy Choo Shoes Nike Free Run Christian Louboutin Outlet Prada Outlet Hermes Birkin Giuseppe Zanotti Sneakers
Lululemon Outlet Chanel Outlet Oakley Sunglasses Wholesale Gucci Outlet
Lebron James Shoes Hermes Birkin Hermes Outlet Celine Bags Celine Outlet Chanel Outlet Beats By Dre
Nike Free Kevin Durant Shoes For Sale Kate Spade Outlet Prada Handbags Chanel Outlet activity you ward off the enticement to
add up to 20-30% on few area in your patronage as rise up as
backend commissions. This present go for you unconfined transportation or a pass
water, all is not condom to make top quality easygoing, play from the quietus.
The key to

Poskan Komentar

Blog Dofolow , Tapi Tolong jangan nyepam dan ada kata kata yang tidak baik

Support : Abaut Us | Contact Us | Privacy Policy | Term of Use | Redaksi | Advertise | Lowongan Kerja | Forum | Tabloit | Mobile Version | Hy Hack Toolbar
Copyright © 2011. HY hack - All Rights Reserved Template Created by Heykhend
Published by Heykhend Corp. Developed by PT Heykhend Publik Media (HPM)