,
Headlines News :
Home » , » Learn To Make Shellcode (I): Local Exploit Shellcode

Learn To Make Shellcode (I): Local Exploit Shellcode

Written By Unknown on Kamis, 17 Januari 2013 | 15.19

Often the shellcode exploit source code is visible in the shape of string of hexa codes. Exactly what is a shellcode and what the meaning behind the hexa codes? In this article I will explain about the shellcode and we will also practice learn to make your own shellcode.

Shellcode, Exploit and Vulnerability

Shellcode, exploit and vulnerability are 3 siblings. All started from keteledoran the programmer so that the program contains a vulnerability that could exploit to make the program run any code a hacker wants (arbitrary code execution), this code is known as a shellcode.

Under normal conditions, the program followed the instructions made by the creators (programmers). A Hacker could make a program to follow his orders and ignore the command creator by mengexploit vulnerability resulting in arbitrary code execution



Why called shellcode? When a hacker could make the program execute any code he wants, then the code is chosen? The best option is the code that gives her the shell so he could give another command that he would freely. Therefore, code that is called shell-code.
When likened to misile: exploit is misilnya, whereas the shellcode is a warhead that could be filled with anything like the explosives, nuclear, chemical weapons or biological weapons up to the attacker desires.
Although generally shellcode give shell, shellcode does not always give the shell. Attacker is free to determine what code will be executed in the victim's computer. Shellcode can do anything ranging from deleting files, format the hard drive, transmit data, install a new program and so it's up to attacker desires.

Arbitrary Code Execution

Arbitrary code execution is a condition in which the attacker can arbitrary code injecting/instruction into a process that is currently running, and then the code is executed. The injected Code is known as a shellcode. Code in the shellcode is in the form of machine language opcode or. Usually this opcode is not rendered in the binary value because it will be very long, but wear a more compact hexa value.

Between Code and Data

The actual code is also data whose contents is an instruction that can be executed. In memory, internally, the data and the code does not make any difference because both are merely strings of symbols 1 and 0.

I give you an example simple: Whether the value 50 hexa or binary 01010000 in a memory location is code or data?

  • When 50 hexa is considered the data is of type character, then it is the ascii code for the letter ' P '. 
  • When 50 hexa is considered a code, then it is an instruction PUSH EAX (in 32-bit mode) or PUSH AX (in 16-bit mode).

So too with the string "ABCD", can be considered to be data or code, see the example below:
1
2
3
4
5
6
7
8
9
10
11
12
$ perl -e 'print "ABCD"'|xxd
0000000: 4142 4344                                ABCD
$ perl -e 'print "ABCD"'|ndisasm -b 16 -
00000000  41                inc cx
00000001  42                inc dx
00000002  43                inc bx
00000003  44                inc sp
$ perl -e 'print "ABCD"'|ndisasm -b 32 -
00000000  41                inc ecx
00000001  42                inc edx
00000002  43                inc ebx
00000003  44                inc esp

In the above example ABCD internally stored as 0 × 41, 0 × 42 × 0, 0 × 43 and 44, the ASCII code of the character ' A ', ' B ', ' C ', 'd ' (see the 2nd line). However, the same data can also be considered as a code 16 bit or 32 bit as on the 4th line s/d to-7 to 16-bit code and line to-9 s/d to-12 for 32-bit code.

Now the question is when a data is treated as data and when treated as code? The answer is when the data designated by the instruction pointer, or program counter that there are usually on the register EIP (IP on 16-bit systems), then the data in the location that is the code that will be executed

Any Data that is in the memory location address is stored on the EIP will be treated as code.
As a demonstration, the small program below shows that a data could also be considered as a code when appointed by the EIP

1
2
3
4
5
6
7
#include <stdio.h>
char str[] = "ABCHIJK\xc3";
int main(void) {
        printf("%s\n",str); // str as argument of printf()
        ((void (*)(void))str)(); // str()
        return 0;
}
$ gcc codedata.c -o codedata
$ ./codedata
ABCHIJKÃ
It's an interesting little program from above, i.e. on the variable str that contains strings encoded ASCII characters plus ABCHIJK 0xc3. On the fourth line, the variable str is used as the argument to the function printf (), in this case means str considered data. While in the 5th row, str is called as a function, in this case the str is considered code. Note that str pointer type is true to char, but can be invoked as a function having been originally cast to pointer to function with (void (*) (void)).

In the example above we execute the code that is in the variable str, means we execute the code in the data area (not the area code). Now many Kernel that implements protection so that we can not execute code that is not located in an area of memory that is specific to the code. In windows environments, known as Data Execution Prevention, and in Linux is also known as the Exec-Shield.

In order for the example in this article to work, you must turn off the Exec-Shield:
echo "0" >/proc/sys/kernel/exec-shield


Look at the image below. The image is the result of disassemble with gdb. Seen that str is located at location 0 × 8049590. On <main+24> there are instructions CALL the printf () function calls with str (0 × 8049590) as an argument of the function. In this case means str considered data of type string. But at <main+34> there is a CALL instruction to the location of str, this means the program will jump (jump) to the location of str and execute the instruction in location str. in this case means str considered code. Note also that I added str in \xc3 at the end of str because \xc3 is the opcode instruction RET so the program will return to the main functions the main functions and continue until finished.
strascodeanddata
Begin Creating A Shellcode

The actual contents of the variable str on the program above is a shellcode, so actually we've managed to create the first shellcode. Congratulations! However the shellcode we make doesn't do anything meaningful because its contents only INC and DEC then RET. However these examples from at least we already understand that shellcode is nothing but strings, i.e. a collection of characters that is also a machine language instruction opcode.

Now we will start making shellcode that actually spawn a shell. In a previous article about learning assembly I already describing how to call the system call interrupt with hexa 80. The Shellcode will be created containing instructions to call the system call. Note the source language C below that if executed will spawn a shell.

1
2
3
4
5
6
7
#include <sys/types.h>
#include <unistd.h>
int main(void) {
        char* args[] = {"/bin/sh",NULL};
        setreuid(0,0);
        execve("/bin/sh",args,NULL);
}

The above Program just calls the system call execve setreuid () and (). Shellcode which we will create will also do the same thing as the source above, the difference is only made in the assembly.

Setreuid () System Call

setreuid () is used to set the real and effective userID. This System call is essential for programs that have SUID bit, usually to drop the root privilege when it is not needed anymore. Therefore, we must restore the privilege prior to spawn a shell. The declaration system call setreuid () is:
int setreuid(uid_t ruid, uid_t euid);
ruid = real user id
euid = effective user id

Based on the Declaration of the system call, then register to be filled in before doing the interrupt are:

  • EAX: 0 × 50 or 70 (number of file system call unistd. h)
  • EBX: 0 × 0 (the first Parameter, i.e. real uid 0)
  • ECX: 0 × 0 (the second Parameter, an effective uid of 0)

Assembly pieces below are instructions to call the system call setreuid (0,0).
1
2
3
4
5
6
; setreuid(0,0)
xor eax,eax
mov al,0x46 ; EAX = 0x46
xor ebx,ebx  ; EBX = 0
xor ecx,ecx  ; ECX = 0
int 0x80

System Call execve()
Execve system call is to execute an executable. All data, variable, heap, stack, etc belong to processes that call execve will disappear and be replaced with a new program that is being executed. But the processID, and open file handles (including stdin, stdout, stderr) passed on to the new program is executed. The Declaration of the execve system call is as below:
 
int execve(const char *filename, char *const argv[],char *const envp[]);
 
 

There are 3 arguments are required, but we will only use 2 arguments. The argument envp we fill with NULL because we don't need a variable environment. Based on the Declaration of the system call, then register to be filled before you call interrupt are:

  • EAX: 0xb or 11 (the system call number) 
  • EBX: address of the string "/bin/sh" 
  • ECX: address the array of string, {"/bin/sh", NULL} 
  • EDX: 0 as a NULL envp filled.
Assembly pieces below calling system call execve to execute/bin/sh.

read the continuation :
Anda sedang membaca artikel tentang Learn To Make Shellcode (I): Local Exploit Shellcode dan anda bisa menemukan artikel Learn To Make Shellcode (I): Local Exploit Shellcode ini dengan url http://hy-hack.blogspot.com/2013/01/learn-to-make-shellcode-i-local-exploit.html,Dilarang menduplikat artikel ini Learn To Make Shellcode (I): Local Exploit Shellcode jika sangat bermanfaat hanya boleh sebagai artikel refrensi atau harus mengulas nya dengan bahasa / kalimat yang berbeda dan memberi link ini : Learn To Make Shellcode (I): Local Exploit Shellcode


Artikel Terkait:

Share this post :

+ komentar + 37 komentar

Anonim
4 Juni 2014 pukul 00.04

It's going to be end of mine day, but before ending I am reading this
great post to increase my experience.

Check out my homepage ... cambogia garcinia weight loss

Anonim
12 Juni 2014 pukul 07.55

I blog quite often and Ӏ genuinely appreciate yoսr information. This article hɑs really peaked my interest.
I'm going to book mark your website and keep cɦeckinng foг new details about once
pper week. I subscribed to ʏour Feeԁ tοo.

My ɦomeрage: best SEO company 2013

Anonim
8 September 2014 pukul 04.22

Hi everyone, it's my first pay a quick visit at this site, and article is really fruitful designed
for me, keep up posting such articles or reviews.



Feel free to surf to my blog - free microsoft points codes

27 April 2018 pukul 00.42

My partner and I absolutely love your blog and find many of your post’s to be exactly what I’m looking for.
resep donat empuk
cara membuat sosis
cara membuat gulali
mesin es serut
fungsi manajemen
resep donat empuk
thanks

27 September 2018 pukul 05.12

العديد من النساء ليس لديهن الوقت لتنظيف منزلهن ، لذلك يتعين عليهن التعامل مع شركة تنظيف متخصصة ، حيث شركة تنظيف كنب عجمان

شركة الصفا للتنظيف
افضل شركة تنظيف بعجمان
يعتبر التنظيف الكامل لجميع الأدوات المنزلية في المنزل شركة تنظيف بعجمان

هي واحدة من أكبر شركات تنظيف بالبخار في عجمان ، تقدم لعملائها مزايا وخدمات
لتنظيف جميع المنازل والبيوت وتحتوي على أحدث الأدوات ومعدات التعقيم لترتيب العديد من الغرف في المنازل ، لأنها تعمل على تنظيف المنازل من الغبار داخلها وإزالتها بشكل دائم.
أهم الخدمات والمزايا التي يقدمها الصفا هي خدمات التنظيف في عجمان
شركة تنظيف في عجمان
واحدة من شركات التنظيف الرائدة ، تقدم العديد من الخدمات والمزايا ، هي شركة تنظيف بالبخار في عجمان
يتم تقديم جميع هذه الخدمات بأسعار تنافسية لجميع الشركات الأخرى. اليوم نقدم لك جميع خدمات ومزايا شركة تنظيف منازل بعجمان
شركة تنظيف سجاد في عجمان
.العديد من الخدمات والأسعار رخيصة جدا وبسبب السعر الرائع فهي تجتذب العديد من العملاء ، شركة تنظيف شقق بعجمان
مع تخفيضات تصل إلى 50٪ على تكاليف التنظيف في الشركات الأخرى العاملة في هذا المجال.
• تمتلك شركة تنظيف الفلل في عجمان
العديد من الأساليب الحديثة ، ولديها فريق ماهر في مجال التنظيف ، لا تستخدم أحد العمال فقط للحصول على شهادة ISO الدولية في مجال التنظيف ولديها خبرة لا تقل عن خمس سنوات ، وهي متاحة في التوظيف في شركة تنظيف مباني بعجمان

خبرة ودقة في الأداء والعمل حتى تكون واحدة من أكبر الشركات المتخصصة في هذا المجال.

Anonim
30 Maret 2022 pukul 14.38

Learn To Make Shellcode (I): Local Exploit Shellcode >>>>> Download Now

>>>>> Download Full

Learn To Make Shellcode (I): Local Exploit Shellcode >>>>> Download LINK

>>>>> Download Now

Learn To Make Shellcode (I): Local Exploit Shellcode >>>>> Download Full

>>>>> Download LINK

25 Oktober 2022 pukul 13.54

Congratulations on your article, it was very helpful and successful. 9e6829aa5ca03ecfbc353706e82217ab
website kurma
sms onay
numara onay

29 Oktober 2022 pukul 01.46

Thank you for your explanation, very good content. b0497b6761a3f34a677da80d39c02be4
define dedektörü

16 November 2022 pukul 16.10

Thanks for your article. fb98f21b352e60778bb0c3207a0f1357
evden iş imkanı

murat
18 Desember 2022 pukul 09.52

instagram takipçi satın al
casino siteleri
sms onay
6ADNZZ

28 Desember 2022 pukul 21.50

Good content. You write beautiful things.
vbet
mrbahis
taksi
mrbahis
sportsbet
hacklink
vbet
sportsbet
hacklink

8 Maret 2023 pukul 02.30

<a href="https://coinhesapacma.com.tr/%22%3Ecoin hesap acma</a>

mehmet
1 Agustus 2023 pukul 20.58

mersin
zonguldak
afyon
kocaeli
kayseri

JNQ5

Evran
1 Oktober 2023 pukul 10.42

Gümüşhane
Karaman
Kocaeli
Sakarya
Samsun
XQSLDD

Çisil1
4 Oktober 2023 pukul 08.02

van
kastamonu
elazığ
tokat
sakarya
M5İ8

Posting Komentar

Blog Dofolow , Tapi Tolong jangan nyepam dan ada kata kata yang tidak baik

 
Support : Abaut Us | Contact Us | Privacy Policy | Term of Use | Redaksi | Advertise | Lowongan Kerja | Forum | Tabloit | Mobile Version | Hy Hack Toolbar
Copyright © 2011. HY hack - All Rights Reserved Template Created by Heykhend
Published by Heykhend Corp. Developed by PT Heykhend Publik Media (HPM)