{"id":3293,"date":"2021-07-09T17:20:01","date_gmt":"2021-07-09T15:20:01","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3293"},"modified":"2025-03-21T09:49:57","modified_gmt":"2025-03-21T08:49:57","slug":"shellcode","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3293","title":{"rendered":"Shellcode"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=356\" data-type=\"post\" data-id=\"356\">See also the Buffer Over\u00adflow&nbsp;post<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Execute shellcode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You have shell\u00adcode. You want to run it to ana\u00adlyze it in a debugger.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">On Windows<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>#include &lt;windows.h&gt;\n\nchar shellcode[] = \"\\xcc$hereTheShellcode\"; \/\/ \\xcc =&gt; breakpoint\n\nvoid main(int argc, char **argv) {\n\tDWORD oldprot;\n\tVirtualProtect(shellcode, sizeof(shellcode), 0x40, &amp;oldprot);\n\tvoid (*func)();\n\tfunc = (void (*)()) shellcode;\n\t(*func)();\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Add the shell\u00adcode after the break\u00adpoint&nbsp;with<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">i686-w64-mingw32-cc s.c -o s.exe<br>x86_64-w64-mingw32-cc s.c -o s.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">and run it in a debugger.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">On Linux<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>#include &lt;sys\/mman.h&gt;\n\nchar shellcode[] = \"\\xcc%hereTheShellcode\"; \/\/ For debugging, prepend with \\xcc\n\nvoid main(int argc, char **argv) {\n\tunsigned long sh_addr = (unsigned long)shellcode;\n\t\/\/ Address for mprotect must be aligned\n\tunsigned long b_addr = sh_addr &amp; 0xfffffffffffff000;\n\tunsigned long size = (sh_addr - b_addr) + sizeof(shellcode);\n\tmprotect((void*)b_addr, size, PROT_READ|PROT_WRITE|PROT_EXEC);\n\tvoid (*func)();\n\tfunc = (void (*)()) shellcode;\n\t(*func)();\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Add the shell\u00adcode after the break\u00adpoint with <code>gcc [-m32] s.c<\/code> and run it in a debugger.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Write shellcode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This x86 shell\u00adcode calls the <a href=\"https:\/\/man7.org\/linux\/man-pages\/man2\/setreuid.2.html\">setreuid() syscall<\/a> with argu\u00adment 0 so that the process runs as <span class=\"caps\">UID<\/span> 0 again. (Assum\u00ading that the pro\u00adgram was orig\u00adi\u00adnal\u00adly start\u00aded with <span class=\"caps\">UID<\/span> 0 and dropped the priv\u00adi\u00adleges before our&nbsp;call.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. Cre\u00adate the assem\u00adbly file <em>a.asm<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>BITS 32 ; set architecture\nmov eax, 0x00\nmov ebx, 0x00\nmov ecx, 0x00\nmov edx, 0x00\nmov eax, 0x46\nint 0x80<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">2. Trans\u00adlate it into an sta\u00adt\u00adic object file.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>nasm a.asm<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">3. Inspect the gen\u00ader\u00adat\u00aded machine code.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>xxd -ps a\n66b80000000066bb0000000066b90000000066ba0000000066b846000000<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If you should need a hex rep\u00adre\u00adsen\u00adta\u00adtion with \\x, use&nbsp;this:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>echo 66b800 | sed -e 's\/..\/\\\\x&amp;\/g'\n\\x66\\xb8\\x00<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">4. The pre\u00advi\u00adous code con\u00adtained mul\u00adti\u00adple null bytes. This is bad, because most input meth\u00adods like <code>sprintf()<\/code> will ter\u00admi\u00adnate at the null byte. There\u00adfore, we have to set the argu\u00adment reg\u00adis\u00adters with\u00adout using a null byte in our shell\u00adcode. Using <code>a xor a<\/code> to cre\u00adate a null val\u00adue with\u00adout using a null byte, we got a new shellcode:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>BITS 32 ; set architecture\nxor eax, eax\nxor ebx, ebx\nxor ecx, ecx\nxor edx, edx\nmov eax, 0x46\nint 0x80<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>See also the Buffer Over\u00adflow&nbsp;post Exe\u00adcute shell\u00adcode Sce\u00adnario: You have shell\u00adcode. You want to run it to ana\u00adlyze it in a debug\u00adger. On Win\u00addows Add the shell\u00adcode after the break\u00adpoint&nbsp;with i686-w64-ming\u00adw32-cc s.c \u2011o s.exex86_64-w64-mingw32-cc s.c \u2011o s.exe and run it in a debug\u00adger. On Lin\u00adux Add the shell\u00adcode after the break\u00adpoint with gcc [-m32] s.c [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[355],"tags":[423,237,56,422],"class_list":["post-3293","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering","tag-assembly","tag-disassembler","tag-reverse-shell","tag-shellcode"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3293"}],"version-history":[{"count":7,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3293\/revisions"}],"predecessor-version":[{"id":4802,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3293\/revisions\/4802"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}