Hi,

If I don't have the source code, how can I discover the memory address where the shellcode lives, to use with the '/i memory_address' command?

Regards,

-Rafael

> ---------- Original message -----------
>
> From: "Eloy A. Paris" <peloyat_private>
> To: Sean Zadig <seanzadigat_private>
> Cc: vuln-devat_private
> Date: Tue, 8 Oct 2002 16:19:25 -0400
> Subject: Re: shellcode -> asm?
>
> Don't know if this is what you are looking for, but let's try an
> example:
>
> Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The
> shell code is in the char array "shellcode". To see the code:
>
> peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c
> peloy@canaima:~$ gdb ./apache-scalp
> GNU gdb 2002-08-18-cvs
> [...]
> (gdb) x /10i shellcode
> 0x804ac20 <shellcode>:      mov    %esp,%edx
> 0x804ac22 <shellcode+2>:    sub    $0x10,%esp
> 0x804ac25 <shellcode+5>:    push   $0x10
> 0x804ac27 <shellcode+7>:    push   %esp
> 0x804ac28 <shellcode+8>:    push   %edx
> 0x804ac29 <shellcode+9>:    push   $0x0
> 0x804ac2b <shellcode+11>:   push   $0x0
> 0x804ac2d <shellcode+13>:   mov    $0x1f,%eax
> 0x804ac32 <shellcode+18>:   int    $0x80
> 0x804ac34 <shellcode+20>:   cmpb   $0x2,0x1(%edx)
> (gdb)
>
> The 'x' gdb command is your friend. It allows you to see anything the
> way you want (instructions, bytes, words, strings, etc.) If you don't
> have the source code you still use the 'x' command and give it '/i
> memory_address' where memory_address is the place where the shell code
> lives.
>
> Cheers,
>
> Eloy.-
>
> On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:
> > Hi,
> > I'm doing some research into creating variants of common attacks, but I ran
> > into a problem of sorts. For most of the attacks I have, the shell code
> > consists of the overflow and the actual malicious code that is run. I want
> > to be able to isolate the overflow from the rest of the shellcode and use
> > that to create attack variants. Problem is, I don't know where one ends and
> > the other begins!
> > I figure if I turn the hex-encoded shellcode back into
> > assembly code, I could probably figure it out. I'm familiar with how to do
> > the reverse in gdb, but is it possible to do what I want? To restate:
> > shellcode -> asm is what I need. If this is a simple thing, my apologies -
> > but the security-basics list rejected my post =)
> > -Sean Zadig
> >
> > -----
> > Sean Zadig
> > Student, UC Davis
> > PGP Key ID: 0xDE44A79F
> > 7EE1 C80A A0C1 B224 45CE F74B 5835 0115 DE44 A79F
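Rafael's question, as an added example that is not code from this thread: when no symbol names the shellcode, one way to get an address for `x /i` is to search a memory image (a core dump, or a region read out of the debugger) for the shellcode's own bytes, then hand the hit to gdb. The C-literal parser, the 0x0804a000 base and the zero-filled memory image are constructed assumptions; the shellcode bytes are my own encoding of the first instructions in Eloy's listing, not bytes taken from apache-scalp.c.

```python
import re

# Constructed sample in the form exploit sources keep their shellcode (a C
# string literal). The bytes are my own encoding of the first instructions
# in Eloy's gdb listing (mov %esp,%edx ... int $0x80): an assumption, not
# bytes copied from apache-scalp.c.
SHELLCODE_LITERAL = r'''
    "\x89\xe2"              /* mov  %esp,%edx */
    "\x83\xec\x10"          /* sub  $0x10,%esp */
    "\x6a\x10\x54\x52"      /* push $0x10; push %esp; push %edx */
    "\x6a\x00\x6a\x00"      /* push $0x0; push $0x0 */
    "\xb8\x1f\x00\x00\x00"  /* mov  $0x1f,%eax */
    "\xcd\x80"              /* int  $0x80 */
'''

def parse_c_shellcode(literal: str) -> bytes:
    """Collect the quoted pieces of a C string literal and resolve the
    \\xNN (and octal, \\n style) escapes into raw bytes. C comments are
    skipped because they sit outside the quotes."""
    body = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', literal))
    return body.encode("latin-1").decode("unicode_escape").encode("latin-1")

def find_shellcode(memory: bytes, base: int, pattern: bytes,
                   prefix_len: int = 8) -> list:
    """Return every address (base + offset) at which the first prefix_len
    bytes of pattern occur in memory. Matching only a prefix tolerates
    trailing bytes an exploit patches at run time (addresses, ports...)."""
    needle = pattern[:prefix_len]
    hits, start = [], 0
    while (i := memory.find(needle, start)) >= 0:
        hits.append(base + i)
        start = i + 1
    return hits

def gdb_command(address: int, count: int = 10) -> str:
    """Eloy's command with a numeric address in place of the symbol."""
    return f"x /{count}i 0x{address:x}"

def locate_sample() -> list:
    """Constructed memory image: a 4 KiB zero-filled page mapped at the
    assumed base 0x0804a000, with the shellcode copied to offset 0xc20."""
    shellcode = parse_c_shellcode(SHELLCODE_LITERAL)
    page = bytearray(0x1000)
    page[0xc20:0xc20 + len(shellcode)] = shellcode
    return find_shellcode(bytes(page), 0x0804a000, shellcode)

if __name__ == "__main__":
    for addr in locate_sample():
        print(f"candidate at 0x{addr:08x} -> (gdb) {gdb_command(addr)}")
```

With a real core file the same search runs over the dump's bytes, and the base comes from the segment's start address in the core's program headers.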
This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 09:59:47 PDT