Re: shellcode -> asm?

From: stallman (stallmanat_private)
Date: Thu Oct 24 2002 - 04:39:06 PDT


    Hi,
    
    If I don't have the source code, how can I discover the memory 
    address where the shellcode lives, to use with the '/i 
    memory_address' command?
    
    Regards,
    
    -Rafael
    
    > ---------- Mensagem original -----------
    > 
    > De      : "Eloy A. Paris" <peloyat_private>
    > Para    : Sean Zadig <seanzadigat_private>
    > Cc      : vuln-devat_private
    > Data    : Tue, 8 Oct 2002 16:19:25 -0400
    > Assunto : Re: shellcode -> asm?
    > 
    > Don't know if this is what you are looking for, but let's try an
    > example:
    > 
    > Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The
    > shell code is in the char array "shellcode". To see the code:
    > 
    > peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c
    > peloy@canaima:~$ gdb ./apache-scalp
    > GNU gdb 2002-08-18-cvs
    > [...]
    > (gdb) x /10i shellcode
    > 0x804ac20 <shellcode>:  mov    %esp,%edx
    > 0x804ac22 <shellcode+2>:        sub    $0x10,%esp
    > 0x804ac25 <shellcode+5>:        push   $0x10
    > 0x804ac27 <shellcode+7>:        push   %esp
    > 0x804ac28 <shellcode+8>:        push   %edx
    > 0x804ac29 <shellcode+9>:        push   $0x0
    > 0x804ac2b <shellcode+11>:       push   $0x0
    > 0x804ac2d <shellcode+13>:       mov    $0x1f,%eax
    > 0x804ac32 <shellcode+18>:       int    $0x80
    > 0x804ac34 <shellcode+20>:       cmpb   $0x2,0x1(%edx)
    > (gdb)
    > 
    > The 'x' gdb command is your friend. It allows you to see anything the
    > way you want (instructions, bytes, words, strings, etc.) If you don't
    > have the source code you still use the 'x' command and give it '/i
    > memory_address' where memory_address is the place where the shell code
    > lives.
    > 
    > Cheers,
    > 
    > Eloy.-
    > 
    > On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:
    > > Hi,
    > > I'm doing some research into creating variants of common attacks, but I ran
    > > into a problem of sorts. For most of the attacks I have, the shellcode
    > > consists of the overflow and the actual malicious code that is run. I want
    > > to be able to isolate the overflow from the rest of the shellcode and use
    > > that to create attack variants. Problem is, I don't know where one ends and
    > > the other begins! I figure if I turn the hex-encoded shellcode back into
    > > assembly code, I could probably figure it out. I'm familiar with how to do
    > > the reverse in gdb, but is it possible to do what I want? To restate:
    > > shellcode -> asm is what I need. If this is a simple thing, my apologies -
    > > but the security-basics list rejected my post =)
    > >   -Sean Zadig
    > > 
    > > -----
    > > Sean Zadig
    > > Student, UC Davis
    > > PGP Key ID: 0xDE44A79F
    > > 7EE1 C80A A0C1 B224 45CE  F74B 5835 0115 DE44 A79F
    > > 
    > > 
    > 
    > 
    

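An added example, not part of the original thread: a small Python decoder that handles exactly the opcode forms in the gdb listing quoted above and prints them the way 'x/10i shellcode' does. The byte values in SAMPLE are my own reconstruction of that listing (the real apache-scalp bytes are not on this page); what the walk shows is that each instruction's encoded length, not the hex string itself, decides where one instruction ends and the next begins, which is the boundary Sean was asking about.

```python
import re

# Constructed sample: the ten instructions from the gdb listing above, re-encoded
# as the C-style "\x.." string an exploit source would carry. The byte values are
# my reconstruction; their lengths match the <shellcode+N> offsets gdb printed.
SAMPLE = (r"\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00"
          r"\xb8\x1f\x00\x00\x00\xcd\x80\x80\x7a\x01\x02")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_c_string(s):
    r"""Turn the body of a C literal such as "\x31\xc0" into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))

def decode_one(code, i):
    """Decode one instruction at offset i; return (length, AT&T text). Only the
    forms in the listing: 89 /r (reg,reg), 83 /5 ib, 6A ib, 50+r, B8+r id, CD ib,
    80 /7 ib with a disp8. Anything else is reported as (bad)."""
    op = code[i]
    if op == 0x89 and code[i + 1] >> 6 == 3:            # mov r32 -> r/m32
        m = code[i + 1]
        return 2, f"mov    %{REG32[(m >> 3) & 7]},%{REG32[m & 7]}"
    if op == 0x83 and (code[i + 1] >> 3) & 7 == 5:      # sub imm8, r/m32
        return 3, f"sub    $0x{code[i + 2]:x},%{REG32[code[i + 1] & 7]}"
    if op == 0x6A:                                      # push imm8
        return 2, f"push   $0x{code[i + 1]:x}"
    if 0x50 <= op <= 0x57:                              # push r32
        return 1, f"push   %{REG32[op - 0x50]}"
    if 0xB8 <= op <= 0xBF:                              # mov imm32, r32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return 5, f"mov    $0x{imm:x},%{REG32[op - 0xB8]}"
    if op == 0xCD:                                      # int imm8
        return 2, f"int    $0x{code[i + 1]:x}"
    if op == 0x80 and code[i + 1] >> 6 == 1 and (code[i + 1] >> 3) & 7 == 7:
        m, disp, imm = code[i + 1], code[i + 2], code[i + 3]   # cmpb imm8, disp8(reg)
        return 4, f"cmpb   $0x{imm:x},0x{disp:x}(%{REG32[m & 7]})"
    return 1, "(bad)"      # unknown opcode: consume one byte so the walk continues

def disassemble(code, base=0, label="shellcode"):
    """Walk the buffer one instruction at a time, emitting gdb 'x/i'-style lines."""
    out, i = [], 0
    while i < len(code):
        n, text = decode_one(code, i)
        off = f"+{i}" if i else ""
        out.append(f"0x{base + i:x} <{label}{off}>:\t{text}")
        i += n          # the decoded length is what locates the next boundary
    return out

if __name__ == "__main__":
    print("\n".join(disassemble(parse_c_string(SAMPLE), base=0x804ac20)))
```

Feeding it a different hex string from a saved sample reproduces the same kind of listing without compiling anything, which is the no-source case Rafael asks about; opcodes outside the handled subset show up as (bad) rather than being silently skipped.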


    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 09:59:47 PDT