Re: shellcode -> asm?

From: Sean Zadig (seanzadigat_private)
Date: Thu Oct 24 2002 - 10:59:47 PDT


    Unless the shellcode is declared outside the scope of a function, like this:
    
    void getNum();
    char shellcode[] = "\x55\x8b...";
    int main(..)
    
    objdump and gdb won't pick up on the labels and it will be pretty difficult 
    to determine where your shellcode starts. Of course, I'm sort of a newbie to 
    this sort of thing, so if someone knows differently...
    
    I'm interested, what sort of project are you working on?
    
               -Sean
    -----
    Sean Zadig
    Student, UC Davis
    PGP Key ID: 0xDE44A79F
    7EE1 C80A A0C1 B224 45CE  F74B 5835 0115 DE44 A79F
    
    >From: "stallman" <stallmanat_private>
    >To: "peloy" <peloyat_private>
    >CC: "seanzadig" <seanzadigat_private>, "vuln-dev" <vuln-devat_private>
    >Subject: Re: shellcode -> asm?
    >Date: Thu, 24 Oct 2002 08:39:06 -0300
    >
    >Hi,
    >
    >If I don't have the source code, how can I discover the memory
    >address where the shellcode lives, to use with the '/i
    >memory_address' command?
    >
    >Regards,
    >
    >-Rafael
    >
    > > ---------- Mensagem original -----------
    > >
    > > De      : "Eloy A. Paris" <peloyat_private>
    > > Para    : Sean Zadig <seanzadigat_private>
    > > Cc      : vuln-devat_private
    > > Data    : Tue, 8 Oct 2002 16:19:25 -0400
    > > Assunto : Re: shellcode -> asm?
    > >
    > > Don't know if this is what you are looking for, but let's try an
    > > example:
    > >
    > > Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The
    > > shell code is in the char array "shellcode". To see the code:
    > >
    > > peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c
    > > peloy@canaima:~$ gdb ./apache-scalp
    > > GNU gdb 2002-08-18-cvs
    > > [...]
    > > (gdb) x /10i shellcode
    > > 0x804ac20 <shellcode>:  mov    %esp,%edx
    > > 0x804ac22 <shellcode+2>:        sub    $0x10,%esp
    > > 0x804ac25 <shellcode+5>:        push   $0x10
    > > 0x804ac27 <shellcode+7>:        push   %esp
    > > 0x804ac28 <shellcode+8>:        push   %edx
    > > 0x804ac29 <shellcode+9>:        push   $0x0
    > > 0x804ac2b <shellcode+11>:       push   $0x0
    > > 0x804ac2d <shellcode+13>:       mov    $0x1f,%eax
    > > 0x804ac32 <shellcode+18>:       int    $0x80
    > > 0x804ac34 <shellcode+20>:       cmpb   $0x2,0x1(%edx)
    > > (gdb)
    > >
    > > The 'x' gdb command is your friend. It allows you to see anything the
    > > way you want (instructions, bytes, words, strings, etc.) If you don't
    > > have the source code you still use the 'x' command and give it '/i
    > > memory_address' where memory_address is the place where the shell code
    > > lives.
    > >
    > > Cheers,
    > >
    > > Eloy.-
    > >
    > > On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:
    > > > Hi,
    > > > I'm doing some research into creating variants of common attacks, but I ran
    > > > into a problem of sorts. For most of the attacks I have, the shellcode
    > > > consists of the overflow and the actual malicious code that is run. I want
    > > > to be able to isolate the overflow from the rest of the shellcode and use
    > > > that to create attack variants. Problem is, I don't know where one ends and
    > > > the other begins! I figure if I turn the hex-encoded shellcode back into
    > > > assembly code, I could probably figure it out. I'm familiar with how to do
    > > > the reverse in gdb, but is it possible to do what I want? To restate:
    > > > shellcode -> asm is what I need. If this is a simple thing, my apologies -
    > > > but the security-basics list rejected my post =)
    > > >   -Sean Zadig
    > > >
    > > > -----
    > > > Sean Zadig
    > > > Student, UC Davis
    > > > PGP Key ID: 0xDE44A79F
    > > > 7EE1 C80A A0C1 B224 45CE  F74B 5835 0115 DE44 A79F
    > > >
    > > >
    > >
    > >
    
    
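The problem raised in the quoted thread, telling the overflow part of a hex-encoded payload apart from the code that gdb's x/i disassembles, as an added Python example that is not part of this thread: it parses a C-style "\x.." string, labels NOP-sled, repeated-word filler and code spans heuristically, and builds the gdb x command for each span. The sample bytes are hand-assembled from the ten instructions in the listing above plus a made-up return address; the heuristic and its thresholds are assumptions, not anything from the thread.

```python
import re

# Parse the body of a C string literal such as "\x90\x90/bin/sh" into bytes;
# literal (non-escaped) ASCII characters are kept as their byte values.
def parse_c_hex_string(literal: str) -> bytes:
    out = bytearray()
    for esc, plain in re.findall(r'\\x([0-9a-fA-F]{2})|(.)', literal, re.S):
        out.append(int(esc, 16) if esc else ord(plain))
    return bytes(out)

def _merge(regions):
    # Collapse adjacent spans of the same kind into one span.
    merged = []
    for kind, a, b in regions:
        if merged and merged[-1][0] == kind and merged[-1][2] == a:
            merged[-1] = (kind, merged[-1][1], b)
        else:
            merged.append((kind, a, b))
    return merged

def segment_payload(buf: bytes, min_run: int = 8):
    """Heuristically split a payload into (kind, start, end) spans: 'nop_sled'
    (run of 0x90), 'filler:<hex>' (one 4-byte word repeated back to back, e.g.
    a sprayed return address or 'AAAA' padding) or 'code' (everything else)."""
    regions, i, n = [], 0, len(buf)
    while i < n:
        j = i
        while j < n and buf[j] == 0x90:
            j += 1
        if j - i >= min_run:                      # long enough to be a sled
            regions.append(("nop_sled", i, j)); i = j; continue
        word, j = buf[i:i + 4], i + 4
        while len(word) == 4 and j + 4 <= n and buf[j:j + 4] == word:
            j += 4
        if len(word) == 4 and j - i >= min_run:   # same word repeated
            regions.append(("filler:" + word.hex(), i, j)); i = j; continue
        regions.append(("code", i, i + 1)); i += 1   # merged into one span below
    return _merge(regions)

def gdb_examine(symbol: str, start: int, end: int) -> str:
    # gdb 'x' command dumping exactly this span (e.g. x/24xb shellcode+16);
    # the 'code' span is the one to disassemble with x/Ni at the same address.
    return f"x/{end - start}xb {symbol}+{start}"

# Constructed sample: 16-byte NOP sled, then the first ten instructions of the
# listing above hand-assembled (89 e2 = mov %esp,%edx, 83 ec 10 = sub $0x10,%esp,
# ...), then a made-up return address 0xbffffb10 repeated four times.
SAMPLE_CODE = bytes.fromhex("89e2 83ec10 6a10 54 52 6a00 6a00 b81f000000 cd80 807a0102")
SAMPLE_PAYLOAD = b"\x90" * 16 + SAMPLE_CODE + b"\x10\xfb\xff\xbf" * 4
```

Running segment_payload over a real payload gives the offsets at which the sled, the filler and the code begin, so the code span can be fed to gdb as x/Ni symbol+offset even when no symbol marks its start.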



    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 12:06:28 PDT