Unless the shellcode is declared outside the scope of a function, like this:

    void getNum();
    char shellcode[] = "\x55\x8b...";
    int main(..)

objdump and gdb won't pick up on the labels and it will be pretty difficult to determine where your shellcode starts. Of course, I'm sort of a newbie to this sort of thing, so if someone knows differently...

I'm interested, what sort of project are you working on?

-Sean

-----
Sean Zadig
Student, UC Davis
PGP Key ID: 0xDE44A79F
7EE1 C80A A0C1 B224 45CE F74B 5835 0115 DE44 A79F

>From: "stallman" <stallmanat_private>
>To: "peloy" <peloyat_private>
>CC: "seanzadig" <seanzadigat_private>, "vuln-dev" <vuln-devat_private>
>Subject: Re: shellcode -> asm?
>Date: Thu, 24 Oct 2002 08:39:06 -0300
>
>Hi,
>
>If I don't have the source code, how can I discover the memory
>address where the shellcode lives, to use with the '/i
>memory_address' command?
>
>Regards,
>
>-Rafael
>
>
> ---------- Original message -----------
> > From : "Eloy A. Paris" <peloyat_private>
> > To : Sean Zadig <seanzadigat_private>
> > Cc : vuln-devat_private
> > Date : Tue, 8 Oct 2002 16:19:25 -0400
> > Subject : Re: shellcode -> asm?
> >
> > Don't know if this is what you are looking for, but let's try an
> > example:
> >
> > Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The
> > shell code is in the char array "shellcode". To see the code:
> >
> > peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c
> > peloy@canaima:~$ gdb ./apache-scalp
> > GNU gdb 2002-08-18-cvs
> > [...]
> > (gdb) x /10i shellcode
> > 0x804ac20 <shellcode>:       mov    %esp,%edx
> > 0x804ac22 <shellcode+2>:     sub    $0x10,%esp
> > 0x804ac25 <shellcode+5>:     push   $0x10
> > 0x804ac27 <shellcode+7>:     push   %esp
> > 0x804ac28 <shellcode+8>:     push   %edx
> > 0x804ac29 <shellcode+9>:     push   $0x0
> > 0x804ac2b <shellcode+11>:    push   $0x0
> > 0x804ac2d <shellcode+13>:    mov    $0x1f,%eax
> > 0x804ac32 <shellcode+18>:    int    $0x80
> > 0x804ac34 <shellcode+20>:    cmpb   $0x2,0x1(%edx)
> > (gdb)
> >
> > The 'x' gdb command is your friend. It allows you to see anything the
> > way you want (instructions, bytes, words, strings, etc.) If you don't
> > have the source code you still use the 'x' command and give it '/i
> > memory_address' where memory_address is the place where the shell code
> > lives.
> >
> > Cheers,
> >
> > Eloy.-
> >
> > On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:
> > > Hi,
> > > I'm doing some research into creating variants of common attacks, but I ran
> > > into a problem of sorts. For most of the attacks I have, the shellcode
> > > consists of the overflow and the actual malicious code that is run. I want
> > > to be able to isolate the overflow from the rest of the shellcode and use
> > > that to create attack variants. Problem is, I don't know where one ends and
> > > the other begins! I figure if I turn the hex-encoded shellcode back into
> > > assembly code, I could probably figure it out. I'm familiar with how to do
> > > the reverse in gdb, but is it possible to do what I want? To restate:
> > > shellcode -> asm is what I need. If this is a simple thing, my apologies -
> > > but the security-basics list rejected my post =)
> > > -Sean Zadig
> > >
> > > -----
> > > Sean Zadig
> > > Student, UC Davis
> > > PGP Key ID: 0xDE44A79F
> > > 7EE1 C80A A0C1 B224 45CE F74B 5835 0115 DE44 A79F
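The thread's two practical questions are how to get from the C-style "\x55\x8b..." string back to instructions, and how to find where those bytes sit when there is no symbol to hand to gdb's `x /i`. The following is an added example written for this archive page, not code from the thread or from any of its participants. It decodes a C string literal into raw bytes, searches a binary blob for that byte pattern (the analyst's substitute for a missing `shellcode` symbol), and hands the bytes to objdump's raw-binary mode (`objdump -D -b binary -m i386`, a real objdump feature) when objdump is installed. The sample bytes and the padded "binary" are constructed for the demonstration; the function names are mine.

```python
import re
import shutil
import subprocess
import tempfile

# Constructed sample, not taken from the thread: a push/mov prologue followed
# by a BSD-style "mov $0x1f,%eax; int $0x80" syscall stub, spelled the way a
# C source would spell the array (two adjacent string pieces).
SAMPLE_C_SHELLCODE = r'"\x55\x89\xe5" "\xb8\x1f\x00\x00\x00\xcd\x80"'

# Non-numeric C escapes; \xHH and octal \NNN are handled separately below.
_SIMPLE_ESCAPES = {
    'n': 0x0a, 't': 0x09, 'r': 0x0d, 'a': 0x07, 'b': 0x08, 'f': 0x0c,
    'v': 0x0b, '\\': 0x5c, '"': 0x22, "'": 0x27, '?': 0x3f,
}


def c_string_to_bytes(literal: str) -> bytes:
    """Decode a C string literal (one or more adjacent "..." pieces, or a
    bare run of escapes) into the bytes the compiler would place in .data."""
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', literal, re.S) or [literal]
    out = bytearray()
    for piece in pieces:
        i = 0
        while i < len(piece):
            ch = piece[i]
            if ch != '\\':
                out += ch.encode('latin-1')      # raises on non-byte chars
                i += 1
                continue
            if i + 1 >= len(piece):
                raise ValueError("dangling backslash")
            nxt = piece[i + 1]
            if nxt == 'x':                        # \xHH
                m = re.match(r'[0-9a-fA-F]{1,2}', piece[i + 2:])
                if not m:
                    raise ValueError("\\x with no hex digits")
                out.append(int(m.group(0), 16))
                i += 2 + len(m.group(0))
            elif nxt in '01234567':               # \NNN octal, \0 included
                m = re.match(r'[0-7]{1,3}', piece[i + 1:])
                out.append(int(m.group(0), 8) & 0xff)
                i += 1 + len(m.group(0))
            elif nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
            else:
                raise ValueError(f"unsupported escape \\{nxt}")
    return bytes(out)


def find_offsets(blob: bytes, pattern: bytes) -> list:
    """Every offset at which `pattern` occurs in `blob` (overlaps included).
    This is the symbol-less way to learn where the array landed in a file."""
    if not pattern:
        return []
    offsets, pos = [], blob.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(pattern, pos + 1)
    return offsets


def disassemble(code: bytes, arch: str = 'i386'):
    """Disassemble raw bytes with objdump's binary-blob mode. Returns None
    when objdump is unavailable so the caller can fall back to gdb's x /i."""
    if shutil.which('objdump') is None:
        return None
    with tempfile.NamedTemporaryFile(suffix='.bin') as f:
        f.write(code)
        f.flush()
        res = subprocess.run(
            ['objdump', '-D', '-b', 'binary', '-m', arch, f.name],
            capture_output=True, text=True, check=False)
    return res.stdout if res.returncode == 0 else None


def locate_and_disassemble(blob: bytes, literal: str):
    """Decode the C literal, report where it sits in `blob`, and return
    (offsets, disassembly-or-None)."""
    code = c_string_to_bytes(literal)
    return find_offsets(blob, code), disassemble(code)


if __name__ == '__main__':
    # Constructed stand-in for a compiled binary: padding around the stub.
    blob = b'\x00' * 16 + c_string_to_bytes(SAMPLE_C_SHELLCODE) + b'\xff' * 8
    offsets, listing = locate_and_disassemble(blob, SAMPLE_C_SHELLCODE)
    print('shellcode bytes found at offsets:', offsets)
    print(listing if listing else 'objdump not found; use gdb: x /10i <addr>')
```

The offset reported by `find_offsets` is a file offset; to turn it into the address gdb wants you still add the load address of the section it lands in, which is why the byte search is a way to locate the array, not a replacement for reading the binary's headers. A pattern that occurs more than once is reported at every position so a short or padding-heavy stub is not silently misattributed.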
This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 12:06:28 PDT