In either case, you will generally find yourself without an assembly language
listing to tell you exactly what the shellcode does.

Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 9: Shellcode Strategies

Figure 9-8: Shellcode layout in a stack overflow

Alternatively, you may simply see a piece of code published as a blob of hex
bytes and wonder whether it does what it claims to do. Some security-related
mailing lists routinely see posted shellcode claiming to perform something
useful, when in fact it performs some malicious action. Regardless of your
reason for wanting to disassemble a piece of shellcode, it is a relatively easy
process given only a compiler and a debugger. Borrowing the Aleph1 shellcode
used in Chapters 7 and 8, we create the simple program that follows as
shellcode.c:
char shellcode[] =
/* the Aleph One shellcode */
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main() {}
Compiling this code will cause the shellcode hex blob to be encoded as binary, which
we can observe in a debugger as shown here:
# gcc -o shellcode shellcode.
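
A static cross-check that needs no debugger, as an added example (not code from the book): a deliberately minimal linear-sweep decoder that handles only the instruction forms present in the Aleph One blob above, tracks constant register values, and names the i386 Linux system call made at each int 0x80. The function names and the small syscall table are this example's own; any opcode outside that subset stops the sweep and the remaining bytes are returned as data.

```python
import re

# Bytes copied from shellcode.c on this page, kept as C string-literal text.
C_LITERAL = r'''
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"
'''
SYSCALLS = {1: "exit", 11: "execve", 23: "setuid"}  # i386 Linux numbers used here

def literal_to_bytes(text):
    """Convert C string-literal text (hex escapes and plain characters) to bytes."""
    body = "".join(re.findall(r'"([^"]*)"', text)).encode("latin-1")
    return re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), body)

def trace_syscalls(code):
    """Linear sweep tracking known register constants; stops at any other opcode."""
    regs, hits, i = [None] * 8, [], 0      # index: eax ecx edx ebx esp ebp esi edi
    while i < len(code):
        op = code[i]
        if op == 0xCD and code[i + 1:i + 2] == b"\x80":    # int 0x80: record eax
            hits.append((i, regs[0]))
            i += 2
        elif op == 0xB0 and i + 1 < len(code):              # mov al, imm8
            regs[0] = None if regs[0] is None else (regs[0] & ~0xFF) | code[i + 1]
            i += 2
        elif 0x40 <= op <= 0x47 or 0x58 <= op <= 0x5F:      # inc r32 / pop r32
            known = op < 0x48 and regs[op & 7] is not None  # a popped value is unknown
            regs[op & 7] = (regs[op & 7] + 1) & 0xFFFFFFFF if known else None
            i += 1
        elif op in (0xEB, 0xE8):                            # jmp rel8 / call rel32
            i += 2 if op == 0xEB else 5                     # branches are not followed
        elif op in (0x31, 0x88, 0x89, 0x8D) and i + 1 < len(code):
            mod, reg, rm = code[i + 1] >> 6, (code[i + 1] >> 3) & 7, code[i + 1] & 7
            if mod == 3 and op in (0x31, 0x89):             # xor / mov r32, r32
                regs[rm] = regs[reg] if op == 0x89 else (0 if reg == rm else None)
            elif mod == 1 and rm != 4:                      # [reg+disp8] memory operand
                regs[reg] = None if op == 0x8D else regs[reg]   # lea result unknown
            else:
                break
            i += 2 if mod == 3 else 3
        else:
            break
    return [(o, SYSCALLS.get(v, "unknown")) for o, v in hits], code[i:]

if __name__ == "__main__":
    print(trace_syscalls(literal_to_bytes(C_LITERAL)))
```

The sweep reports setuid, execve and exit in that order and leaves /bin/sh as undecoded trailing data, which is the behavior to confirm against the debugger's disassembly.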