Happy Hacking!

Hello, in this post I will explain how to use execve syscall in a shellcode using the stack technique, the purpose of this shellcode is the same as the last shellcode from the previous post. As I told you in that article, I’m currently studying SLAE certification, and this is a part of the great content of the course.

In this case, we are going to save the data in the stack before moving it to the registers. The data should be saved as multiple of four to get it from the stack using push method.

As you can see the string “/bin/bash” is not a multiple of 4, so we are going to change it to: “////bin/bash”.

The structure that is going to have the stack will be like this, from low memory to high memory:

ECX [////bin/bash address], EDX [0x00000000], EBX ["////bin/bash"], EAX [0x00000000] 

1) EAX register:

xor eax, eax
push eax

2) EBX will store the “////bin/bash” string. The first thing we need to do is to convert this string to hex, to do this we can use this tool that Vivek Ramachandran shows in the course:

#!/usr/bin/python

import sys
input = sys.argv[1]

print 'String length : ' +str(len(input))
stringList = [input[i:i+4] for i in range(0, len(input), 4)]

for item in stringList[::-1] :
	print item[::-1] + ' : ' + str(item[::-1].encode('hex'))

You can see in the image below how I used the script to convert the string to hex and put it in the inverse order.

To save this to the stack we need to do 3 pushes, and after we should save the top of the stack to ebx.

push 0x68736162
push 0x2f6e6962
push 0x2f2f2f2f
mov ebx, esp

3) A null to EDX

push eax
mov edx, esp

4) ECX needs to contain the address of the string

push ebx,
mov ecx, esp

5) Invoke the syscall

mov al, 11
int 0x80

This is the final Assembly code:

; Filename: execve-stack.nasm
; Author:  Vivek Ramachandran
; Website:  https://www.pentesteracademy.com
; Student: Xavi Bel

global _start			

section .text
_start:

	xor eax, eax
	push eax

	push 0x68736162
	push 0x2f6e6962
	push 0x2f2f2f2f

	mov ebx, esp

	push eax
	mov edx, esp

	push ebx,
	mov ecx, esp

	mov al, 11
	int 0x80

I hope this could be useful for someone. See you! 🙂

Following the last article content, we are going to pop a shell instead of printing Hello World in the screen. To do this we are going to use the Execve syscall. This syscall allows us to execute a new program within the shellcode.

Using man execve we can see what parameters does it need.

As you see in the man image, it needs 3 parameters:

• Parameter 1: Filename: “/bin/bash”, 0x0
• Parameter 2: Address of /bin/bash, 0x00000000
• Parameter 3: 0x00000000

If you followed the last post of this blog, you already know what is the JMP-CALL-POP technique. In this case we are going to use it, just to be clear I copy below just the part of the shellcode that is using that technique.

global _start			

section .text
_start:
	jmp short call_shellcode

shellcode:
	pop esi
        ...

call_shellcode:
	call shellcode	
	; A=0 B=address of /bin/bash C=0x00000000
	message db "/bin/bashABBBBCCCC"

Before continuing with the shellcode creation, I’m going to stop here, to remember some Assembly instructions that are going to be useful in this particular case.

mov eax, message ; move address into eax
mov eax, [message] ; move value into eax
mov dword [esi, +10], bl ; move from register into memory starting in position 10
; lea = load efective address = load pointer value
lea ebx, [esi]

Now that we already have a clear scheme of JMP-CALL-POP technique and we refreshed some Assembly instructions, let’s focus in understand how we are going to modify the message string to contain what we need.

We need to modify 3 parts, the A, the BBBB and the CCCC.

1) Convert A into 0x0

xor ebx, ebx
mov byte [esi +9], bl

2) Convert BBBB to address of “/bin/bash” = ESI

; mov dword because is an address
mov dword [esi +10], esi

3) Convert CCCC into 0x00000000

mov dword [esi +14], ebx

Now that we have our message string already prepared, we need to prepare EAX, EBX, ECX and EDX to be able to run execve syscall.

4) EBX must contain the filename

lea ebx, [esi]

5) ECX should be the address of /bin/bash

lea ecx, [esi +10]

6) EDX is null

lea edx, [esi +14]

7) EAX has to contain the syscall number. We can check it in this file:

So EAX needs to be 11, 0xb in hexadecimal

xor eax, eax
mov al, 0xb

The final thing is to invoke the syscall using 0x80. In this call we don’t need to use an exit syscall, it’s exlained in the man page of execve.

Here is the final code:

; Filename: execve.nasm
; Author:  Vivek Ramachandran
; Website:  https://www.pentesteracademy.com
; Student: Xavi Bel

global _start			

section .text
_start:
	jmp short call_shellcode

shellcode:
	pop esi

	xor ebx, ebx
	mov byte [esi +9], bl
	mov dword [esi +10], esi
	mov dword [esi +14], ebx

	lea ebx, [esi]
	lea ecx, [esi +10]
	lea edx, [esi +14]
	xor eax, eax
	mov al, 0xb
	int 0x80

call_shellcode:
	call shellcode	
	; A=0 B=address of /bin/bash C=0x00000000
	message db "/bin/bashABBBBCCCC"

We extract the shellcode using objdump with the beautiful greps and seds command:

objdump -d ./execve|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

We put the shellcode inside this little c program:

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x1a\x5e\x31\xdb\x88\x5e\x09\x89\x76\x0a\x89\x5e\x0e\x8d\x1e\x8d\x4e\x0a\x8d\x56\x0e\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43";

main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

And we compile it:

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

Finally, when we execute it, we are generating another /bin/bash process.

Doing a small modification of the code, when can use /bin/sh instead:

I hope you liked it. See you!

Currently I’m studying SLAE certification of Pentester Academy and I found a really interesting video that explained this technique. I’m going to follow the course instructions step by step and try to explain it here the best as I can. By the way, I totally recommend this course, everything is really well explained and the content is really good.

So, following the SLAE topics, in this second article related with Assembly I am going to explain how to develop a small shellcode that prints “Hello World!” in the screen. In the last blog post, I already showed you how to write a Hello World, but to convert this into a shellcode we have 2 restrictions:

1) We can not have any 0x00 instructions. This are null bytes and usually break our shellcode execution.

2) We can not use any hard coded addresses. Our code should be able to run in different computer and programs, and the addresses need to be generated dynamically.

We start from this code:

; HelloWorld.nasm
; Author:  Vivek Ramachandran
; Website:  https://www.pentesteracademy.com
; Student: Xavi Bel

global _start

section .text

_start:

	; write syscall
	mov eax, 0x4
	mov ebx, 0x1
	mov ecx, message
	mov edx, mlen
	int 0x80

	; exit syscall
	mov eax, 0x1
	mov ebx, 0x0
	int 0x80

section .data

	message: db "Hello World!"
	mlen equ $-message

So let’s check if our code contains any null values or hard coded addresses. To do this we can use objdump utility:

objdump -d HelloWorldShellcode -M intel

So we have both problems, we have a lot of null bytes and the memory address of the “Hello World!” string.

Let’s start removing the null bytes, to do that we need to modify all the mov instructions that generated null bytes to equivalent instructions.

The way to do this is the following:
When we use an xor operation between the same values, the result is always zero. There is another thing that we need to know, the register EAX, can be segmented in AH(High) and AL(Low), please watch the image below, So we can mov a 4 into AL.

So instead of:

mov eax, 0x4

We can do:

xor eax, eax
mov al, 0x4

We can repeat this process for all the mov instructions that generated a 0x00.

Once we do that, we need to fix the other problem, the hard coded address of the variable message. I will explain what we are going to do: first we are going to move the array declaration inside the data segment, after that we are going to create a jmp to a procedure named call_shellcode, this procedure will contain two lines, the first one is a call shellcode, and the second one is the message, so once the call shellcode instruction will be executed, the direction of message will be saved in ecx register and we fix the original problem.

So, being squematic, the code will have this structure:

jmp short call_shellcode

shellcode:
   ...
   ...
   pop ecx ; So now the memory address of message is saved in ecx
   ...
   ...

call_shellcode:
   call shellcode
   message: db "Hello World!", 0xA

Doing this we are going to fix the 2 problems and now our shellcode is going to work correctly.

Here is the final code:

; HelloWorldShellcode.nasm
; Author:  Vivek Ramachandran
; Website:  https://www.pentesteracademy.com
; Student: Xavi Bel

global _start

section .text

_start:
jmp short call_shellcode

shellcode:

	pop ecx;
	
	; write syscall
	xor eax, eax
	mov al, 0x4

	xor ebx, ebx
	mov bl, 0x1	

	
	mov edx, 13
	int 0x80

	; exit syscall
	xor eax, eax
	mov al, 0x1

	xor ebx, ebx

	int 0x80


call_shellcode:
	call shellcode
	message: db "Hello World!", 0xA

Now we can extract the instructions using objdump:

objdump -d ./HelloWorldShellcode|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

And we can verify, that we have not any null bytes.

Now using this small C program we can verify ir our shellcode works:

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x18\x59\x31\xc0\xb0\x04\x31\xdb\xb3\x01\xba\x0d\x00\x00\x00\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe3\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0a";

main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

We compile it using:

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

And it works!

I hope you liked the post, probably I’m going to write a new one soon. See you!

In this article I’m going to write a quick introduction to intel x86 assembly language. We are going to create a program, that is going to print a sentence in the screen.

Before starting programming, we need to know a couple of things, what is a system call, what is the instruction 0x80 and what are assembly registers.

• A system call, is a the programmatic way in which a computer program request a service from the kernel of the operating system it is executed on.
• Int 0x80 is the assembly language instruction that is used to invoke system calls in Linux on x86 (i.e., Intel-compatible) processors.
• Also we need to know what are assembly registers EAX, EBX, ECX, etc. A register store data elements for processing without having to access the memory, and all these are General Purpose registers.

In the image below, you can see the content of the file “/usr/include/i386-linux-gnu/asm/unistd_32.h” that contains all the linux 32 bits system calls.

We can see that the system call write is the number 4. To see in more detail what is this system call and how to use it, we can execute the command “man 2 write”.

This sytem call, needs 3 arguments. To set them to the value that we need, we just have to use the assembly registers:
EAX – 1st argument
EBX – 2nd argument
ECX – 3rd argument
EDX – 4th argument
ESI – 5th argument
EDI – 6th argument

So, lets write “Hello World!” using write syscall:

• EAX has to be 4, because write is the syscall number 4.
• EBX, needs to be 1, because we want to write to file descriptor 1, that is stdout.
• ECX needs to contain the message, in this case the variable message.
• EDX, needs to contain the length of message, that is 12.
  The last thing we need to do, is to use 0x80 to invoke the system call.

So this is the final code:

; write syscall
mov eax, 0x4
mov ebx, 0x1
mov ecx, message
mov edx, 12
int 0x80

And this will be the full program:

; HelloWorld.asm
; Author: Xavi Beltran

global _start

section .text

_start:

	; write syscall
	mov eax, 0x4
	mov ebx, 0x1
	mov ecx, message
	mov edx, mlen
	int 0x80

	; exit syscall
	mov eax, 0x1
	mov ebx, 0x0
	int 0x80

section .data

	message: db "Hello World!"
	mlen equ $-message

To compile it we must run:
nasm -f elf32 -o HelloWorld.asm -o HelloWorld.o HelloWorld.asm
ld -o HelloWorld HelloWorld.o

And here you can see the execution of the program:

That’s all for the first introduction to assembly language!