 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
shellcodes |
 |
 Posted: Wed Jun 01, 2005 3:26 pm |
 |
|
| erg0t |
| Valuable expert |
 |
|
| Joined: Apr 08, 2005 |
| Posts: 55 |
| Location: Uruguay |
|
|
 |
|
 |
|
I made a quick guide to coding shellcodes, isn't focused in explotation only in how to write shellcodes, is in spanish but however you can only see the codes (or use a translator)
http://saure.zerosec.net/hack/shellcodes.txt
 |
|
|
|
|
| Posted: Wed Jun 01, 2005 5:22 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
very good, i need learn much more about shellcode and asm  soon add this paper in my site. |
|
|
|
|
| Posted: Thu Jun 22, 2006 12:04 pm |
|
|
| colboy |
| Regular user |
 |
|
| Joined: Jun 21, 2006 |
| Posts: 9 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon Jun 26, 2006 7:03 pm |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
i think any somewhat experienced c programmer knows the technique, but
the real thing is the exploitation. in other words making a schellcode from bytes which get through all kinds of different filters.
anyway when i was testing things i made a c++ source code,
feel free to play with it. if the code looks too fuzzy then best way to start learning is makeing simple programs like hello world and dissassemblying them under MS VC++ (preferably turing off compiler optimizations to make assembly look easier) and makeing programs more complicated like adding a function and observing how the function call looks like in assembly. perhaps a overview of registers is nessesary too if previouse assembly knowlege is zero. but google helps.
| Code: |
int doaddition(char * foo);
#include <stdio.h>
#include <iostream>
using namespace std;
#define GET_STACK_PTR(ptr) \
__asm \
{ \
mov ptr, esp \
}
#define STACK_WALKER(start_pointer) \
{ \
int c=0,pos=0; \
unsigned char * stack_ptr; \
if(start_pointer != NULL) \
{ \
stack_ptr = (unsigned char *)(start_pointer); \
} \
else \
{ \
/* get stack pointer */ \
GET_STACK_PTR(stack_ptr) \
} \
cout << "stack walker starting from address: " << hex << (unsigned int)stack_ptr << endl; \
while((c=getchar())!= 'q') \
{ \
/* note downwards means address increase, like it should */ \
if(c == 'd') \
{ \
cout << "walking 4 bytes downwards on stack" << endl; \
cout << (unsigned int *)stack_ptr << " dword: " << hex << *(unsigned int *)stack_ptr << endl; \
for(c=0;c<4;++c,++stack_ptr) \
{ \
cout << (unsigned int *)stack_ptr << ":" << (int)(*stack_ptr) << "-" << (char)(*stack_ptr) << endl; \
} \
pos += 4; \
cout << "walk end " << dec << pos << " bytes from walk start point" << endl; \
} \
else if(c == 'u') \
{ \
cout << "walking 4 bytes upwards on stack" << endl; \
cout << (unsigned int *)stack_ptr << " dword: " << hex << *(unsigned int *)stack_ptr << endl; \
for(c=0;c<4;++c,--stack_ptr) \
{ \
cout << (unsigned int *)stack_ptr << ":" << (int)(*stack_ptr) << "-" << (char)(*stack_ptr) << endl; \
} \
pos -= 4; \
cout << "walk end " << dec << pos << " bytes from walk start point" << endl; \
} \
else if(c == '\n') \
{ \
cout << "stack walker usage: q - quit, d - 4 bytes downwards on stack, u - 4 bytes upwards on stack" << endl; \
} \
} \
cout << "stack walker finishes at address: " << hex << (unsigned int)(stack_ptr) << endl; \
} \
char buf[] = "\x55\x8B\xEC" // push ebp, mov ebp,esp, put return address on stack and save current stack address
"\x83\xEC\x06" // sub esp,6 - reserve six bytes on stack
"\xC7\x04\x24\x68\x65\x6C\x6C" // mov dword ptr [esp],6C6C6568h; lleh
"\x66\xC7\x44\x24\x04\x6F\x00" // word ptr [esp+4],6Fh; 006F -> \0o
// now on stack hello\0
"\x8D\x04\x24" // lea eax,[esp]
"\x50" // push eax , now 10 bytes of stack
"\xB8\x05\x10\x40\x00" // mov eax, 401005h; offset of print function
"\xFF\xD0" // call eax
"\x83\xC4\x0A" // add esp,10; free stack up to return address
"\x5D\xC3"; // pop ebp, ret, get return address from stack and return
typedef void (* FUNCTION)();
int main()
{
/*
char b[6];
b[0]='h';b[1]='e';b[2]='l';b[3]='l';b[4]='o';b[5]='\0';
return doaddition(b);
*/
char baa[13];
gets(baa);
STACK_WALKER(NULL);
cout << "main: " << (unsigned int *)main << " &main: " << (unsigned int *)&main << endl;
/*__asm
{
sub esp,6
mov dword ptr [esp+0],6C6C6568h
mov word ptr [esp+4], 006Fh
lea eax,[esp+0]
push eax; // 10 bytes on stack
mov eax, 401005h
call eax
add esp,10
pop ebp
ret
}*/
return 0;
//((FUNCTION)(&buf[0]))();
}
int doaddition(char * foo)
{
return printf(foo);
}
|
|
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
www.waraxe.us Forum Index -> Assembler
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 76
Members: 0
Total: 76
