Vulnerability Development mailing list archives

Re: creating shell code for exploits


From: ghandi <ghandi () DOPESQUAD NET>
Date: Mon, 1 Jan 2001 21:54:49 -0700

On Mon, 1 Jan 2001, eke71 wrote:

> hi guys
>
> I am new to the list and was wondering how shellcode is created for
> exploits?


A lot of times old shellcode can be reused (find one for the target
operating system and architecture).  Jose Nazario listed a good number of
them on pen-test [1].  After that, the trick is just getting the
vulnerable program to jump to it.

If you are writing your own, follow Aleph One's "Smashing the Stack for
Fun and Profit" [2].  The basic procedure is:

  - Write the code in assembly (you can use the C compiler as a guide).
  - Hex-encode the machine code (use GNU 'objdump' or Solaris 'dis').
  - Get rid of any bytes that may be interpreted on input to the program
    (NULL bytes, other whitespace, etc).
  - Place the bytes in a string in the exploit and test it (cast the
    string pointer as a function pointer and call it).

I wrote some shellcode for SPARC/Solaris to exec /bin/sh and bind /bin/sh
to a TCP port [3].  I have both posted in assembly and as C header files.
The code to bind a shell was purged of (in addition to NULLs) all
whitespace chars, '?' (0x3f), and '&' (0x26) for passing through HTTP GET
requests.

I hope that sheds some light on the subject.

[1] - http://www.securityfocus.com/archive/101/150666
[2] - http://phrack.infonexus.com/search.phtml?view&article=p49-14
[3] - http://www.dopesquad.net/security

--
          ghandi / ghandi () dopesquad net / www.dopesquad.net
       "Bein' Crazy is the least of my worries." - Jack Kerouac
          C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F