Vulnerability Development mailing list archives

Re: creating shell code for exploits


From: Sebastian <scut () NB IN-BERLIN DE>
Date: Tue, 2 Jan 2001 10:50:29 +0100

> hi guys

Hi eke71 :-)

> I am new to the list and was wondering how shell code is created for
> exploits ?

Well, shellcode is created by writing the machine code, or by converting
simple C code directly. For the latter it's sometimes very useful to just
write some lines of C and have the shellcode directly printed. To do this,
use hellkit (www.team-teso.net/releases.php).

In more special situations, if you have limitations on length or allowed
characters, there is no way around writing it manually. There are some very
specialized shellcodes, some optimized for size (the smallest x86/linux ones
I know of: execve: 13 bytes, read(): 15 bytes, portshell: 86 bytes), and
some to filter out disallowed characters (most of the time just \x00, \x0a,
\x0d and \x25). There are even printable-ASCII only shellcodes.

For the x86 platforms there are numerous articles, of which one from aleph1
and one from smiler come to my mind.
For platforms other than x86, like Sparc, MIPS and PPC, there are some
papers floating around somewhere.

In general, if you write shellcodes as a .s file, you may find a small .c
source helpful to convert it to hexcode (outp.c, also from
www.team-teso.net/releases.php).

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- CSMC_TOP_SECRET_ATOMAL.tar.bz2, 69043590 bytes received in 381.4 seconds --
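An added example, not code from the original post and not hellkit or outp.c: a small C program that takes a raw byte buffer, prints it in the "\x.." form a C source wants, and reports the first byte from the commonly filtered set the post lists (\x00, \x0a, \x0d, \x25), so a stub that would be mangled in transit is caught before use. The sample bytes are constructed and are not an instruction sequence.

```c
/* Added example: hex-escape a byte buffer for embedding in a C source,
 * and flag bytes that common input filters strip or alter. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Byte values the post names as most commonly disallowed. */
static const unsigned char BAD_BYTES[] = { 0x00, 0x0a, 0x0d, 0x25 };

/* Return the offset of the first byte of buf that appears in bad,
 * or -1 if none occurs. */
long first_bad_byte(const unsigned char *buf, size_t len,
                    const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Write buf into out as the body of a C string literal ("\x41\x42...").
 * Each byte becomes exactly 4 characters. Returns the number of
 * characters written (excluding the NUL), or -1 if out is too small. */
long hex_escape(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    if (outsz < len * 4 + 1)
        return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + i * 4, 5, "\\x%02x", buf[i]);   /* 4 chars + NUL */
    return (long)(len * 4);
}

int main(void)
{
    /* Constructed sample bytes, chosen to contain two filtered values. */
    static const unsigned char sample[] = { 0x41, 0x42, 0x0a, 0x43, 0x25, 0x7f };
    char text[sizeof(sample) * 4 + 1];

    long bad = first_bad_byte(sample, sizeof sample, BAD_BYTES, sizeof BAD_BYTES);
    hex_escape(sample, sizeof sample, text, sizeof text);
    printf("\"%s\"\n", text);
    if (bad >= 0)
        printf("disallowed byte \\x%02x at offset %ld\n", sample[bad], bad);
    return bad >= 0;   /* non-zero exit if the buffer would not survive a filter */
}
```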