Vulnerability Development mailing list archives
Re: shellcode -> asm?
From: "stallman" <stallman () terra com br>
Date: Thu, 24 Oct 2002 08:39:06 -0300
Hi, If I don't have the source code, how can I discover the memory address where the shellcode lives, to use with the '/i memory_address' command? Regards, -Rafael
---------- Mensagem original ----------- De : "Eloy A. Paris" <peloy () chapus net> Para : Sean Zadig <seanzadig () hotmail com> Cc : vuln-dev () securityfocus com Data : Tue, 8 Oct 2002 16:19:25 -0400 Assunto : Re: shellcode -> asm? Don't know if this is what you are looking for, but let's try an example: Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The shell code is in a the char array "shellcode". To see the code: peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c peloy@canaima:~$ gdb ./apache-scalp GNU gdb 2002-08-18-cvs [...] (gdb) x /10i shellcode 0x804ac20 <shellcode>: mov %esp,%edx 0x804ac22 <shellcode+2>: sub $0x10,%esp 0x804ac25 <shellcode+5>: push $0x10 0x804ac27 <shellcode+7>: push %esp 0x804ac28 <shellcode+8>: push %edx 0x804ac29 <shellcode+9>: push $0x0 0x804ac2b <shellcode+11>: push $0x0 0x804ac2d <shellcode+13>: mov $0x1f,%eax 0x804ac32 <shellcode+18>: int $0x80 0x804ac34 <shellcode+20>: cmpb $0x2,0x1(%edx) (gdb) The 'x' gdb command is your friend. It allows you to see anything th
e
way you want (instructions, bytes, words, strings, etc.) If you don'
t
have the source code you still use the 'x' command and give it '/i memory_address' where memory_address is the place where the shell co
de
lives. Cheers, Eloy.- On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:Hi, I'm doing some research into creating variants of common attacks,
but I ran
into a problem of sorts. For most of the attacks I have, the shell
code
consists of the overflow and the actual malicious code that is run
. I want
to be able to isolate the overflow from the rest of the shellcode
and use
that to create attack variants. Problem is, I don't know where one
ends and
the other begins! I figure if I turn the hex-
encoded shellcode back into
assembly code, I could probably figure it out. I'm familiar with h
ow to do
the reverse in gdb, but is it possible to do what I want? To resta
te:
shellcode -asm is what I need. If this is a simple thing, my apologies -but the security-basics list rejected my post =) -Sean Zadig ----- Sean Zadig Student, UC Davis PGP Key ID: 0xDE44A79F 7EE1 C80A A0C1 B224 45CE F74B 5835 0115 DE44 A79F _________________________________________________________________ Chat with friends online, try MSN Messenger: http://messenger.msn.
com
Current thread:
- shellcode -> asm? Sean Zadig (Oct 08)
- Re: shellcode -> asm? Eloy A. Paris (Oct 08)
- Re: shellcode -> asm? Stephen (Oct 08)
- Re: shellcode -> asm? Erik Sperling Johansen (Oct 08)
- Re: shellcode -> asm? Enrique A . Compañ Gzz . (Oct 08)
- RE: shellcode -> asm? Riley Hassell (Oct 08)
- Re: shellcode -> asm? Simon 'corecode' Schubert (Oct 09)
- Re: shellcode -> asm? Jedi/Sector One (Oct 10)
- Re: shellcode -> asm? Paweł Krawczyk (Oct 14)
- <Possible follow-ups>
- RE: shellcode -> asm? Sean Zadig (Oct 09)
- Re: shellcode -> asm? stallman (Oct 24)
- Re: shellcode -> asm? Sean Zadig (Oct 24)