Vulnerability Development mailing list archives

Re: shellcode -> asm?


From: "stallman" <stallman () terra com br>
Date: Thu, 24 Oct 2002 08:39:06 -0300

Hi,

If I don't have the source code, how can I discover the memory
address where the shellcode lives, to use with the '/i
memory_address' command?

Regards,

-Rafael

---------- Original message -----------

From    : "Eloy A. Paris" <peloy () chapus net>
To      : Sean Zadig <seanzadig () hotmail com>
Cc      : vuln-dev () securityfocus com
Date    : Tue, 8 Oct 2002 16:19:25 -0400
Subject : Re: shellcode -> asm?

Don't know if this is what you are looking for, but let's try an
example:

Get http://www.immunitysec.com/GOBBLES/exploits/apache-scalp.c. The
shell code is in the char array "shellcode". To see the code:

peloy@canaima:~$ gcc -g -o apache-scalp apache-scalp.c
peloy@canaima:~$ gdb ./apache-scalp
GNU gdb 2002-08-18-cvs
[...]
(gdb) x /10i shellcode
0x804ac20 <shellcode>:  mov    %esp,%edx
0x804ac22 <shellcode+2>:        sub    $0x10,%esp
0x804ac25 <shellcode+5>:        push   $0x10
0x804ac27 <shellcode+7>:        push   %esp
0x804ac28 <shellcode+8>:        push   %edx
0x804ac29 <shellcode+9>:        push   $0x0
0x804ac2b <shellcode+11>:       push   $0x0
0x804ac2d <shellcode+13>:       mov    $0x1f,%eax
0x804ac32 <shellcode+18>:       int    $0x80
0x804ac34 <shellcode+20>:       cmpb   $0x2,0x1(%edx)
(gdb)

The 'x' gdb command is your friend. It allows you to see anything the
way you want (instructions, bytes, words, strings, etc.) If you don't
have the source code you still use the 'x' command and give it '/i
memory_address' where memory_address is the place where the shell code
lives.

Cheers,

Eloy.-

On Tue, Oct 08, 2002 at 12:12:21PM -0700, Sean Zadig wrote:
Hi,
I'm doing some research into creating variants of common attacks, but I
ran into a problem of sorts. For most of the attacks I have, the shell
code consists of the overflow and the actual malicious code that is run.
I want to be able to isolate the overflow from the rest of the shellcode
and use that to create attack variants. Problem is, I don't know where
one ends and the other begins! I figure if I turn the hex-encoded
shellcode back into assembly code, I could probably figure it out. I'm
familiar with how to do the reverse in gdb, but is it possible to do
what I want? To restate: shellcode -> asm is what I need. If this is a
simple thing, my apologies - but the security-basics list rejected my
post =)
  -Sean Zadig

-----
Sean Zadig
Student, UC Davis
PGP Key ID: 0xDE44A79F
7EE1 C80A A0C1 B224 45CE  F74B 5835 0115 DE44 A79F


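Sean's problem (turning the hex-escaped shellcode string back into bytes a disassembler can read) and Rafael's (knowing where those bytes live when there is no symbol to name them) both come down to getting the raw bytes somewhere gdb or objdump can see them. The C program below is an added example written for this archive page; it is not code from the thread and not from apache-scalp.c. It decodes the text of a C string literal exactly as it appears in an exploit source (quotes, \xHH escapes and line breaks included), keeps the bytes in a named global so gdb can reach them, prints their address for the '/i memory_address' form, and writes them to a file for objdump. The sample string is a constructed input, the well-known 23-byte Linux/x86 execve("/bin/sh") sequence; the file name shellcode.bin and the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_SC 256

/* Decoded bytes live in a global so a debugger can reach them by name
   (x/12i shellcode_bytes) as well as by the address main() prints. */
unsigned char shellcode_bytes[MAX_SC];

/* Turn the *text* of one or more adjacent C string literals, copied
   straight out of an exploit source, into raw bytes.  Anything outside
   the double quotes (newlines, indentation, a trailing ';') is ignored,
   so a literal pasted across several lines decodes as one buffer.
   Returns the number of bytes written, or (size_t)-1 on a malformed or
   unterminated literal or when 'out' is too small. */
size_t decode_c_string(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int in_quotes = 0;

    for (const char *p = text; *p; p++) {
        if (!in_quotes) {
            if (*p == '"')
                in_quotes = 1;      /* start of a literal */
            continue;
        }
        if (*p == '"') {            /* end of this literal */
            in_quotes = 0;
            continue;
        }
        unsigned char b;
        if (*p == '\\') {
            p++;
            switch (*p) {
            case 'x': {             /* \xHH: one or two hex digits */
                int digits = 0, v = 0;
                while (digits < 2 && isxdigit((unsigned char)p[1])) {
                    char c = *++p;
                    v = v * 16 + (isdigit((unsigned char)c) ? c - '0'
                                  : tolower((unsigned char)c) - 'a' + 10);
                    digits++;
                }
                if (digits == 0)
                    return (size_t)-1;
                b = (unsigned char)v;
                break;
            }
            case 'n':  b = '\n'; break;
            case 't':  b = '\t'; break;
            case 'r':  b = '\r'; break;
            case '0':  b = 0;    break;
            case '\\': b = '\\'; break;
            case '"':  b = '"';  break;
            default:   return (size_t)-1;   /* unknown escape, or text ends mid-escape */
            }
        } else {
            b = (unsigned char)*p;  /* plain character inside the literal, e.g. "/bin" */
        }
        if (n >= cap)
            return (size_t)-1;
        out[n++] = b;
    }
    return in_quotes ? (size_t)-1 : n;
}

/* Dump the raw bytes so they can be disassembled without a debugger:
   objdump -D -b binary -m i386 shellcode.bin.  Returns 0 on success. */
int write_raw(const char *path, const unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    size_t w = fwrite(buf, 1, len, f);
    return (fclose(f) == 0 && w == len) ? 0 : -1;
}

/* Constructed sample input: the well-known 23-byte Linux/x86
   execve("/bin/sh") sequence, as it would be pasted from an exploit
   source (two adjacent literals and a trailing ';'). */
static const char *sample_source =
    "\"\\x31\\xc0\\x50\\x68//sh\\x68/bin\\x89\\xe3\"\n"
    "\"\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\n";

int main(int argc, char **argv)
{
    const char *text = argc > 1 ? argv[1] : sample_source;
    size_t len = decode_c_string(text, shellcode_bytes, sizeof shellcode_bytes);
    if (len == (size_t)-1) {
        fprintf(stderr, "malformed string literal\n");
        return 1;
    }
    /* The address printed here is the memory_address for gdb's x/Ni. */
    printf("%zu bytes decoded at %p\n", len, (void *)shellcode_bytes);
    for (size_t i = 0; i < len; i++)
        printf("%02x%c", shellcode_bytes[i], (i + 1) % 16 ? ' ' : '\n');
    putchar('\n');
    if (write_raw("shellcode.bin", shellcode_bytes, len) != 0) {
        perror("shellcode.bin");
        return 1;
    }
    return 0;
}
```

Build it with `gcc -g -o scdump scdump.c` and run it. `objdump -D -b binary -m i386 shellcode.bin` then disassembles the file with no debugger at all; alternatively, in gdb do `break write_raw`, `run`, and `x/12i shellcode_bytes` (or `x/12i` on the address the program printed) to see the same instructions the way Eloy's reply does. Either view shows the sample as xor %eax,%eax; push %eax; the two pushes of "//sh" and "/bin"; mov %esp,%ebx; and finally mov $0xb,%al; int $0x80, which is where the overflow padding of a real exploit string would stop and the payload proper would begin.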