
Big Picture: Shellcode and ASM

The story I want to start to tell:

  1. Hijacking the Instruction Pointer via buffer overflow
  2. Detecting an "executable stack"
  3. Sending opcodes in your payload (Shellcode)
  4. Compiling ASM into shellcode
  5. Using pwntools to fetch and deploy shellcode

Now I might not tell this story in that order, but I do want you to see the target.

(The reason for shuffling the order is so you can start Project 1.)

An Executable Stack

Take a look at the following program:

Compile this with some flags: gcc -m32 -z execstack raw.c

This crazy line: int (*ret)() = (int(*)())rawcode; declares a function pointer ret on the left-hand side, while on the right-hand side it casts the address of the rawcode buffer to a function pointer type. The fact that those bytes can then actually be executed by calling ret() is amazing!

Note that the program had to be compiled with the -z execstack flag to allow the stack to hold executable instructions. That is because when shellcode was at its most ferocious, back around the turn of the millennium, stacks were executable by default. So to study the historical exploits we have to turn back time.

I promise it is worth studying because it is the foundation of the modern exploits which have to jump through more and more hoops.

Compiling ASM from scratch

OK so the side-quest is to learn how to write and compile ASM.

Quick answer:

  1. Given a file called blah.asm
  2. For 64-bit do: nasm -f elf64 blah.asm creates blah.o
  3. Then do: ld -o thebinary blah.o to "link" the object file into an executable
  4. For 32-bit do: nasm -f elf blah.asm to make blah.o
  5. Then link with: ld -m elf_i386 -s -o thebinary blah.o

If you'd like to extract the shellcode from your compiled ASM you can run:

Now how do you actually craft ASM into a text file?

Here are some examples:

This one is the same but designed to not have null-bytes:

This shows the data segment:

OK, all of these lean heavily on the syscall instruction int 0x80. To know what you can do with it, use the following: SYSCALL TABLES

Now mix the output of one of these with the C snippet from above using the cute objdump command.
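As an added example (not part of these notes), here is a small Python script that does the "extract the shellcode from your compiled ASM" step and the null-byte check from the text above: it parses the text of objdump -d, collects the opcode bytes, renders them as the \x.. string you paste into rawcode[], and reports any 0x00 bytes. The objdump listing is constructed inline and assumes the usual elf32-i386 layout; it is not one of the course's own .asm files.

```python
import re

# Constructed sample of `objdump -d blah.o` output for a tiny 32-bit program
# (assumed layout; not taken from the course files).
SAMPLE_OBJDUMP = """\
blah.o:     file format elf32-i386


Disassembly of section .text:

00000000 <_start>:
   0:\t31 c0                \txor    %eax,%eax
   2:\tb8 01 00 00 00       \tmov    $0x1,%eax
   7:\t31 db                \txor    %ebx,%ebx
   9:\tcd 80                \tint    $0x80
"""

# A disassembly line looks like "   offset:<TAB>hex bytes<TAB>mnemonic operands".
# Continuation lines of long instructions carry bytes but no mnemonic, so we
# only require the offset and at least one hex byte.
LINE_RE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s)+)")

def extract_bytes(objdump_text: str) -> bytes:
    """Collect the raw opcode bytes from objdump -d text, in address order."""
    out = bytearray()
    for line in objdump_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def to_c_string(code: bytes) -> str:
    """Render bytes as the \\x.. literal you paste into rawcode[] in raw.c."""
    return "".join(f"\\x{b:02x}" for b in code)

def null_byte_offsets(code: bytes) -> list[int]:
    """Offsets of 0x00 bytes: each one ends a strcpy-style copy of the payload early."""
    return [i for i, b in enumerate(code) if b == 0]

if __name__ == "__main__":
    code = extract_bytes(SAMPLE_OBJDUMP)
    print(len(code), "bytes:", to_c_string(code))
    nulls = null_byte_offsets(code)
    if nulls:
        # mov $0x1,%eax encodes as b8 01 00 00 00; mov $0x1,%al (b0 01) has no nulls
        print("null bytes at offsets", nulls, "- rewrite those instructions")
```

Run it against the real listing with objdump -d blah.o | python3 extract.py (after replacing SAMPLE_OBJDUMP with sys.stdin.read()).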

Project 1 Starter Code

pwntools

This is where we start our Python journey in this class.

I suspect we won't have time to get here today, but I'll include the notes just in case.

pip install pwntools

pwntools is my de facto exploit framework, and here's a starter script that is usable for starting most pwns:

Now you're probably not ready for that so let's look at a baby pwntools setup: