This Document is intended for research & study purposes.
We warn you that any legal liability that arises when using this document for commercial or malicious purposes is at your own risk.
#Shell Code.
:In hacking, a shellcode is a small piece of code used as the payload in the exploitaion of a S/W vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code. --from Wikipedia#How to make Shell Code.
The procedure for creating shell code is as follows.
- Implement code that you want to run in C or another high-level language.
- Disassembling using GDB and finding the required part.
- Implement with only the essential parts required for system calls.
- Compile and Output the machine language using Objdump.
- If there is a null, Return a null value, Remove it by processing.
- Complete machine code with one sentence.
# Make the local shell code.
:Local Shell Code refers to the shell code that operates in the local environment.
The Shell Code to create is the code that executes the Root Shell using the execve function in Red Hat Linux 9. The code contents are as follows.
The execve function is itself a System call function. If we look at the prototype of the execve function, the arguments of the execve functions are the execution path, the start address of the argument array, and the address of the enviroment variable array, respectively.
Now, compile this code with the static option, and run it. we can see shell running as follows:
The static option is used to compile, not to use the shared lib, and to contain all the content used in the program.
To create a shell code, we first need to implement it in assembly language. Therefore, we use GDB to get the information we need when coding with ASM.
If we disassembly the execve using GDB, you can see the ASM commands above. Put a bp on execve +36 where int0x80 ix located. and look at the values of registers as shown below.
When expressing execve (str[1], str, &str[1]), use eax, ebx, ecx and edx. the system call number of execve is 11. the values of the execve receive as arguments are 0 address, the address of "/bin/sh", and "/bin/sh" and write as asm code, we can write as follows.
Use this code to check the machine code using objdump.
In order to function properly with the Shell Code, there must be no null characters. Examples of ways to remove null values include short jump, modify register width, and xor operation.
These methods use only enough space for their own use, they can not enter Null. because they do not have space left.
The modified code that removed the null value is as follows.
Check again with objdump to see if there is a null value that could not be removed.
The shell code is extracted using this file because the null value no longer exists.
If we run this shell code, the shell will run fine, but we will not be able to run the shell with root permission. because there is no code to get root's privileges. Therefore, We need to add the code about getting root previlege. ex. setuid(0)
we check the system call number of Setuid() in /usr/included/unistd.h. we can see that it is 23 as shown above.
If we implement setuid(0) with asm, as follows.
- mov eax,0x17
- mov ebx,0
- int 0x80
and we must remove the null values, the result is as follows.
- xor eax,eax
- mov ebx,eax
- mov al,0x17
- int 0x80
Then add the following to your existing file:
Now, we extract the completed asm file as shell code. then, Local shell code is completed.
Using the extracted shell code, make the following file.
If we compile this file and run it, we can see that Shell is run with root permission as follows.
No comments:
Post a Comment