Menu
This is a shellcode to exploit the bufferoverflow vulnerability. It sets the setuid(0) and spawns a shell using execve(). Below is the way I have interpreted it:
xor %ebx,%ebx ; Xoring to make ebx value 0
lea 0x17(%ebx),%eax ; adds 23 to 0 and loads effective addr to eax. for setuid()
int $0x80 ; interrupt
push %ebx ; push ebx
push $0x68732f6e ; push address // why this address only????
push $0x69622f2f ; push address // same question
mov %esp,%ebx
push %eax
push %ebx
mov %esp,%ecx
cltd ; mov execve sys call into al
mov $0xb,%al
int $0x80 ; interrupt
Can anyone explain the entire steps clearly?
294
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine.
What is Shellcode? Shellcode is a special type of code injected remotely which hackers use to exploit a variety of software vulnerabilities. It is so named because it typically spawns a command shell from which attackers can take control of the affected system.
Shellcode cannot be executed directly. In order to analyze what a shellcode attempts to do it must be loaded into another process. One common analysis technique is to write a small C program which holds the shellcode as a byte buffer, and then use a function pointer or use inline assembler to transfer execution to it.
The return address affects where the program should jump to when the function returns. If the return address field is modified due to a buffer overflow, when the function returns, it will return to a new place.
int is the opcode for triggering a software interrupt. Software interrupts are numbered (from 0 to 255) and handled by the kernel. On Linux systems, interrupt 128 (0x80) is the conventional entry point for system calls. The kernel expects the system call arguments in the registers; in particular, the %eax register identifies which system call we are talking about.
lea as "load effective address" but not memory access is involved; this is just a devious way of making an addition).setuid. That system call uses one argument (the target UID), to be found in %ebx, which conveniently contains 0 at that point (it was set in the first instruction). Note: upon return, registers are unmodified, except for %eax which contains the returned value of the system call, normally 0 (if the call was a success).setuid).execve system call will use as second argument.cltd is the AT&T syntax for what the Intel documentations call cdq. Since %eax is zero at that point, this sets %edx to zero too.execve. execve expects three arguments, in %ebx (pointer to a string naming the file to execute), %ecx (pointer to an array of pointers to strings, which are the program arguments, the first one being a copy of the program name, to be used by the invoked program itself) and %edx (pointer to an array of pointers to strings, which are the environment variables; Linux tolerates that value to be NULL, for an empty environment), respectively.So the code first calls setuid(0), then calls execve("//bin/sh", x, 0) where x points to an array of two pointers, first one being a pointer to "//bin/sh", while the other is NULL.
This code is quite convoluted because it wants to avoid zeros: when assembled into binary opcodes, the sequence of instruction uses only non-zero bytes. For instance, if the 12th instruction had been movl $0xb,%eax (setting the whole of %eax to 11), then the binary representation of that opcode would have contained three bytes of value 0. The lack of zero makes that sequence usable as the contents of a zero-terminated C string. This is meant for attacking buggy programs through buffer overflows, of course.
116
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
