Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a difference between MASM shellcode and NASM shellcode

I am new to StackOverflow. Recently, I began studying assembly and am fairly new to assembly, completely new to shellcode. I am using RadAsm to compile using MASM assembler and I tried studying shellcode from this website Shellcoding for Linux and Windows

I am using RadAsm on Windows 64-bit. The code I used is almost the same, except that I use the absolute name of the function rather than the address of the function in the DLL. The shellcode is supposed to use the sleep function with the parameter 5000.

This is the code that I am using in MASM.

.386
.model flat, stdcall
option casemap:none

include kernel32.inc
includelib kernel32.lib

.code
_start:
    xor eax, eax    ; zero out eax
    mov ebx, Sleep  ; function sleep goes in ebx
    mov ax, 5000    ; parameter goes in ax
    push eax        ; parameter on stack
    call ebx        ; call Sleep
end _start
end

This assembles with no errors in MASM.

The shellcode generated has null values and is slightly different from the website. It is as follows.

I used objdump -d nameofexecutable.exe to get the disassembly.

Disassembly of section .text
 00401000 <.text>:
  401000:       33 c0                   xor    %eax,%eax
  401002:       bb 0e 10 40 00          mov    $0x40100e,%
  401007:       66 b8 88 13             mov    $0x1388,%ax
  40100b:       50                      push   %eax
  40100c:       ff d3                   call   *%ebx
  40100e:       ff 25 00 20 40 00       jmp    *0x402000

But in the website, there are no 00 hex codes.

Disassembly of section .text:

08048080 <_start>:
 8048080:       31 c0                   xor    %eax,%eax
 8048082:       bb ea 1b e6 77          mov    $0x77e61bea,%ebx
 8048087:       66 b8 88 13             mov    $0x1388,%ax
 804808b:       50                      push   %eax
 804808c:       ff d3                   call   *%ebx

Could it be because I am using x64 to compile or because I am calling the function indirectly?

Any help would be appreciated, thank you.

like image 905
David Avatar asked Aug 28 '14 06:08

David


People also ask

Is Shellcode assembly language?

Shellcode is inherently written in low level assembly langugae following certain rules like no hardcoded address, and no nulls "0x00" etc. The assembler "assembles" and "links" this machine code and produces a hexcode output, which can be then be executed as an executable.

What is Shellcode Assembly?

Shellcode is machine code that when executed spawns a shell. Not all "Shellcode" spawns a. shell. Shellcode is a list of machine code instructions which are developed in a manner that. allows it to be injected in a vulnerable application during its runtime.

What is Windows shell code?

Shellcodes: In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.


2 Answers

Your code is assembled to run at 0x00401000, so the highest byte of all addresses end up being 0x00. Their code is assembled to run at 0x08048080, so the highest byte of all their addresses end up being 0x08.

This is where all of your zeros come from.

like image 142
Brendan Avatar answered Sep 20 '22 12:09

Brendan


The simple answer is that MASM sucks!!

Cited from here "In the past I had developed 32-bit shellcode using the free and open-source Netwide Assembler (NASM), but when going through the exercise of learning the 64-bit variety I figured I would try it out with the Microsoft Assembler (MASM) instead. One problem quickly became apparent: MASM offers no way (that I know of) to generate raw binary machine code as opposed to an .exe file! All is not lost though, the code bytes can be extracted from the .exe file easily enough (but in the future I might go back to NASM).", it's harder to create shellcode.

I used NASM to create the shellcode for a program that says hey from the link you provided on windows x64, this is the result that I achieved, no null bytes. Turns out the example for sleep may not work correctly but the second example is fully functional.

"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2f\x59\x88\x51\x0a"
"\xbb\x82\xf8\x60\x77\x51\xff\xd3\xeb\x31\x59\x31\xd2"
"\x88\x51\x0b\x51\x50\xbb\xe6\x4d\x61\x77\x59\x31\xd2"
"\x88\x51\x03\x31\xd2\x52\x51\x51\x52\x31\x32\xd2\x50"
"\xb8\xca\x3a\x61\x77\xe8\xcc\xff\xff\xff\x75\x73\x65"
"\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xca\xff\xff\xff"
"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8"
"\xc6\xff\xff\xff\x48\x65\x79\x4e"

NOTE: use nameofexecutable.o with objdump

ie. objdump -o nameofexecutable.o to get the shellcode and not nameofexecutable.exe

like image 44
Hawk Avatar answered Sep 22 '22 12:09

Hawk