I am new to StackOverflow. Recently, I began studying assembly and am fairly new to assembly, completely new to shellcode. I am using RadAsm to compile using MASM assembler and I tried studying shellcode from this website Shellcoding for Linux and Windows
I am using RadAsm on Windows 64-bit. The code I used is almost the same, except that I use the absolute name of the function rather than the address of the function in the DLL. The shellcode is supposed to use the sleep function with the parameter 5000
.
This is the code that I am using in MASM.
.386
.model flat, stdcall
option casemap:none
include kernel32.inc
includelib kernel32.lib
.code
_start:
xor eax, eax ; zero out eax
mov ebx, Sleep ; function sleep goes in ebx
mov ax, 5000 ; parameter goes in ax
push eax ; parameter on stack
call ebx ; call Sleep
end _start
end
This assembles with no errors in MASM.
The shellcode generated has null values and is slightly different from the website. It is as follows.
I used objdump -d nameofexecutable.exe
to get the disassembly.
Disassembly of section .text
00401000 <.text>:
401000: 33 c0 xor %eax,%eax
401002: bb 0e 10 40 00 mov $0x40100e,%
401007: 66 b8 88 13 mov $0x1388,%ax
40100b: 50 push %eax
40100c: ff d3 call *%ebx
40100e: ff 25 00 20 40 00 jmp *0x402000
But in the website, there are no 00
hex codes.
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c0 xor %eax,%eax
8048082: bb ea 1b e6 77 mov $0x77e61bea,%ebx
8048087: 66 b8 88 13 mov $0x1388,%ax
804808b: 50 push %eax
804808c: ff d3 call *%ebx
Could it be because I am using x64 to compile or because I am calling the function indirectly?
Any help would be appreciated, thank you.
Shellcode is inherently written in low level assembly langugae following certain rules like no hardcoded address, and no nulls "0x00" etc. The assembler "assembles" and "links" this machine code and produces a hexcode output, which can be then be executed as an executable.
Shellcode is machine code that when executed spawns a shell. Not all "Shellcode" spawns a. shell. Shellcode is a list of machine code instructions which are developed in a manner that. allows it to be injected in a vulnerable application during its runtime.
Shellcodes: In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.
Your code is assembled to run at 0x00401000, so the highest byte of all addresses end up being 0x00. Their code is assembled to run at 0x08048080, so the highest byte of all their addresses end up being 0x08.
This is where all of your zeros come from.
The simple answer is that MASM sucks!!
Cited from here "In the past I had developed 32-bit shellcode using the free and open-source Netwide Assembler (NASM), but when going through the exercise of learning the 64-bit variety I figured I would try it out with the Microsoft Assembler (MASM) instead. One problem quickly became apparent: MASM offers no way (that I know of) to generate raw binary machine code as opposed to an .exe file! All is not lost though, the code bytes can be extracted from the .exe file easily enough (but in the future I might go back to NASM).", it's harder to create shellcode.
I used NASM to create the shellcode for a program that says hey from the link you provided on windows x64, this is the result that I achieved, no null bytes. Turns out the example for sleep may not work correctly but the second example is fully functional.
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2f\x59\x88\x51\x0a"
"\xbb\x82\xf8\x60\x77\x51\xff\xd3\xeb\x31\x59\x31\xd2"
"\x88\x51\x0b\x51\x50\xbb\xe6\x4d\x61\x77\x59\x31\xd2"
"\x88\x51\x03\x31\xd2\x52\x51\x51\x52\x31\x32\xd2\x50"
"\xb8\xca\x3a\x61\x77\xe8\xcc\xff\xff\xff\x75\x73\x65"
"\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xca\xff\xff\xff"
"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8"
"\xc6\xff\xff\xff\x48\x65\x79\x4e"
NOTE: use nameofexecutable.o with objdump
ie. objdump -o nameofexecutable.o to get the shellcode and not nameofexecutable.exe
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With