Shellcode in C program

Tags:

c

shellcode

In Demystifying the Execve Shellcode, a way to write an execve shellcode is explained:

#include <stdio.h>
#include <string.h>

/* 32-bit Linux x86 execve("/bin//sh") shellcode from the linked article,
   written out as a byte string (no NUL bytes, so strlen gives its length). */
unsigned char code[] =
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(void)
{
    /* strlen returns size_t, so the matching format is %zu, not %d */
    printf("Shellcode Length: %zu\n", strlen(code));

    /* Reinterpret the address of the byte array as the entry point of a
       function taking no declared parameters and returning int. */
    int (*ret)() = (int(*)())code;

    /* Indirect call into the bytes. This only works if the memory holding
       code is mapped executable; on a default modern build .data is not,
       and the program crashes here. */
    ret();
    return 0;
}

What does the line int (*ret)() = (int(*)())code; do?

user720694 asked May 18 '13 17:05



2 Answers

  int (*ret)() = (int(*)())code;
  ~~~~~~~~~~~~   ~~~~~~~~~~~~~~
        1              2

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
               3
  1. It defines ret as a pointer to a function which has no parameter () and returns int. So those () indicate the definition of the parameters of a function.

  2. It's for casting code to a pointer to a function which has no parameter () and returns int.

  3. Casts code as a function and assigns it to ret. After that you can call ret();.

 

unsigned char code[] =  "\x31\xc0\x50\x68\x6e\x2f\...

It is a sequence of machine instructions represented by hex values. It will be injected into the code as a function.

masoud answered Sep 26 '22 06:09
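As an added illustration (not part of either answer), the following C program separates the two things the cast in the question does: it changes only the static type of the address (the pointer still holds &code[0]), and the call is then a plain indirect call, which only succeeds when that address lies in executable memory. The byte array is constructed sample data that is never executed, and the is_executable check assumes Linux with /proc mounted.

```c
#include <stdio.h>
#include <stdint.h>

/* The declaration from the question as a typedef: pointer to a function
 * with an unspecified parameter list that returns int. */
typedef int (*fn_t)();

/* Constructed sample bytes standing in for the shellcode; this example
 * never jumps to them, it only takes their address. */
unsigned char code[] = "\x90\x90\xc3";

/* An ordinary function, so there is a legitimate code address to call. */
int forty_two(void) { return 42; }

/* Step 2 of the first answer: the cast changes only the static type.
 * The function pointer holds exactly the address of code[0]. */
int cast_keeps_address(void)
{
    fn_t ret = (fn_t)code;
    return (uintptr_t)ret == (uintptr_t)code;
}

/* Step 3: calling through the pointer is an indirect call to that address.
 * With a real function it simply returns the function's result. */
int call_through_cast(void)
{
    fn_t ret = (fn_t)forty_two;
    return ret();
}

/* Linux-only check (assumption: /proc is mounted): is the page holding
 * address a mapped executable? Returns 1 yes, 0 no, -1 unknown. A byte
 * array in .data normally answers 0, which is why the question's program
 * crashes on a default build: the cast cannot make data executable. */
int is_executable(uintptr_t a)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    unsigned long lo, hi, addr = (unsigned long)a;
    char perms[8], line[512];
    int result = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3) continue;
        if (addr >= lo && addr < hi) { result = (perms[2] == 'x'); break; }
    }
    fclose(f);
    return result;
}
```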


    (*(void(*)())shellcode)()

==

    void (*p)() = (void(*)()) shellcode;  /* cast the buffer address to a function pointer */
    (*p)();                               /* then call through it */
Jeremy answered Sep 22 '22 06:09