in a shellcode tutorial, I have seen the following example:
main(){
exit(0);
}
The idea was to create an exit()-syscall. So, then they produce the assembly:
Section .text
global _start
_start:
mov ebx, 0
mov eax, 1
int 0x80
I understand this. The 0 is the argument of exit() which we store in ebx, the 1 is the number of the exit syscall and with 0x80 we change the CPU to the kernel mode and the syscall is executed.
After that, they let produce the opcodes of that which are:
bb 00 00 00 00
b8 01 00 00 00
cd 80
Then, they translate this into C language which looks like:
char example[] = "\xbb\x00\x00\x00\x00"
"\xb8\x01\x00\x00\x00"
"\xcd\x80"
int main(){
int *pointer;
pointer = (int *)&pointer+2;
(*pointer) = (int)example;
}
So, what I understand is that they take the opcodes in a char array, but I do not understand what they made in main()-methode. The first line is ok. But what they want to express with the 2nd and 3th line?
Best regards,
The code takes the address of a stack variable, then the address two pointer sizes above it. Then, whatever is at this location is overwritten with the address of the shellcode.
If the overwritten location is the function's return address, then when the function exits the shellcode will be executed. Experimentation and disassembly can help calculate the correct offset from the local variable to the return address.
Usually, the actual exploit will involve a stack buffer overflow (i.e., a function that doesn't check the length of what it puts in its stack buffer, allowing it to "overflow" into the return address): the buffer may be filled with the shellcode and the "overflowed" part will contain the buffer's address; that way, when the function exits it will execute the shellcode within the buffer.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With