Shellcode Development

  • eax : must contain 11, which is the system ca ll number for execve ().
  • ebx: must contain the address of the command string (e.g . “ /b i n/ sh “ ).
  • ecx: must contain the address of the argument array ; in our case, the first element of the array points to the “ /bin/ sh “ string, while the second element is O (which marks the end of the array) .
  • edx : must contain the address of the environment variables that we want to pass to the new program . We can set it to 0, as we do not need to pass any environment variable.
  • If we want to assign zero to eax, we can use “mov eax, 0”, but doing so, we will get a zero in the machine code. A typical way to solve this problem is to use “xor eax, eax”.
  • If we want to store 0x00000099 to eax. We cannot just use mov eax, 0x99, because the second operand is actually 0x00000099, which contains three zeros. To solve this problem, we can first set eax to zero, and then assign a one-byte number 0x99 to the al register, which is the least significant 8 bits of the eax register.
  • Another way is to use shift. In the following code, first 0x237A7978 is assigned to ebx. The ASCII values for x, y, z, and # are 0x78, 0x79, 0x7a, 0x23, respectively. Because most Intel CPUs use the small-Endian byte order, the least significant byte is the one stored at the lower address (i.e., the character x), so the number presented by xyz# is actually 0x237A7978. You can see this when you dissemble the code using objdump.
  1. Using Stack
fig : proof of getting a new shell
fig : Using objdump to extract machine code
fig : Using xxd to exctract machine code
Python program to convert the machine code into an array
fig: shellcode in array form

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
aayush malla

aayush malla

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst