3

I'm wondering what the shellcode would be to simply print "hello world" to the console. When testing for vulnerabilities, I think it would be very useful to have shellcode to test if the exploit works.

In addition, a simple explanation in how to compile shellcode from C in a usable format (ex. backslash + hex characters) would be fantastic so that I can easily generate the shellcode to execute for the payload.

Any helpful information, relating to the main question or not, is greatly appreciated!

Aaron Esau
  • 278
  • 3
  • 15

2 Answers2

5

If you want to get shellcode quick and dirty, use msfvenom. If you want to learn something and become a wizard, I suggest the following:

1. Write a small assembler program for your platform.

You will realize that you need to code in such way that no NULL bytes will be produced. This can be done by creative use of XOR and other tricks.

;hello.asm
[SECTION .text]

global _start


_start:

    jmp short ender

    starter:

    xor eax, eax    ;clean up the registers
    xor ebx, ebx
    xor edx, edx
    xor ecx, ecx

    mov al, 4       ;syscall write
    mov bl, 1       ;stdout is 1
    pop ecx         ;get the address of the string from the stack
    mov dl, 5       ;length of the string
    int 0x80

    xor eax, eax
    mov al, 1       ;exit the shellcode
    xor ebx,ebx
    int 0x80

    ender:
    call starter    ;put the address of the string on the stack
    db 'hello'

2. Use objdump to get the opcodes for the instructions:

hello:     file format elf32-i386


Disassembly of section .text:

08048080 <_start>:
 8048080:       eb 19                   jmp    804809b

08048082 <starter>:
 8048082:       31 c0                   xor    %eax,%eax
 8048084:       31 db                   xor    %ebx,%ebx
 8048086:       31 d2                   xor    %edx,%edx
 8048088:       31 c9                   xor    %ecx,%ecx
 804808a:       b0 04                   mov    $0x4,%al
 804808c:       b3 01                   mov    $0x1,%bl
 804808e:       59                      pop    %ecx
 804808f:       b2 05                   mov    $0x5,%dl
 8048091:       cd 80                   int    $0x80
 8048093:       31 c0                   xor    %eax,%eax
 8048095:       b0 01                   mov    $0x1,%al
 8048097:       31 db                   xor    %ebx,%ebx
 8048099:       cd 80                   int    $0x80

0804809b <ender>:
 804809b:       e8 e2 ff ff ff          call   8048082 
 80480a0:       68 65 6c 6c 6f          push   $0x6f6c6c65

3. Then your shellcode will be:

char code[] = "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x05\xcd"\
              "\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f";

4. Profit

AdHominem
  • 3,006
  • 1
  • 16
  • 26
  • Thanks! By the way, I must comment. Your username is absolutely amazing. – Aaron Esau Nov 03 '16 at 05:04
  • Just thought you might want to know- Ever since I posted this question, I've been studying and working on a (dynamically typed, functional) programming language that compiles to x86 shellcode. It does some tricks to avoid null bytes, tries to optimize the shellcode to make sure it is as small as possible, avoids hardcoded memory addresses, etc. Thanks again for this answer! – Aaron Esau Jul 17 '18 at 04:57
1

It depends on the target platform, however to make your life a little easier I recommend that you look into Metasploit's MSFvenom tool which allows you to generate payloads of different types. See Offensive Security's tutorial

schroeder
  • 123,438
  • 55
  • 284
  • 319
Colin Cassidy
  • 1,880
  • 11
  • 19