What are these hex codes and how can they be decoded/encoded?

2

2

I have some interest in finding out a bit more about an exploit that was published that creates a root user in a Linux machine; however, before I run the code, I want to make sure I understand all of it and I can't seem to find any information on the hex codes being used.

This is the link to the exploit code source: exploitdb.com/exploits/17439

It's a basic C program, but the value of one of the pointers uses code like this:

           "\x6a\x26\x5a\x25\x04\xe3\xb3\x64"
           "\x04\xc7\x03\x65\x48\xe6\x02\xc3"

How do I decode this to ASCII and how can I re-encode it back?

I'm thinking I could be totally off-base here and really this code should decode to assembly, but I don't really know. Either way, what can I do with this code to make sure I'm not executing arbitrary commands?

I'm completely new to C, but know enough VB.net/C#/PHP to be dangerous.

P.S. For those of you who are concerned, I'll be running this in a VM.

skub

Posted 2011-07-08T05:30:56.293

Reputation: 2 716

Answers

1

Python's REPL is good in a pinch for stuff like this.

    >>> "\x6a\x26\x5a\x25\x04\xe3\xb3\x64"
    'j&Z%\x04\xe3\xb3d'
    >>> "\x04\xc7\x03\x65\x48\xe6\x02\xc3"
    '\x04\xc7\x03eH\xe6\x02\xc3'

So yeah, pretty much all assembly. You'll need a disassembler (or a CPU databook and a lot of patience) in order to read it.

Ignacio Vazquez-Abrams

Posted 2011-07-08T05:30:56.293

Reputation: 100 516

This is probably getting into Stack Overflow territory, but could you provide a basic code example (even if pseudo-code) of how to get Python to parse this? – skub – 2011-07-08T05:50:54.797

There is no further parsing. What I showed is what Python knows about it. You will need a disassembler (or a ...) from here. – Ignacio Vazquez-Abrams – 2011-07-08T05:52:26.683

Maybe you want to ask this on http://codegolf.stackexchange.com/; perhaps they can help you. – Michael K – 2011-07-08T07:26:11.667

5

The very database entry that you pointed to gives both the original assembly language program, and its C language equivalents, immediately above the hex-encoded raw machine code. It's SuperH assembly language.

JdeBP

Posted 2011-07-08T05:30:56.293

Reputation: 23 855

Yes, I know; the comments that contain the assembly may or may not necessarily be the code that is in the pointer. I was requesting a way (method or process) to check the code to ensure it is indeed the assembly noted above. And also a method to encode to the appropriate hex code values (which no one answered). – skub – 2011-07-08T12:52:50.570

That's not in your question as asked, which didn't say anything at all about verification of machine code against assembly language, but did ask about converting to ASCII characters, which is why people's answers talk about that. You didn't ask anything like what you are asking now. And the method to encode assembly language to machine code is known as an assembler. – JdeBP – 2011-07-08T14:27:54.077

> Either way, what can I do with this code to make sure I'm not executing arbitrary commands?

– skub – 2011-07-09T02:56:18.667

0

Decoding it to ASCII would be useless as it is not a text string - the \x0... bytes map to control characters in the ASCII character set, not to printable characters.

Dave Sherohman

Posted 2011-07-08T05:30:56.293

Reputation: 5 143
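
Added example (not part of any post above, and not taken from the exploit): a Python sketch that turns the question's two C string literals into raw bytes without executing them, counts how many are printable ASCII, re-encodes them to `\xNN` form, and splits them into 16-bit units for comparison with a disassembler or assembler listing. All function names are hypothetical; the 16-bit split relies on SuperH instructions being 16 bits wide, and the byte order passed to `halfwords` is the reader's assumption about the target.

```python
import re

# The two lines quoted in the question, as raw C source text.
C_SOURCE = r'''
    "\x6a\x26\x5a\x25\x04\xe3\xb3\x64"
    "\x04\xc7\x03\x65\x48\xe6\x02\xc3"
'''

def c_hex_literals_to_bytes(src):
    """Join adjacent C string literals that consist only of \\xNN escapes."""
    out = bytearray()
    for literal in re.findall(r'"([^"]*)"', src):
        escapes = re.findall(r'\\x([0-9a-fA-F]{2})', literal)
        if len(escapes) * 4 != len(literal):
            # Refuse anything else: C's \x escape is greedy, so "\x04e"
            # would be one byte (0x4e), not two.
            raise ValueError("not pure \\xNN escapes: %r" % literal)
        out.extend(int(h, 16) for h in escapes)
    return bytes(out)

def bytes_to_c_literals(data, per_line=8):
    """Re-encode raw bytes as C string literals, per_line bytes on each."""
    return ['"' + "".join("\\x%02x" % b for b in data[i:i + per_line]) + '"'
            for i in range(0, len(data), per_line)]

def printable_count(data):
    """Number of bytes that fall in printable ASCII (0x20..0x7e)."""
    return sum(0x20 <= b <= 0x7e for b in data)

def halfwords(data, byteorder):
    """16-bit units for comparison with a listing; byteorder ('little' or
    'big') is the reader's assumption about the target."""
    if len(data) % 2:
        raise ValueError("odd length, not a whole number of 16-bit units")
    return [int.from_bytes(data[i:i + 2], byteorder)
            for i in range(0, len(data), 2)]

def first_mismatch(a, b):
    """Offset of the first differing byte, or None when a == b."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

if __name__ == "__main__":
    code = c_hex_literals_to_bytes(C_SOURCE)
    print(len(code), "bytes,", printable_count(code), "printable")
    print(" ".join("%04x" % w for w in halfwords(code, "little")))
    print("\n".join(bytes_to_c_literals(code)))
```

`first_mismatch` is there for the verification asked about in the comments: assemble the listing yourself, load the resulting bytes, and compare them with what the C array actually contains.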