As we know, shellcode has many uses, for example in exploit and malware development. But here is a question: can we assemble the shellcode (its assembly code) and run it directly, without injecting it into another process or file? Of course. Shellcode is just a sequence of machine-code bytes, usually written so that it contains no null bytes and can be injected into a process.
OWASP ZSC keeps the disassembly listing inside the generated file, and that listing can be used to build the shellcode as a single standalone file.
Take a look at a shellcode generated by OWASP ZSC.
```c
#include <stdio.h>
#include <string.h>
/*
This shellcode generated by ZCR Shellcoder [zsc]
http://zsc.z3r0d4y.com/

Title: system('nc[space]-v[space]google.com[space]80')
OS: linux_x86
Encode: none
Length: 74

shellcode.c:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   6a 0b                   push   $0xb
   2:   58                      pop    %eax
   3:   99                      cltd
   4:   52                      push   %edx
   5:   68 90 20 38 30          push   $0x30382090
   a:   59                      pop    %ecx
   b:   c1 e9 08                shr    $0x8,%ecx
   e:   51                      push   %ecx
   f:   68 2e 63 6f 6d          push   $0x6d6f632e
  14:   68 6f 67 6c 65          push   $0x656c676f
  19:   68 76 20 67 6f          push   $0x6f672076
  1e:   68 6e 63 20 2d          push   $0x2d20636e
  23:   89 e6                   mov    %esp,%esi
  25:   52                      push   %edx
  26:   68 90 90 2d 63          push   $0x632d9090
  2b:   59                      pop    %ecx
  2c:   c1 e9 10                shr    $0x10,%ecx
  2f:   51                      push   %ecx
  30:   89 e1                   mov    %esp,%ecx
  32:   52                      push   %edx
  33:   6a 68                   push   $0x68
  35:   68 2f 62 61 73          push   $0x7361622f
  3a:   68 2f 62 69 6e          push   $0x6e69622f
  3f:   89 e3                   mov    %esp,%ebx
  41:   52                      push   %edx
  42:   57                      push   %edi
  43:   56                      push   %esi
  44:   51                      push   %ecx
  45:   53                      push   %ebx
  46:   89 e1                   mov    %esp,%ecx
  48:   cd 80                   int    $0x80

compile example:
gcc -ggdb -static -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o shellcode_compiled shellcode.c
*/
int main(){
    /* the 74 opcode bytes of the listing above as a C string (it contains no NUL) */
    unsigned char shellcode[]= "\x6a\x0b\x58\x99\x52\x68\x90\x20\x38\x30\x59\xc1\xe9\x08\x51\x68\x2e\x63\x6f\x6d\x68\x6f\x67\x6c\x65\x68\x76\x20\x67\x6f\x68\x6e\x63\x20\x2d\x89\xe6\x52\x68\x90\x90\x2d\x63\x59\xc1\xe9\x10\x51\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
    fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
    /* jump into the buffer; it lives on the stack, hence -z execstack in the compile line */
    (*(void(*)()) shellcode)();
}
```
Our shellcode is built for linux_x86 and runs the command "nc -v google.com 80". Reading the listing: it loads 0xb (execve) into %eax, zeroes %edx with cltd, builds the strings "/bin/bash", "-c" and "nc -v google.com 80" on the stack, pushes an argv array of pointers to them and issues int $0x80 (note that %edi, which the code never sets, is pushed as a fourth argv entry, so the shellcode relies on that register holding zero, or a pointer execve accepts, at the moment it runs). The code contains no null bytes: the string terminators come from %edx, and the short tail words " 80" and "-c" are pushed padded with 0x90 bytes and then shifted right with shr, so the zero bytes only ever exist in a register. As we can see, the whole objdump listing is kept in the comment of the C file. The compile example in that comment targets a 32-bit toolchain (on an x86_64 host add -m32, with a 32-bit libc installed because the binary is linked statically), and it needs -z execstack only because this C harness jumps into a buffer on the stack.
Now all we need is to split the instructions out of the compiled opcode listing: every line of the objdump output carries an address, the opcode bytes and the instruction text, and only the instruction column is needed to rebuild an assembly source file.
We have to save those instructions in a file under a _start label and assemble and link it, for example with as --32 and ld -m elf_i386. The result is an ELF executable (the shellcode targets linux_x86, so the output is ELF, not a PE file) that runs the shellcode directly, with no C loader and no executable stack.
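The whole procedure above, from the listing in shellcode.c to a standalone ELF, as an added example (this script is mine, not ZSC output and not part of the original post). It takes the objdump listing from the generated file as constructed input, extracts the opcode bytes into the "\x.." string ZSC writes into the C harness and checks their count and the absence of NUL bytes, splits the instruction column into a GAS source file under a _start label, and assembles and links it with as --32 and ld -m elf_i386. The function names, the temp-file layout and the parsing rule (opcode bytes end at the first field that is not a two-digit hex pair) are this example's own assumptions; awk and GNU binutils with i386 support are the only dependencies.

```shell
#!/bin/sh
# Added example, not ZSC output and not from the original post: it automates
# the procedure described above for a ZSC-generated shellcode.c. From the
# objdump listing ZSC keeps in the file's comment it extracts the opcode bytes
# (the "\x.." string of the C harness) and checks them for NUL bytes, splits
# the instruction text into a GAS source file under a _start label, and
# assembles and links that into a standalone 32-bit ELF with as and ld.
# Needs POSIX sh, awk and GNU binutils with i386 support. LISTING is copied
# from the shellcode.c above as constructed input; the function names and the
# temp-file layout are this example's own choices.

LISTING='00000000 <.text>:
   0:   6a 0b                   push   $0xb
   2:   58                      pop    %eax
   3:   99                      cltd
   4:   52                      push   %edx
   5:   68 90 20 38 30          push   $0x30382090
   a:   59                      pop    %ecx
   b:   c1 e9 08                shr    $0x8,%ecx
   e:   51                      push   %ecx
   f:   68 2e 63 6f 6d          push   $0x6d6f632e
  14:   68 6f 67 6c 65          push   $0x656c676f
  19:   68 76 20 67 6f          push   $0x6f672076
  1e:   68 6e 63 20 2d          push   $0x2d20636e
  23:   89 e6                   mov    %esp,%esi
  25:   52                      push   %edx
  26:   68 90 90 2d 63          push   $0x632d9090
  2b:   59                      pop    %ecx
  2c:   c1 e9 10                shr    $0x10,%ecx
  2f:   51                      push   %ecx
  30:   89 e1                   mov    %esp,%ecx
  32:   52                      push   %edx
  33:   6a 68                   push   $0x68
  35:   68 2f 62 61 73          push   $0x7361622f
  3a:   68 2f 62 69 6e          push   $0x6e69622f
  3f:   89 e3                   mov    %esp,%ebx
  41:   52                      push   %edx
  42:   57                      push   %edi
  43:   56                      push   %esi
  44:   51                      push   %ecx
  45:   53                      push   %ebx
  46:   89 e1                   mov    %esp,%ecx
  48:   cd 80                   int    $0x80'

# Opcode bytes of an objdump listing (stdin) as a \x-escaped string (stdout).
# Bytes end at the first field that is not a two-digit hex pair (the mnemonic),
# so bytes-only continuation lines of wrapped instructions are included too.
listing_to_hex() {
    awk '/^[ \t]*[0-9a-f]+:/ {
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^[0-9a-f][0-9a-f]$/) break
            printf "\\x%s", $i
        }
    }'
}

# Print "<byte count> <NUL count>" for a \x-escaped string (stdin); the second
# number must be 0 for shellcode that travels through a C string.
hex_stats() {
    awk '{ z += gsub(/\\x00/, ""); n += gsub(/\\x[0-9a-f][0-9a-f]/, "") }
         END { print n + z + 0, z + 0 }'
}

# Objdump listing (stdin) -> GAS source (stdout): only the instruction column,
# under a _start label so ld can use it as the entry point.
listing_to_gas() {
    printf '.text\n.globl _start\n_start:\n'
    awk '/^[ \t]*[0-9a-f]+:/ {
        i = 2
        while (i <= NF && $i ~ /^[0-9a-f][0-9a-f]$/) i++
        if (i > NF) next                 # continuation line: bytes only
        line = $i
        for (i++; i <= NF; i++) line = line " " $i
        sub(/[ \t]*<[^>]*>$/, "", line)  # drop objdump symbol annotations
        print "    " line
    }'
}

# Assemble and link GAS source $1 into the 32-bit ELF executable $2. The code
# lives in .text, so no executable stack and no C wrapper are involved.
build_elf() {
    as --32 -o "$2.o" "$1" && ld -m elf_i386 -o "$2" "$2.o"
}

main() {
    hex=$(printf '%s\n' "$LISTING" | listing_to_hex)
    printf 'shellcode: "%s"\n' "$hex"
    printf 'bytes, NULs: %s\n' "$(printf '%s' "$hex" | hex_stats)"
    work=$(mktemp -d)
    printf '%s\n' "$LISTING" | listing_to_gas > "$work/shellcode.s"
    if build_elf "$work/shellcode.s" "$work/shellcode"; then
        printf 'built %s; run it to execute the shellcode\n' "$work/shellcode"
    else
        printf 'no i386 as/ld here; source left in %s\n' "$work/shellcode.s"
    fi
}
main
```

The generated shellcode.s is the three-line header followed by the 31 instructions of the listing, which you can read or edit before assembling; as re-encodes them to the same 74 bytes. Running the resulting binary on a Linux x86 host (or an x86_64 kernel with 32-bit syscall support) executes "nc -v google.com 80" through /bin/bash exactly as the C harness does, but from a normal .text section.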
References
ZeroDay Cyber Research: ZSC Home (http://zsc.z3r0d4y.com/)
OWASP Page
Ali Razmjoo