6.D.1. Assignment

3. Sends string to all terminals

The third shellcode we’re going to look at is one which sends a string to all terminals. Originally, the string was “Phuck3d!”, but we’ll be using something else along the way, just for fun.
One typo was found in the code[] array of the original C code: the line was missing the terminating “;” that C requires. After adding it, the file compiled correctly. The other modification is that main calls the shellcode through a pointer to “evil”, as in the other shellcode examples for SLAE; this makes the function a little easier to locate and analyse in a debugger.

Compiling original file:

$ ../compile_c.sh c_linx86_send-string-all-terminals_shellstorm_sample3_mod
[+] Compiling ... 
[+] Done!

Debugging with GDB:

$ gdb -q ./c_linx86_send-string-all-terminals_shellstorm_sample3_mod
Reading symbols from /home/vbox/exam/assignment_6/c_linx86_send-string-all-terminals_shellstorm_sample3_mod...(no debugging symbols found)...done.

Setting breakpoint at code function:

gdb-peda$ b *&evil
Breakpoint 1 at 0x804a040
gdb-peda$ r

Printing out the code part, and writing it to a file:

Just like before, we’re only interested in the code that gets executed in the “code” function.

gdb-peda$ x/23i &evil
=> 0x804a040 <evil>:	push   0xb
   0x804a042 <evil+2>:	pop    eax
   0x804a043 <evil+3>:	cdq    
   0x804a044 <evil+4>:	push   edx
   0x804a045 <evil+5>:	push   0x6c6c6177
   0x804a04a <evil+10>:	push   0x207c2021
   0x804a04f <evil+15>:	push   0x64336b63
   0x804a054 <evil+20>:	push   0x75685020
   0x804a059 <evil+25>:	push   0x6f686365
   0x804a05e <evil+30>:	mov    esi,esp
   0x804a060 <evil+32>:	push   edx
   0x804a061 <evil+33>:	pushw  0x632d
   0x804a065 <evil+37>:	mov    ecx,esp
   0x804a067 <evil+39>:	push   edx
   0x804a068 <evil+40>:	push   0x68732f2f
   0x804a06d <evil+45>:	push   0x6e69622f
   0x804a072 <evil+50>:	mov    ebx,esp
   0x804a074 <evil+52>:	push   edx
   0x804a075 <evil+53>:	push   esi
   0x804a076 <evil+54>:	push   ecx
   0x804a077 <evil+55>:	push   ebx
   0x804a078 <evil+56>:	mov    ecx,esp
   0x804a07a <evil+58>:	int    0x80

Using GDB to log to a file

gdb-peda$ set logging file gdb_linx86_send-string-all-terminals_shellstorm_sample3_mod.txt
gdb-peda$ set logging on
Redirecting output to gdb_linx86_send-string-all-terminals_shellstorm_sample3_mod.txt.
gdb-peda$ x/23i &evil
gdb-peda$ set logging off
Done logging to gdb_linx86_send-string-all-terminals_shellstorm_sample3_mod.txt.

AWK’ing the created file

$ awk '{print substr($0, index($0, $3))}' gdb_linx86_send-string-all-terminals_shellstorm_sample3_mod.txt | sed -e 's/<evil>:\t//' 
push   0xb
pop    eax
cdq    
push   edx
push   0x6c6c6177
push   0x207c2021
push   0x64336b63
push   0x75685020
push   0x6f686365
mov    esi,esp
push   edx
pushw  0x632d
mov    ecx,esp
push   edx
push   0x68732f2f
push   0x6e69622f
mov    ebx,esp
push   edx
push   esi
push   ecx
push   ebx
mov    ecx,esp
int    0x80

$ awk '{print substr($0, index($0, $3))}' gdb_linx86_send-string-all-terminals_shellstorm_sample3_mod.txt | sed -e 's/<evil>:\t//' > asm_linx86_send-string-all-terminals_shellstorm_sample3_mod.asm

Copy for our own modifications

$ cp asm_linx86_send-string-all-terminals_shellstorm_sample3_mod.asm asm_linx86_send-string-all-terminals_shellstorm_sample3_mod-alt.asm

Generating our own string to display

Using our helper, we generate our own string to be displayed across several terminals. Like the previous string, it includes a trailing space.

$ python ../string_to_hex.py " HODORHODORHODOR"
String length : 16

Converted [{opcode} {0x hex} ; {reversed string}] format
push 0x524f444f ; RODO
push 0x48524f44 ; HROD
push 0x4f48524f ; OHRO
push 0x444f4820 ; DOH
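As an added example (not the page's own code and not its string_to_hex.py helper), the Python below does both halves of what this section walks through: it decodes the push immediates in the x/23i listing back into the execve argv strings (so an analyst can read the command a stack-built shellcode will run without executing it), and it recreates the helper's push-line output for a replacement string. It assumes the listing's whitespace has been collapsed to single spaces and, for the encoder, that strings are padded to a 4-byte multiple with spaces.

```python
import re

# Constructed input: the awk-cleaned x/23i listing from this page, joined with
# newlines (whitespace between mnemonic and operands collapsed to one space).
LISTING = ("push 0xb\npop eax\ncdq\npush edx\n"
           "push 0x6c6c6177\npush 0x207c2021\npush 0x64336b63\n"
           "push 0x75685020\npush 0x6f686365\nmov esi,esp\n"
           "push edx\npushw 0x632d\nmov ecx,esp\n"
           "push edx\npush 0x68732f2f\npush 0x6e69622f\nmov ebx,esp\n"
           "push edx\npush esi\npush ecx\npush ebx\nmov ecx,esp\nint 0x80")

PUSH_IMM = re.compile(r"^(push|pushw)\s+0x([0-9a-f]+)$")

def decode_stack_strings(listing):
    """Recover the strings the shellcode builds on the stack, in the order
    their addresses are taken with `mov reg,esp`. Non-printable immediates
    (the syscall number) and register pushes (`push edx` terminators) are skipped."""
    strings, chunks = [], []
    for line in listing.splitlines():
        line = line.split(";")[0].strip()        # drop helper-style comments
        m = PUSH_IMM.match(line)
        if m:
            width = 2 if m.group(1) == "pushw" else 4
            raw = int(m.group(2), 16).to_bytes(width, "little")
            if all(0x20 <= b < 0x7f for b in raw):
                chunks.append(raw.decode("ascii"))
        elif line.startswith("mov") and line.endswith(",esp") and chunks:
            # The stack grows down, so the last push holds the string's start.
            strings.append("".join(reversed(chunks)))
            chunks = []
    return strings

def string_to_pushes(text):
    """Emit `push` lines in the format the page's helper prints.
    Assumption: reimplementation, not the page's script; pads with spaces."""
    data = text.encode("ascii")
    data += b" " * (-len(data) % 4)
    lines = []
    for i in range(len(data) - 4, -1, -4):       # last chunk is pushed first
        chunk = data[i:i + 4]
        lines.append("push 0x%08x ; %s" % (int.from_bytes(chunk, "little"),
                                           chunk[::-1].decode("ascii")))
    return lines
```

Running decode_stack_strings(LISTING) yields the three argv strings ['echo Phuck3d! | wall', '-c', '/bin//sh'], and string_to_pushes(" HODORHODORHODOR") reproduces the four push lines shown above.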