Tuesday, November 22, 2005

Writing shellcodes for fun (and profit)

Hello,

Maybe it's time for something more difficult. Let's talk about shellcode tonight.
Not the simple execve and setuid shellcodes, but something more fun: the old "Hello World" example, written so that it contains no zero bytes and exits cleanly.

The C code

If you want to make a shellcode, the first thing you should do is write it in C, so that you know exactly which system calls you need. So let's start with the C code:

// helloworld.c
#include <stdio.h>
#include <stdlib.h>    /* exit()  */
#include <unistd.h>    /* write() */

int main(void)
{
    char *buffer = "Hello World";
    write(1, (void *)buffer, 11);   /* fd 1 = stdout, 11 bytes, no NUL */
    exit(0);
}

Looks very nice, doesn't it? Let's analyse this piece of code.

char *buffer = "Hello World";

We declare a char pointer and let it point at the string literal "Hello World", which the compiler stores in memory followed by a terminating NUL. Easy, but very important for our shellcode: in assembly we will have to put that string somewhere in memory ourselves.

write(1, (void*)buffer, 11);

Now we have our function, declared in unistd.h. write() writes bytes to a file descriptor, not to a process. Because we want the text on the screen we write it to standard output, which on Linux is file descriptor 1. After the destination comes the source, the buffer pointer, and finally the number of bytes to write, 11 (the length of "Hello World" without the terminating NUL, which write() does not need).

exit(0);

After writing "Hello World" to the screen we want to exit cleanly. This is done by exit(0), declared in stdlib.h, which ends the process with exit status 0. It maps directly to a single system call, which is why it is used here instead of return 0.

Going down to ASM-x86

Let's start with the real work: going from C to x86 assembly. I myself run an amd64 with a 64-bit Gentoo Linux environment, but I created a 32-bit x86 chroot which I use for developing 32-bit Linux shellcode. After a few minutes I came up with this shellcode:

BITS 32
xor eax, eax            ; eax = 0, encoded without a zero byte

push 0x0a646c72         ; "rld\n" (the newline is filler; only 11 bytes are written)
push 0x6f57206f         ; "o Wo"
push 0x6c6c6548         ; "Hell"
mov ecx, esp            ; ecx = address of the string on the stack
xor ebx, ebx
inc ebx                 ; ebx = 1, stdout
push byte 0x0b
pop edx                 ; edx = 11, the length
mov al, 0x04            ; write
int 0x80

xor ebx, ebx            ; ebx = 0, the exit status
mov al, 0x01            ; exit
int 0x80

Let me explain the code very carefully. First we want to clear a register: eax has to be zero, because later we only load the system call number into its lowest byte (al) and the upper three bytes must not contain leftovers. We can't use "mov eax, 0", because that assembles to b8 00 00 00 00 and shellcode should not contain zero bytes: it usually reaches its target through a string function such as strcpy(), which stops copying at the first NUL. That's why I used xor, which gives the same result in two bytes (31 c0).

BITS 32
xor eax, eax ;; always becomes 0

push 0x0a646c72
push 0x6f57206f
push 0x6c6c6548
mov ecx, esp

We build the string on the stack. Each push stores a 32-bit immediate in little-endian order, so the bytes of 0x6c6c6548 end up in memory as 48 65 6c 6c, which reads "Hell". The stack grows downwards, so the last part of the string ("rld") is pushed first and the first part ("Hell") last; after the three pushes esp points at the start of "Hello World\n". Because write() takes an explicit length, no NUL terminator is needed. The 11 characters do not fill three dwords, so the fourth byte of the last dword is a newline rather than a zero (set edx to 12 below if you want it printed). Note that pushing a shorter immediate such as 0x6c6548 ("Hel") would not work: it is stored as 48 65 6c 00, which puts a NUL in the middle of the string and a zero byte in the shellcode. Finally the address of the string, esp, is copied into ecx, the second argument of write().

xor ebx, ebx
inc ebx

The first argument of write() is the file descriptor, 1 for standard output. "mov ebx, 1" would assemble to bb 01 00 00 00, three zero bytes, so we zero the register and increment it instead (31 db 43).

push byte 0x0b
pop edx

The third argument is the number of bytes to write, 11 (yes, eleven --> 0x0b). Again "mov edx, 0x0b" (ba 0b 00 00 00) contains zeros; pushing the value as a sign-extended 8-bit immediate (6a 0b) and popping it into edx does not. And now we can call the write function.

mov al, 0x04
int 0x80

Every unistd function ends up in a system call. The 32-bit Linux system call numbers are listed in asm/unistd.h (asm/unistd_32.h on newer systems); write is number 4. The number goes into eax, the arguments into ebx, ecx and edx, and int 0x80 enters the kernel. Because eax is already zero, loading only al is enough and avoids zero bytes.

xor ebx, ebx
mov al, 0x01
int 0x80

Now we have to exit our shellcode correctly. The system call number for exit is 1 and it takes the exit status in ebx; we want 0, so ebx is zeroed again. write() leaves the number of bytes written in eax, so al has to be reloaded as well before the call.

Now let's see if our shellcode is working.


linux write # nasm helloworld.s

No errors, that could be a good sign. Without an -f option nasm writes a flat binary (here a file named helloworld) that contains nothing but the 35 instruction bytes. I converted them into a C string (xxd -i helloworld prints them as a C array) and used a simple C test program to run the code. Always check the dump for \x00 before going any further: a single zero byte means the payload would be cut short on its way in.

linux write # cat test.c
/* The following shellcode is 35 bytes long and contains no zero bytes: */

char shellcode[] =
"\x31\xc0\x68\x72\x6c\x64\x0a\x68\x6f\x20\x57\x6f\x68\x48\x65"
"\x6c\x6c\x89\xe1\x31\xdb\x43\x6a\x0b\x5a\xb0\x04\xcd\x80\x31"
"\xdb\xb0\x01\xcd\x80";

int main(void)
{
    int *ret;

    /* Overwrite the saved return address of main() so that the
     * "return 0" below jumps into the shellcode instead of back into
     * the C runtime. The "+ 2" is the distance, in ints, between the
     * local variable and the saved return address; it depends on the
     * compiler's frame layout. On a current distribution this trick
     * also needs a 32-bit build without stack protector and with
     * executable data (gcc -m32 -fno-stack-protector -z execstack). */
    ret = (int*)&ret + 2;
    (*ret) = (int)shellcode;

    return 0;
}
linux write # gcc -o test test.c
linux write # ./test
Hello World

Hallo wereld, it's working! Just the way we want it to work. Have a nice day!
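A sturdier way to test shellcode than overwriting main()'s return address is to copy the bytes into an executable mapping and call them as a function, after checking them for the zero bytes discussed above. The program below is an added example and not part of the original post. It carries the 35-byte "Hello World" shellcode from above plus a constructed five-byte sample (the encoding of "mov ebx, 1") to show the zero-byte check firing; it assumes Linux with glibc, and only executes the payload when compiled as a 32-bit binary (gcc -m32), because the code uses int 0x80 and 32-bit instruction encodings.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* The 35-byte "Hello World" shellcode from the post (no zero bytes). */
static const unsigned char hello_sc[] =
    "\x31\xc0\x68\x72\x6c\x64\x0a\x68\x6f\x20\x57\x6f\x68\x48\x65"
    "\x6c\x6c\x89\xe1\x31\xdb\x43\x6a\x0b\x5a\xb0\x04\xcd\x80\x31"
    "\xdb\xb0\x01\xcd\x80";
#define HELLO_SC_LEN (sizeof hello_sc - 1)   /* drop the C string's own NUL */

/* Constructed sample: the bytes "mov ebx, 1" assembles to (bb 01 00 00 00). */
static const unsigned char mov_ebx_1[] = "\xbb\x01\x00\x00\x00";
#define MOV_EBX_1_LEN (sizeof mov_ebx_1 - 1)

/* Return the offset of the first zero byte, or -1 if there is none.
 * A zero byte terminates the copy when the payload travels through
 * strcpy()-style code, so it must never appear in shellcode. */
long find_zero_byte(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0)
            return (long)i;
    return -1;
}

/* Copy the payload into a fresh RWX page and run it as a function.
 * Returns -1 if the mapping fails; does not return at all when the
 * shellcode calls exit(), as the one above does. */
int run_shellcode(const unsigned char *code, size_t len)
{
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, code, len);
    ((void (*)(void))page)();   /* jump to the copied bytes */
    munmap(page, len);
    return 0;
}

int main(void)
{
    /* The constructed sample trips the check at offset 2. */
    printf("mov ebx,1 sample: first zero byte at offset %ld\n",
           find_zero_byte(mov_ebx_1, MOV_EBX_1_LEN));

    if (find_zero_byte(hello_sc, HELLO_SC_LEN) != -1) {
        fputs("shellcode contains a zero byte, refusing to run it\n", stderr);
        return 1;
    }
    printf("%zu bytes, no zero bytes, running...\n", HELLO_SC_LEN);
    fflush(stdout);   /* the payload writes to fd 1 directly, bypassing stdio */
#if defined(__i386__) && defined(__linux__)
    return run_shellcode(hello_sc, HELLO_SC_LEN);
#else
    fputs("build with gcc -m32 on Linux to execute the payload\n", stderr);
    return 0;
#endif
}
```

Build with gcc -m32 -o sctest sctest.c; the mmap() call gives the bytes an executable page explicitly, so no -z execstack or frame-layout guessing is involved, and the zero-byte scan runs before anything is executed.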

-Noud 'jwaixs' Aldenhoven





First results!


The first results from Google Analytics are in. It's more than I expected: 8 visitors in 2 days, wow! Good job everyone.

Friday, November 18, 2005

Updated my blog

Hello,

It has been a long time since my last post. Now I'm back and I really want to change some things over here. First of all, I really hate all those stupid spam comments, so now you need to be a member of the blog to post a comment; hopefully that will work. Next, I picked another clean template for the blog. I haven't created a template of my own yet, but I modified this one a little. Last of all, I hacked Google Analytics into the blog; hopefully that will work too.

Greetings,

Noud

Friday, September 30, 2005

No Permission Error

Yesterday this blog was not reachable; I don't know why it gave a permission error. The next time it happens, I'll investigate.

Noud

Tuesday, September 27, 2005

Compaq Portable III

How it all started

My parents are fond of going to flea markets. (I'm not sure that's the right word for it; anyway.) When they are at those markets they buy a lot, and mostly it's trash whose only purpose is to stand somewhere in the garden and watch over some stupid plants. But when my parents returned from a flea market nearby this Sunday, they had bought something use(less/ful) for me: a complete, functional laptop named Compaq Portable III.

What's in it for me?

For those who don't know exactly what the CPIII is, here are some hardware specifications:
  • Model: 2660
  • Sn: 1722AL2B0186
  • PC-AT
  • CPU: Intel 80286, 12MHz
  • Math coprocessor included
  • RAM: 640K
  • Display: CGA plasma, 80 columns, 25 lines
  • Ports: 1 parallel, 1 serial, 1 RGB
  • 1 expansion slot
  • Storage: 5 1/4" floppy drive, 1.2MB

Once upon a time there was...


The Compaq Portable III was definitely one of the finest portable computers of its day. The one pictured below is the base version of the computer. The basic configuration includes 640K of RAM, a 20MB internal hard drive, an internal 5.25", 1.2MB high-density floppy drive, and the adjustable gas plasma display. Also included are parallel, serial, and RGB monitor ports. The computer is AC powered. The base version of the Portable III (Model 20) had a list price of $4,999.00. Another version, the Model 40 (40 MB hard drive), was available at $5,799.00; DOS 3.3 was an extra $120.00.

The Compaq was a top-flight computer and the price was a little steep even for that time. Prices listed were in effect in 1988. The original Compaq Portable was a fairly large unit that looked like a portable sewing machine when it was all packed up. The machine was followed by the Compaq Portable II. This second-generation machine was nearly as heavy as the original Portable, but had trimmer dimensions, and the original machine's 8088 processor was upgraded to an 8 MHz 80286 processor.

This brings us up to the introduction of the Portable III. For most uses, this was a much better machine. Probably the most noticeable drawback for some users was that the Portable III lacked internal expansion slots. Compaq offered an external expansion unit that could hold two full-length expansion cards. The unit attached to the rear of the computer and listed for $199.00. The Compaq Portable III had been improved in several ways over the earlier machines. First of all, I would say it is roughly half the size of the original Portable. Secondly, though not exactly a lightweight (at 20 lbs.), it was at least 6 lbs. lighter than the earlier designs. The footprint of the "lunch box" style case occupies about half the space of the older designs, or of a traditional desktop computer. The reductions in size and weight made it much less of a chore to shuttle the computer between home and the office.

Summed up, it's crap, but it's nice crap. So I tried to do something with it.

First try

First of all, what should I try with this huge sandwich-box lookalike from the old days? Installing Linux, of course! But where would I find an operating system old enough to run on a computer from 1988? That's why I switched to Minix, the precursor of Linux and Linus Torvalds' biggest idol. I downloaded Minix from the internet and pushed in the root disk. Guess what, it worked! The CPIII read the disk and loaded the Minix kernel into the 16-bit protected stack. After it asked for the second USR disk I had a bash (Bourne-again shell) running. Amazing to work with a computer that's older than yourself!

Problems

After trying some things on my "portable" 12.5kg laptop I can conclude that this is the crappiest and coolest ("vetste" in Dutch) PC I've ever worked with. But I've encountered some small problems.
First of all, what can I do with 640kB of RAM? Nothing, really nothing. The smallest Linux kernel needs at least 1MB of RAM to run, so I have a lot of restrictions.
Second, WHERE THE FUCK is the hard disk? I really can't find one. I'm really not a n00b on *NIX systems and know what's going on in a system. But it really seems that the hard drive isn't working anymore, which means I should (perhaps) buy another one.

This is where I'll end my story and include some nice pictures of my CPIII laptop.

***If you ever find a CPIII, don't hesitate, buy it. You can always say that I bought one for 2.5 euro, so you don't need to pay more for it. ;-)***




Saturday, September 17, 2005

Dyslexie and programming?

It's a bit late now, almost 2:00 (am). But I found something very funny.

As you may already know, I'm dyslexic, or someone who can't spell things correctly. Besides not spelling things right I also can't read fast, which is why the books on my literature list are spoken on tape. It's really easy to read a book like that.

As you may also have noticed, I like programming. C (and a bit of C++, Python and asm) in particular. A good book I once read to learn the basics of C was The C Programming Language. When I was surfing the web a few minutes ago I found this:

"The second edition is available on audio tape for loan or purchase from Recording for the Blind & Dyslexic."

After some minutes of searching I found the tape. It doesn't list a price, but I like that people pay attention to those of us who are less gifted with language. But I doubt that this recording would be very useful... ;-)

Noud Aldenhoven

Wednesday, September 14, 2005

Integers

This is my first post about something other than myself. This time I'll write about something more computer-related: I'm going to describe how integers work!

Integers are one or more digits. In decimal these digits are 0 to 9, but they could also be only 0 or 1, as in binary, or 0 to F, as in hexadecimal (0, 1, ..., 8, 9, A, B, C, D, E, F).
Binary integers are very important in computer science, because a computer can still (I'm waiting for the quantum processor) only count in binary. Hexadecimal in turn is important when you're programming assembly, because each hex digit stands for exactly four bits.

There are 2 types of computer integers:
-Unsigned integers, which can't be negative (200). They are represented in straightforward binary. Take for example 200 in one byte (8 bits, so 2^8 = 256 possible values, 0 up to 255). In binary this becomes 11001000 (or C8 in hexadecimal).
-Signed integers, which can be negative (+52, -52). These work a bit more complicatedly than unsigned integers. I'm going to explain how these integers work; I hope you'll like reading it.

A signed integer must have a way to indicate whether it is positive or negative.

Signed Magnitude Method

The first and simplest way to do that is signed magnitude. It represents an integer as 2 parts: one sign bit (the most significant bit) and the magnitude of the integer in the remaining bits. 56 is represented as 00111000, where the first bit (a zero) shows that the magnitude (0111000) is positive; -56 is 10111000. The range of the signed magnitude method is -127 to +127, fewer distinct values than an unsigned byte (which is 0 up to 255). And zero can be written in 2 ways, 00000000 and 10000000, which both mean the same.

One's Complement Method

The second technique is called the one's complement method. It takes the bitwise complement of an integer (every bit inverted) to produce its negative. It's very simple; for example, +56 is 00111000 in one byte. To produce its negative (-56) we take its one's complement, which is 11000111 (C7 in hex). Zero again has 2 binary codes, 00000000 and its complement 11111111, and the range is again -127 to +127.
This method is handier than the signed magnitude method because it's not too difficult to find the one's complement in hexadecimal. The trick is to subtract every hexadecimal digit from F (15 in decimal). For example, take +56, which is 38 in hexadecimal. Subtract each hexadecimal digit from F and you get C7, which is -56. This agrees with the result above.

Two's Complement Method

This last method is the one used by practically every modern processor. I worked for a long time with a 486 (or something in that direction) and have only had an amd64 for a couple of months, so this technique was quite new to me. This method is a bit more efficient because it doesn't have 2 representations for 0, only 1.
The two's complement method is based on the following two steps:

1) Find the one's complement of the number
2) Add 1 to the result

Here's the same example for this method. We take +56 (00111000) and find its one's complement, 11000111. Then we add 1 to the complement:

11000111
00000001 +
--------
11001000

So the two's complement of +56 is 11001000 (C8 in hex), which represents -56. Decoding works the same way: apply the two steps to 11001000 and you get 00111000 again. This method also solves the problem of having more than one representation for 0. If we take 0 in binary (00000000), its one's complement is 11111111. Adding 1 gives:

11111111
00000001 +
---------
100000000

But the result consists of 9 bits and we were working with 8 bits (one byte). The processor discards the carry out of the top bit (an 8-bit register is left holding 00000000 and the carry flag is set), so -0 is the same bit pattern as +0. The range of a signed byte becomes -128 to +127: one more value than signed magnitude or one's complement, because the pattern 10000000 that used to mean -0 is free to mean -128.
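The three encodings above, carried out for any value of a signed byte, as an added example that is not part of the original post: each function returns the 8-bit pattern its method assigns to a C int in the range that method supports, add8() shows the 9th bit being thrown away exactly as in the 11111111 + 1 example, and from_twos_complement() shows that decoding two's complement is the same operation run backwards.

```c
#include <stdio.h>
#include <stdint.h>

/* Signed magnitude: bit 7 is the sign, bits 0-6 hold |v|.
 * Valid for -127..+127; +0 is 0x00 and -0 is 0x80. */
uint8_t signed_magnitude(int v)
{
    uint8_t mag = (uint8_t)(v < 0 ? -v : v);
    return (uint8_t)((v < 0 ? 0x80 : 0x00) | (mag & 0x7f));
}

/* One's complement: a negative number is the bitwise NOT of |v|,
 * which is the same as subtracting each hex digit from F.
 * Valid for -127..+127; +0 is 0x00 and -0 is 0xff. */
uint8_t ones_complement(int v)
{
    uint8_t mag = (uint8_t)(v < 0 ? -v : v);
    return v < 0 ? (uint8_t)~mag : mag;
}

/* 8-bit addition the way an 8-bit register does it: the sum is
 * truncated to one byte, and the carry out of bit 7 is reported
 * separately (it would land in the processor's carry flag). */
uint8_t add8(uint8_t a, uint8_t b)
{
    return (uint8_t)(a + b);
}

int add8_carry(uint8_t a, uint8_t b)
{
    return (a + b) >> 8;
}

/* Two's complement: one's complement plus one, truncated to 8 bits.
 * Valid for -128..+127, and zero has a single pattern because
 * ~0x00 + 1 = 0x100 and the carry bit is thrown away. */
uint8_t twos_complement(int v)
{
    uint8_t mag = (uint8_t)(v < 0 ? -v : v);
    return v < 0 ? add8((uint8_t)~mag, 1) : mag;
}

/* Decode a two's complement byte back into a C int:
 * a set bit 7 means the pattern stands for (value - 256). */
int from_twos_complement(uint8_t b)
{
    return (b & 0x80) ? (int)b - 256 : (int)b;
}

int main(void)
{
    /* -128 is left out of the table: only two's complement can hold it. */
    const int samples[] = { 56, -56, 0, 127, -127 };

    printf("%6s  %8s  %8s  %8s\n", "value", "sign/mag", "one's", "two's");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = samples[i];
        printf("%6d  %8s0x%02x  %8s0x%02x  %8s0x%02x\n", v,
               "", signed_magnitude(v), "", ones_complement(v),
               "", twos_complement(v));
    }
    printf("two's complement of -128: 0x%02x, decodes to %d\n",
           twos_complement(-128), from_twos_complement(twos_complement(-128)));
    printf("0xff + 0x01 in 8 bits: 0x%02x with carry %d\n",
           add8(0xff, 0x01), add8_carry(0xff, 0x01));
    return 0;
}
```

The single-zero property falls straight out of add8(): the only way to get 0x00 from ~mag + 1 is mag == 0, and that case carries out of the byte and is lost.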

I hope you liked reading this post, and I'd be delighted to read your comments, suggestions and tips.

Noud Aldenhoven

Friday, September 09, 2005

Just woke up

Hello,

I just woke up this morning and found out (again) that I have a strange allergy to chocolate. I have a bad headache and will try to suppress my depressive feeling now... well, it could always be worse.

Oh... and a nice, strange pic of 2 strange Japanese guys:

Goodbye!