Linux Shell Code

Posted on 2011-09-16
Last Modified: 2012-05-12
Hi Experts - I have a homework problem that I have no idea how to even begin; any guidance would be appreciated.  Take a look:

You are required to come up with a binary file containing some Linux shellcode such that the
following program will spawn a /bin/sh shell upon reading the binary file in the Linux lab virtual
machine. Note, the program has some primitive defense against “code injection” which searches
substring “/bin/sh” from the first line of the input binary file. For a full score, you need to find a
shellcode that does not contain substring “/bin/sh” but spawns “/bin/sh” shell (hint: you can use
registers to hold the string “/bin/sh”, and push them into the stack; or find some way to disguise your
“/bin/sh” string; Be creative to defeat the primitive content signature matching!)

Program is attached
/* testsh.c */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define bufsz 100

const char msg[]="Usage: %s <shellcode file>\n";

static char buffer1[bufsz];
static char buffer2[bufsz];

void usage(char *self)
{ printf(msg, self);
  exit(1);
}

int main(int argc, char *argv[])
{ FILE *fp;
  void (*funcptr)();

  if (argc != 2) usage(argv[0]);

  if ((fp=fopen(argv[1], "rb"))==NULL)
  { printf("fail to open file: %s\n", argv[1]);
    exit(1);
  }

  fgets(buffer1, bufsz, fp);  /* only the first line of the file is read */

  strcpy(buffer2, buffer1); /* your shellcode should not contain \x00 */

  if (strlen(buffer2)>=40) /* your shellcode should be less than 40 bytes */
    printf("your shellcode is too long! 5 points penalty \n");

  if (strlen(buffer2)<30) /* the shorter, the better the shell code is */
    printf("your shellcode is less than 30 bytes! 10 bonus points\n");

  if (strstr(buffer2, "/bin/sh")) /* primitive content signature check */
    printf("Malicious code detected! 15 points penalty \n");

  funcptr = (void *) buffer2;
  (*funcptr)();  /* execute your shell code */

  return 0 ;
}


Question by:southpau1
LVL 40

Expert Comment

ID: 36552327
So start investigating....

Author Comment

ID: 36552376
Thanks, I am researching as well.  That's why I didn't just come out and ask for a solution.  Figured I would attack this problem from all fronts.
LVL 40

Expert Comment

ID: 36553359
Ok, but the answer isn't too difficult; anything else might be considered against the rules of EE.

Author Comment

ID: 36553735
Do you know of a specific reference that can help me?  I've read a couple of papers at the top of the search results in Google and none are really beginner shellcode.
LVL 40

Accepted Solution

noci earned 333 total points
ID: 36553765
Well shell code 101:

Make a short assembly program, it must fit the constraints of the program you try to invade.
The rest is a matter of trying to fit the constraints.
The more complex story can be found using the links....

Start trying...
LVL 53

Assisted Solution

Infinity08 earned 167 total points
ID: 36554059
The article "Smashing the stack for fun and profit" is imo the best reference on exploiting stack overflows :

It also contains a nice introduction to writing shell code.

Author Comment

ID: 36577718
Ok guys, I have put together some C code that is close to working (I think).  It executes by itself, but the string does not concatenate correctly.  I'm not a C pro, can you help?
#include <string.h>
#include <stdlib.h> 

	char beg[4]="/bin";
	char end[3]="/sh";

LVL 40

Assisted Solution

noci earned 333 total points
ID: 36577785
From 'man strcat'

The  strcat()  function appends the src string to the dest string, overwriting the null byte ('\0') at the end
of dest, and then adds a terminating null byte.  The strings may not overlap, and the dest  string  must  have
enough space for the result.

That should also set you thinking about your payload btw.
LVL 40

Expert Comment

ID: 36965146
The problem is that this is quite basic knowledge about how C strings work, and how to copy stuff around.
It's clearly an assignment, as is stated in the first sentence.
The answer has been given with a clear pointer, but not an exact answer, as to why his example will not work.

It's hard to just not tell the right answer but point in the right direction...
As given, the exercise is not too difficult.

LVL 53

Expert Comment

ID: 36967508
Since the question was asking for guidance, and that's what was provided, I recommend closing the question by accepting these posts :

        http:#36553765 (noci) : short overview of what needs to be done
        http:#36554059 (Infinity08) : a nice reference with examples, and a clear explanation
        http:#36577785 (noci) : some corrections for the first attempt from the asker

With this, the asker should have been able to make it work. I can only guess he did, because he didn't get back to us.

Author Closing Comment

ID: 37046602
I was mostly given links to web pages, which I can find myself.  Was really hoping to get some expert insight, not just a web page.
LVL 40

Expert Comment

ID: 37046850
not to offend, but...

This is homework, I cannot give you a solution directly (I don't do the homework for my kids either...)
You were given some pointers, and whether that is a textbook reference [ rather hard to get sometimes ] or a pointer to a website [ more convenient ], it's a source for the knowledge you wish to acquire.

Then you presented your solution, which fails on several grounds like [size] and [copy constraints]. You appear to be missing some basic understanding of how stuff works just below the visible world. This was hinted at using the strcat() manpage excerpt.

Sorry to be rather blunt.. But I really do hope you score better than B...

