[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Linux Shell Code

Posted on 2011-09-16
Medium Priority
Last Modified: 2012-05-12
HI Experts - I have a homework problem that I have no idea to even begin, any guidance would be appreciated.  Take a look:

You are required to come up with a binary file containing some Linux shellcode such that the
following program will spawn a /bin/sh shell upon reading the binary file in the Linux lab virtual
machine. Note, the program has some primitive defense against “code injection” which searches
substring “/bin/sh” from the first line of the input binary file. For a full score, you need to find a
shellcode that does not contain substring “/bin/sh” but spawns “/bin/sh” shell (hint: you can use
registers to hold the string “/bin/sh”, and push them into the stack; or find some way to disguise your
“/bin/sh” string; Be creative to defeat the primitive content signature matching!)

Program is attached
<!-- saved from url=(0059)http://www.cs.gmu.edu/~xwangc/teaching/ISA674/code/testsh.c -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">/* testsh.c


#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

#define bufsz 100

const char msg[]="Usage: %s &lt;shellcode file&gt;\n";

static char buffer1[bufsz];
static char buffer2[bufsz];

void usage(char *self)
{ printf(msg, self);

int main(int argc, char *argv[])
{ FILE *fp;
  void (*funcptr)();

  if (argc != 2) usage(argv[0]);

  if ((fp=fopen(argv[1], "rb"))==NULL)
  { printf("fail to open file: %s\n", argv[1]);

  fgets(buffer1, bufsz, fp);

  strcpy(buffer2, buffer1); /* your shellcode should not contain \0x00 */

  if (strlen(buffer2)&gt;=40) /* your shellcode should be less than 40 bytes */
    printf("your shellcode is too long! 5 points penalty \n");

  if (strlen(buffer2)&lt;30) /* the shorter, the better the shell code is */
    printf("your shellcode is less than 30 bytes! 10 bonus points\n");

  if (strstr(buffer2, "/bin/sh"))
    printf("Malicious code detected! 15 points penalty \n");

  funcptr = (void *) buffer2;
  (*funcptr)();  /* execute your shell code */

  return 0 ;

Open in new window

Question by:southpau1
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 2
LVL 40

Expert Comment

ID: 36552327
So start investigating....

Author Comment

ID: 36552376
Thanks, I am researching as well.  That's why I didn't just come out and ask for a solution.  Figured I would attack this problem from all fronts.
LVL 40

Expert Comment

ID: 36553359
Ok, but the answer isn't too difficult anything else might be considered against the rules of EE.

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.


Author Comment

ID: 36553735
Do you know of a specific reference that can help me?  I've read a couple of papers at the top of the search results in Google an none are really beginner shellcode.
LVL 40

Accepted Solution

noci earned 999 total points
ID: 36553765
Well shell code 101:

Make a short assembly program, it must fit the constraints of the program you try to invade.
The rest is a matter of trying to fit the constraints.
The more complex story can be found using the links....

Start trying...
LVL 53

Assisted Solution

Infinity08 earned 501 total points
ID: 36554059
The article "Smashing the stack for fun and profit" is imo the best reference on exploiting stack overflows :


It also contains a nice introduction to writing shell code.

Author Comment

ID: 36577718
Ok guys, I have put together come C code that is close to working (I think).  It executes by itself, but the string does not concatenate correctly.  I'm not a C pro, can you help?
#include <string.h>
#include <stdlib.h> 

	char beg[4]="/bin";
	char end[3]="/sh";

Open in new window

LVL 40

Assisted Solution

noci earned 999 total points
ID: 36577785
From 'man strcat'

The  strcat()  function appends the src string to the dest string, overwriting the null byte ('\0') at the end
of dest, and then adds a terminating null byte.  The strings may not overlap, and the dest  string  must  have
enough space for the result.

That should also set you thinking about your payload btw.
LVL 40

Expert Comment

ID: 36965146
The problem this is quite basic knowledge. About how C strings work, and how to copy stuff around
It's clearly an assignment, as it is stated in the first sentence.
The answer has been given with a clear pointer, but not en exact answer, why his example will not work.

It hard to just not tell the right answer but point in the right direction...
As given the exercise is not too difficult.

LVL 53

Expert Comment

ID: 36967508
Since the question was asking for guidance, and that's what was provided, I recommend closing the question by accepting these posts :

        http:#36553765 (noci) : short overview of what needs to be done
        http:#36554059 (Infinity08) : a nice reference with examples, and a clear explanation
        http:#36577785 (noci) : some corrections for the first attempt from the asker

With this, the asker should have been able to make it work. I can only guess he did, because he didn't get back to us.

Author Closing Comment

ID: 37046602
I was mostly given links to web pages, which I can find myself.  Was really hoping to get some expert insight, not just a web page.
LVL 40

Expert Comment

ID: 37046850
not to offend, but...

This is home work, I cannot give you a solution directly (i don't do the homework for my kids either...)
You were given some pointers and whether that is a textbook reference [ rather hard to get sometimes ] or a pointer to a website [ more convenient ] it's a source for the knowledge you wish to acquire.

Then you did present your solution which fails on several grounds like [size] and [copy constraints]. You demonstrate to miss some basic understanding how stuff works just below the visible world. This was hinted using the strcat() manpage excerpt.

sorry to be rather blunt.. But I really do hope you score better then B...


Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will learn different types of Android Layout and some basics of an Android App.
Computer science students often experience many of the same frustrations when going through their engineering courses. This article presents seven tips I found useful when completing a bachelors and masters degree in computing which I believe may he…
Six Sigma Control Plans
Starting up a Project

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question